Redis unauthorized vulnerability construction and reproduction

Others 2021-03-22 09:19:51 views: null

Introduction to redis

Redis(Remote Dictionary Server ), The remote dictionary service, is an open source log-type, Key-Value database that is written in ANSI C language, supports the network, and can be memory-based or persistent, and provides APIs in multiple languages. From March 15, 2010, the development of Redis is hosted by VMware. Since May 2013, the development of Redis has been sponsored by Pivotal.

Redis unauthorized vulnerability

By default, Redis will be bound to it 0.0.0.0:6379. If no relevant policies are adopted, such as adding firewall rules to avoid ip access from other untrusted sources, this will expose the Redis service to the public network. If password authentication is not set (generally If it is empty), it will cause any user to be unauthorized to access Redis and read Redis data when they can access the target server. In the case of unauthorized access to Redis 进行写文件操作, the attacker can use the config command provided by Redis itself. Yes , the attacker can successfully write his ssh public key into the authenticated_keys file in the /root/.ssh folder of the target server, and then You can use the corresponding private key to log in to the target server directly using the ssh service.

Recurrence preparation

system IP
linux 192.168.1.56
linux 192.168.1.58

Install command

下载文件
wget http://download.redis.io/releases/redis-2.8.17.tar.gz
解压文件
tar xzf redis-2.8.17.tar.gz
进入到解压的目录下
cd redis-2.8.17
make
安装好进入src
cd src
将redis-server和redis-cli拷贝到/usr/bin目录下(这样启动redis-server和redis-cli就不用每次都进入安装目录了)
cp redis-server /usr/bin
cp redis-cli /usr/bin
返回目录redis-2.8.17,将redis.conf拷贝到/etc/目录
cd ..
cp redis.conf /etc/
使用/etc/目录下的reids.conf文件中的配置启动redis服务
redis-server /etc/redis.conf

The installation is successful, clone to continue to reproduce

启动redis服务进程后,就可以使用测试攻击机程序redis-cli和靶机的redis服务交互了
./redis-cli -h IP

Unauthorized access vulnerability

./redis-cli -h IP Insert picture description here
redis service is open to the public network, and authentication is not enabled

Reference article

https://www.cnblogs.com/bmjoker/p/9548962.html

Guess you like

Origin blog.csdn.net/p_utao/article/details/113641778
Recommended
Ranking
A quick primer on numpy basics
Two sister tease python project
Java | Multiple keywords in the replacement content are returned to the front end in red style
C ++: references
The string leetcood 1018 is a binary prefix divisible by 5
Flutter 布局组件
Java combat spingboot-redis
PMP pre-exam sprint and wrong questions sorting
ActiveMq C# Message Features: Delayed and Timed Message Delivery
DSP28377S_ copy a program from the RAM to FLASH portion DETAILS
Daily
More
2024-05-16(23)
2024-05-15(5)
2024-05-14(9)
2024-05-13(8)
2024-05-12(28)
2024-05-11(32)
2024-05-10(34)
2024-05-09(32)
2024-05-08(18)
2024-05-07(34)

Code World

© 2018 codetd.com