Closed xacnio closed 2 years ago
Interesting, comes from https://github.com/yannh/redis-dump-go/pull/28 . Probably should add some tests around this and figure out what the correct encoding should be :thinking:
I wrote a test in bash. In a loop, it's changing the password and trying every char. I think it doesn't need url encode or QueryEscape anymore. But I don't know, you can check too.
Test run with QueryEscape: test1.txt Test run without QueryEscape: test2.txt
Test script:
```bash
#!/bin/bash
foo="!\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_\`abcdefghijklmnopqrstuvwxyz{|}~ €‚ƒ„…†‡ˆ‰Š‹ŒŽ‘’“”•–—˜™š›œžŸ ¡¢£¤¥¦§¨©ª«¬®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ"
for (( i=0; i<${#foo}; i++ )); do
    tmp_pass="${foo:$i:1}"
    sh redis-change-pass.sh "" "${tmp_pass}" > /dev/null
    export REDISDUMPGO_AUTH="${tmp_pass}"
    ./redis-dump-go -s > /dev/null
    #./main -s > /dev/null # other build
    echo " Char: ${tmp_pass}"
    echo "==============="
    sh redis-change-pass.sh "${tmp_pass}" "" > /dev/null
done
```
redis-change-pass.sh
```sh
#!/bin/sh
redis-cli <<EOF
AUTH "$1"
config set requirepass "$2"
EOF
```
Hi @Xacnio , I will write a test for this, but just to be sure - could you use simple quotes around your password? I am concerned bash might try to interpret some of the characters in it.
Hi, I'm not sure I understand. But I tried some things. I hope it helps you.
```console
[root@localhost redistest]# export REDISDUMPGO_AUTH=",u[!m&bd3*+tQK,ZC#YS%=}Fn#qw)~$<"
export REDISDUMPGO_AUTH=",u[mkdir redistest&bd3*+tQK,ZC#YS%=}Fn#qw)~$<"
[root@localhost redistest]# ./redis-dump-go
ERR invalid password
```
If I use double quotes, bash is using the last command that starts with 'm' in the string. `!m` is interpreted as `mkdir redistest`. Because there is an exclamation mark in my password. So I changed the double quotes to single quotes.
```console
[root@localhost redistest]# export REDISDUMPGO_AUTH=',u[!m&bd3*+tQK,ZC#YS%=}Fn#qw)~$<'
[root@localhost redistest]# export
............
declare -x REDISDUMPGO_AUTH=",u[!m&bd3*+tQK,ZC#YS%=}Fn#qw)~\$<"
............
[root@localhost redistest]# ./redis-dump-go
ERR invalid password
```
Now, I deleted the dollar character in my password because `$` was converted to `\$`. But the result is the same.
```console
[root@localhost redistest]# export REDISDUMPGO_AUTH=',u[!m&bd3*+tQK,ZC#YS%=}Fn#qw)~<'
[root@localhost redistest]# ./redis-dump-go
ERR invalid password
```
I changed redis-server's password with redis-cli during my attempts. Passwords are correct normally.
```console
[root@localhost redistest]# redis-cli
127.0.0.1:6379> auth ,u[!m&bd3*+tQK,ZC#YS%=}Fn#qw)~<
OK
127.0.0.1:6379>
```
Hi! I am facing the same issue for `nX*WqzyE0CkQ2k3x` password. It worked after removing `url.QueryEscape()`.
```console
❯ export REDISDUMPGO_AUTH='nX*WqzyE0CkQ2k3x'
❯ redis-dump-go
WRONGPASS invalid username-password pair or user is disabled.
```
Redis Version: 7.0.4 redis-dump-go version: 0.7.2
Version: v0.7.0 Platform: Linux CentOS 7.9.2009 x86_64
https://github.com/yannh/redis-dump-go/blob/0c04870cf202049a4a882a538cb52d59ad0322e1/main.go#L109-L114
Why is it using `url.QueryEscape` for the password? I have a password with special characters. And result: `ERR invalid password`
Example Password for this issue (randomly generated, safe, not using anywhere):
,u[!m&bd3*+tQK,ZC#YS%=}Fn#qw)~$<
Script
I tried without QueryEscape and it worked for me.
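The effect reported in this thread, as an added Go example (not code from redis-dump-go or from any poster): it lists which bytes of the two passwords quoted above `url.QueryEscape` rewrites, and shows that escaping is only lossless when a URL parser decodes it again before the password is used. The `redis://` URL, the host and the helper names are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/url"
)

// Passwords quoted in the thread above (posted there as test values).
var threadPasswords = []string{
	",u[!m&bd3*+tQK,ZC#YS%=}Fn#qw)~$<",
	"nX*WqzyE0CkQ2k3x",
}

// alteredBytes returns the bytes of pw that url.QueryEscape rewrites.
func alteredBytes(pw string) []byte {
	var out []byte
	for i := 0; i < len(pw); i++ {
		if c := pw[i : i+1]; url.QueryEscape(c) != c {
			out = append(out, pw[i])
		}
	}
	return out
}

// sameAfterEscape reports whether the escaped form is byte-identical to pw,
// which is what a server comparing the raw AUTH argument needs.
func sameAfterEscape(pw string) bool { return url.QueryEscape(pw) == pw }

// viaURL embeds pw in a hypothetical redis:// URL and parses it back.
// Escaping is lossless here because the URL parser undoes it before use.
func viaURL(pw string) (string, error) {
	u := url.URL{Scheme: "redis", User: url.UserPassword("", pw), Host: "127.0.0.1:6379"}
	parsed, err := url.Parse(u.String())
	if err != nil {
		return "", err
	}
	got, _ := parsed.User.Password()
	return got, nil
}

func main() {
	for _, pw := range threadPasswords {
		back, err := viaURL(pw)
		fmt.Printf("raw=%q escaped=%q altered=%q same=%v urlRoundTrip=%v err=%v\n",
			pw, url.QueryEscape(pw), alteredBytes(pw), sameAfterEscape(pw), back == pw, err)
	}
}
```

Only letters, digits and `-`, `_`, `.`, `~` pass through `url.QueryEscape` unchanged, so a regression test for this issue should cover at least one password containing a character outside that set.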