yannh / redis-dump-go

Backup & Restore your Redis server - FAST
MIT License

Special characters in password #36

Closed xacnio closed 2 years ago

xacnio commented 2 years ago

Version: v0.7.0 Platform: Linux CentOS 7.9.2009 x86_64

https://github.com/yannh/redis-dump-go/blob/0c04870cf202049a4a882a538cb52d59ad0322e1/main.go#L109-L114

Why is it using url.QueryEscape for the password? I have a password with special characters, and the result is: ERR invalid password

Example password for this issue (randomly generated, safe, not used anywhere): ,u[!m&bd3*+tQK,ZC#YS%=}Fn#qw)~$<

Script

#!/bin/sh
export REDISDUMPGO_AUTH=",u[!m&bd3*+tQK,ZC#YS%=}Fn#qw)~$<"
./redis-dump-go

I tried without QueryEscape and it worked for me.

yannh commented 2 years ago

Interesting, comes from https://github.com/yannh/redis-dump-go/pull/28 . Probably should add some tests around this and figure out what the correct encoding should be :thinking:

xacnio commented 2 years ago

I wrote a test in bash. In a loop, it changes the password and tries every char. I think it doesn't need URL encoding or QueryEscape anymore. But I don't know, you can check too.

Test run with QueryEscape: test1.txt
Test run without QueryEscape: test2.txt

Test script:

#!/bin/bash

foo="!\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_\`abcdefghijklmnopqrstuvwxyz{|}~ €‚ƒ„…†‡ˆ‰Š‹ŒŽ‘’“”•–—˜™š›œžŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ"
for (( i=0; i<${#foo}; i++ )); do
  tmp_pass="${foo:$i:1}"
  sh redis-change-pass.sh "" "${tmp_pass}" > /dev/null
  export REDISDUMPGO_AUTH="${tmp_pass}" 
  ./redis-dump-go -s > /dev/null
  #./main -s > /dev/null # other build
  echo " Char: ${tmp_pass}"  
  echo "==============="
  sh redis-change-pass.sh "${tmp_pass}" "" > /dev/null
done

redis-change-pass.sh

#!/bin/sh

redis-cli <<EOF
AUTH "$1"
config set requirepass "$2"
EOF

yannh commented 2 years ago

Hi @Xacnio, I will write a test for this, but just to be sure - could you use simple quotes around your password? I am concerned bash might try to interpret some of the characters in it.

xacnio commented 2 years ago

Hi, I'm not sure I understand. But I tried some things. I hope it helps you.

[root@localhost redistest]# export REDISDUMPGO_AUTH=",u[!m&bd3*+tQK,ZC#YS%=}Fn#qw)~$<"
export REDISDUMPGO_AUTH=",u[mkdir redistest&bd3*+tQK,ZC#YS%=}Fn#qw)~$<"
[root@localhost redistest]# ./redis-dump-go
ERR invalid password

If I use double quotes, bash uses the last command that starts with 'm' in the string. !m is interpreted as mkdir redistest, because there is an exclamation mark in my password. So I changed the double quotes to single quotes.

[root@localhost redistest]# export REDISDUMPGO_AUTH=',u[!m&bd3*+tQK,ZC#YS%=}Fn#qw)~$<'
[root@localhost redistest]# export
............
declare -x REDISDUMPGO_AUTH=",u[!m&bd3*+tQK,ZC#YS%=}Fn#qw)~\$<"
............
[root@localhost redistest]# ./redis-dump-go
ERR invalid password

Now, I deleted the dollar character in my password because $ was converted to \$. But the result is the same.

[root@localhost redistest]# export REDISDUMPGO_AUTH=',u[!m&bd3*+tQK,ZC#YS%=}Fn#qw)~<'
[root@localhost redistest]# ./redis-dump-go
ERR invalid password

I changed redis-server's password with redis-cli during my attempts. The passwords are normally correct.

[root@localhost redistest]# redis-cli
127.0.0.1:6379> auth ,u[!m&bd3*+tQK,ZC#YS%=}Fn#qw)~<
OK
127.0.0.1:6379>

hossainemruz commented 2 years ago

Hi! I am facing the same issue for the password nX*WqzyE0CkQ2k3x. It worked after removing url.QueryEscape().

❯ export REDISDUMPGO_AUTH='nX*WqzyE0CkQ2k3x'
❯ redis-dump-go
WRONGPASS invalid username-password pair or user is disabled.

Redis Version: 7.0.4
redis-dump-go version: 0.7.2
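
An added example, not part of the thread and not redis-dump-go's own code, showing why the escaped password is rejected: RESP carries the AUTH argument as a length-prefixed bulk string, so the server sees exactly the bytes the client sends. The helpers respAuth, authArg and serverAccepts are hypothetical, and the byte-for-byte comparison is a simplified stand-in for the server's check.

```go
package main

import (
	"fmt"
	"net/url"
	"strconv"
	"strings"
)

// respAuth frames AUTH <password> as a RESP array of bulk strings. Each bulk
// string is length-prefixed, so the password bytes travel verbatim.
func respAuth(password string) string {
	return fmt.Sprintf("*2\r\n$4\r\nAUTH\r\n$%d\r\n%s\r\n", len(password), password)
}

// authArg reads the password back out of a frame built by respAuth, using the
// declared length rather than scanning for delimiters.
func authArg(frame string) (string, error) {
	const head = "*2\r\n$4\r\nAUTH\r\n$"
	if !strings.HasPrefix(frame, head) {
		return "", fmt.Errorf("not an AUTH frame")
	}
	rest := frame[len(head):]
	i := strings.Index(rest, "\r\n")
	if i < 0 {
		return "", fmt.Errorf("missing length terminator")
	}
	n, err := strconv.Atoi(rest[:i])
	if err != nil || n < 0 || i+2+n+2 != len(rest) {
		return "", fmt.Errorf("bad bulk length")
	}
	return rest[i+2 : i+2+n], nil
}

// serverAccepts is a simplified stand-in (assumption) for the server check:
// the bytes received must equal requirepass exactly; nothing URL-decodes them.
func serverAccepts(requirepass, sent string) bool {
	got, err := authArg(respAuth(sent))
	return err == nil && got == requirepass
}

func main() {
	// Passwords quoted in this thread.
	for _, pw := range []string{",u[!m&bd3*+tQK,ZC#YS%=}Fn#qw)~$<", "nX*WqzyE0CkQ2k3x"} {
		esc := url.QueryEscape(pw)
		fmt.Printf("raw=%q ok=%v\nesc=%q ok=%v\n", pw, serverAccepts(pw, pw), esc, serverAccepts(pw, esc))
	}
}
```

Percent-encoding is only appropriate when something on the receiving side decodes it; for a password sent as a raw AUTH argument it changes the credential.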