漏洞描述
Redis因为配置不当,会导致未授权访问,在一定条件成立的情况下,Redis服务器以root身份运行,黑客就能够给root账户写入SSH公钥文件,然后直接通过SSH登录目标受害的服务器,就能够直接提权目标服务器,然后进行一系列的数据增删查改操作,甚至是泄露信息,勒索加密等等,会对日常业务造成恶劣的影响。
fofa: app="redis"
redis-unauthorized: Redis Unauthorized
PoC代码[已公开]
id: redis-unauthorized
info:
name: Redis Unauthorized
author: zan8in
severity: high
verified: true
description: |
Redis因为配置不当,会导致未授权访问,在一定条件成立的情况下,Redis服务器以root身份运行,黑客就能够给root账户写入SSH公钥文件,然后直接通过SSH登录目标受害的服务器,就能够直接提权目标服务器,然后进行一系列的数据增删查改操作,甚至是泄露信息,勒索加密等等,会对日常业务造成恶劣的影响。
fofa: app="redis"
reference:
- https://developer.aliyun.com/article/515894
tags: network,redis,unauth
set:
hostname: request.url.host
host: request.url.domain
rules:
r0:
request:
type: tcp
host: "{{hostname}}"
data: "*1\r\n$4\r\ninfo\r\n"
expression: response.raw.bcontains(b'redis_version') || response.raw.bcontains(b'72656469735f76657273696f6')
r1:
request:
type: tcp
host: "{{host}}:6379"
data: "*1\r\n$4\r\ninfo\r\n"
expression: response.raw.bcontains(b'redis_version') || response.raw.bcontains(b'72656469735f76657273696f6')
expression: r0() || r1()