REDIS Exploitation

Redis is a really dangerous service: we can use it to load modules and do other cool stuff, especially when there are other open services around.

This guide has all we need to know.

This github will have the module.so that we need, just type "make".

If we know the path and the service has write access, try to upload files to the directories that a webserver is serving from. /var/www/html is a common one.

So the key is to look around in places that we have file upload vulnerability and figure out paths.

/var/ftp/anon/<directory-name-if-applies> is usually where the anonymous root folder is located.

REDIS + LFI

With a Local File Inclusion (LFI) you may be able to locate the credentials for the Redis service.

Possible Locations

Now with credentials we can authenticate using the following command.

The next thing we should try to do is enumerate the places we can write to using the configuration file of redis as well. This will be done through local file inclusion.

Once done, it will give you a bunch of places Redis can write to, so now we can invoke a PHP reverse shell or make the computer fetch our reverse shell.

We then navigate to it with the LFI and we should get the cmd parameter. The rest is up to you.

This other method will require us to curl a shell.sh file.

So we create a shell.sh file.

We will host a webserver on whatever port we want. With redis we will execute the following command and use local file inclusion to execute the php code.

Use local file inclusion to navigate to the php file.

Redis 4.x / 5.x Exploitation

Use the exact same path as that in order for it to work. Then upgrade your shell using socat.
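Everything above depends on a handful of redis.conf settings: no password, a listener reachable from other hosts, the CONFIG and MODULE commands left available, and a working directory inside a served path. The audit below is an added example, not part of the original guide; the function names and both sample configurations are constructed, and it assumes access control is done in redis.conf alone (no ACL file).

```python
import shlex

# Commands the techniques above depend on: CONFIG can change where Redis
# writes its dump file, MODULE loads a shared object into the server.
RISKY_COMMANDS = ("CONFIG", "MODULE")
# Served directories named in this guide (assumption: extend per host).
SERVED_ROOTS = ("/var/www", "/var/ftp")

def parse_conf(text):
    """Return {directive: [argument lists]} from redis.conf text."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            parts = shlex.split(line)
            conf.setdefault(parts[0].lower(), []).append(parts[1:])
    return conf

def audit(text):
    """List the weak settings found in one redis.conf."""
    conf = parse_conf(text)
    findings = []
    if not any(a and a[0] for a in conf.get("requirepass", [])):
        findings.append("requirepass is not set")
    binds = [a for args in conf.get("bind", []) for a in args]
    if not binds or any(a in ("0.0.0.0", "*", "::") for a in binds):
        findings.append("listens on all interfaces")
    if conf.get("protected-mode", [["yes"]])[-1] == ["no"]:
        findings.append("protected-mode is disabled")
    renamed = {a[0].upper() for a in conf.get("rename-command", []) if a}
    for cmd in RISKY_COMMANDS:
        if cmd not in renamed:
            findings.append(f"{cmd} is neither renamed nor disabled")
    for args in conf.get("dir", []):
        if args and args[0].startswith(SERVED_ROOTS):
            findings.append(f"dir {args[0]} is inside a served directory")
    return findings

# Constructed sample configurations, not taken from any real host.
WEAK_CONF = "bind 0.0.0.0\nprotected-mode no\ndir /var/www/html\n"
HARDENED_CONF = (
    'bind 127.0.0.1\nprotected-mode yes\nrequirepass "constructed-sample"\n'
    'rename-command CONFIG ""\nrename-command MODULE ""\ndir /var/lib/redis\n'
)

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(text))
```

A clean result only covers the file itself; the Redis service account should also have no write permission on the web or FTP roots.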
