Redis anonymous access utilization tips

Redis databases are relatively common in intranet penetration testing. Based on a recent exploitation process, I record the notes as follows:

Download Redis on the intranet machine, unpack it and run make; there is no need to run make install.

A) In the normal case, the web root path is known and a shell is written to it

./redis-cli -h IP  
config set dir /home/wwwroot/default/  
config set dbfilename redis.php 
set webshell " phpinfo(); ?>"  
save

B) Use a public key to log in without a password

1. Generate the public key locally.
2. Use Redis to back up the public key to the Redis machine.

C) Use a Linux scheduled task to get a reverse shell

1. /var/spool/cron is the default scheduled-task directory on a Linux machine. When cron is enabled, Linux regularly executes the tasks in it. The file name is the user name.
2. Set the Redis dbfilename to the above and the shell connects straight back.

In summary, the three methods above are mainly used to obtain permissions on the Redis server. Because Redis is generally started with root privileges, the permissions obtained are extensive.

But unexpected situations always come up during a penetration test, don't they?

With the first method, if the Redis database is too large, the PHP shell exceeds the size limit and the server returns a 500 without parsing it. In that case we can write a shell into the web directory through the third method instead:

*/1 * * * * echo " phpinofo();?>" >/var/www/html/90sec.php;crontab -r

A shell written this way works without problems.

The second method worked without any problem on my test machine, but ran into problems in the real penetration environment. It is probably the ssh directory permissions issue with SSH password-free login; the chance of success is not very high.

The third method is my favorite: simple, crude and clear, and even the privilege-escalation step is skipped. (On an important machine the root user will usually have scheduled tasks of its own, so it is recommended to use a low-privileged user to get a reverse shell and explore the situation first, before using root.) But I also encountered some very strange things. If the machine is not allowed to connect to the external network, you can only write a shell to the web directory, or listen with a bash shell on the internal network and connect to it yourself. Another finding about Redis: on higher versions of Linux where privileges cannot otherwise be escalated, we can escalate privileges directly through Redis, which is a case of privilege escalation through third-party software.
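All three methods in this article leave the same trace on the server: CONFIG SET on dir or dbfilename, followed by a save. The Python below is an added example, not code from the original article, that scans Redis MONITOR output for that sequence; the sample lines, client addresses and the SENSITIVE_DIRS list are constructed assumptions.

```python
import re
import shlex

# Write targets named in the article: cron spool, the ssh directory, web roots.
SENSITIVE_DIRS = ("/var/spool/cron", "/.ssh", "/var/www", "/home/wwwroot")
# MONITOR line format: <unix time> [<db> <client addr>] "arg" "arg" ...
LINE_RE = re.compile(r'^(\d+\.\d+) \[\d+ ([^\]]+)\] (.*)$')

def parse_monitor_line(line):
    """Return (timestamp, client, args) for one MONITOR line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        args = shlex.split(m.group(3))
    except ValueError:  # unbalanced quoting inside a value
        return None
    return (float(m.group(1)), m.group(2), args) if args else None

def detect(lines):
    """Flag clients that repoint the dump file at a sensitive path, then save."""
    pending, alerts = {}, []
    for line in lines:
        parsed = parse_monitor_line(line)
        if parsed is None:
            continue
        ts, client, args = parsed
        cmd = [a.lower() for a in args[:2]]
        if cmd == ["config", "set"]:
            params = args[2:]  # Redis 7 accepts several name/value pairs
            for name, value in zip(params[0::2], params[1::2]):
                if name.lower() in ("dir", "dbfilename"):
                    pending.setdefault(client, {})[name.lower()] = value
        elif cmd[0] in ("save", "bgsave") and client in pending:
            cfg = pending.pop(client)
            d, f = cfg.get("dir", ""), cfg.get("dbfilename", "")
            if any(p in d for p in SENSITIVE_DIRS) or f.lower().endswith(".php"):
                alerts.append({"time": ts, "client": client, "dir": d, "dbfilename": f})
    return alerts

# Constructed sample lines (not captured traffic).
SAMPLE = [
    '1700000000.000001 [0 10.0.0.5:51000] "config" "set" "dir" "/var/spool/cron/"',
    '1700000000.000002 [0 10.0.0.5:51000] "config" "set" "dbfilename" "root"',
    '1700000000.000003 [0 10.0.0.5:51000] "save"',
    '1700000001.000001 [0 127.0.0.1:40000] "config" "set" "dir" "/data/redis"',
    '1700000001.000002 [0 127.0.0.1:40000] "bgsave"',
]
```

On the sample, detect(SAMPLE) reports only the client that pointed dir at the cron spool; the local operator saving to /data/redis is not flagged.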
