Home  >  Article  >  php教程  >  Redis anonymous access utilization tips

Redis anonymous access utilization tips

高洛峰
高洛峰Original
2016-11-14 09:22:461601browse

Redis database is relatively common in intranet penetration. Combined with the recent utilization process, record it as follows:

Download Redis in the intranet machine, unzip and make it, no need to make install

A) Under normal circumstances, you know the path and write the shell

./redis-cli -h IP  
config set dir /home/wwwroot/default/  
config set dbfilename redis.php 
set webshell " phpinfo(); ?>"  
save

B) Use the public key to log in without a password 1 Generate the public key locally 2 Use redis to back up the public key to the redis machine C) Use the Linux task to rebound the shell

1 /var/spool/cron The default scheduled task under the Linux machine, When cron is turned on, Linux will regularly execute the tasks inside. The file name is username 2. Redis sets dbfilename to the above and you can directly bounce the shell back. In summary, the above three methods are mainly used to obtain the permissions of the redis server, because redis is generally They are all started with root privileges, so they have great permissions.

But there will always be unexpected situations during the penetration process, are there any?

The first method, if the redis database is too large, causing the PHP horse to exceed the limit, and directly 500 will not be parsed, then we can write a horse to the web directory through the third command

*/1 * * * * echo " phpinofo();?>" >/var/www/html/90sec.php;crontab -r

Such a horse will be no problem

The second way, I tested the machine without any problem, but when it comes to the penetration environment, there is a problem. It should be the ssh password-free login. The ssh directory permissions problem, the chance of success is not very high

The third way, the favorite one , simple, crude and clear, even elevating privileges is omitted (if it is an important machine, the root user will usually have scheduled tasks. It is recommended to use a low-privileged user to rebound a shell to explore the situation first, in root), but I also encountered very strange things. If you don’t allow machines to connect to the external network, you can only write a shell to the web directory, or monitor a bashshell on the internal network, and connect yourself. Another discovery of redis is that higher versions of Linux cannot escalate privileges. , we can also directly escalate privileges through redis, which is a method for third-party software to escalate privileges.

Statement:
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn