Port 6379 (REDIS)
Dumping Database
Inside Redis the databases are numbers starting from 0. You can find if anyone is used in the output of the command info inside the "Keyspace" chunk:
Or you can just get all the keyspaces (databases) with:
In that example the database 0 and 1 are being used. Database 0 contains 4 keys and database 1 contains 1. By default Redis will use database 0. In order to dump for example database 1 you need to do:
In case you get the following error -WRONGTYPE Operation against a key holding the wrong kind of value while running GET <KEY> it's because the key may be something else than a string or an integer and requires a special operator to display it.
To know the type of the key, use the TYPE command, example below for list and hash keys.
Dump the database with npm redis-dump or python redis-utils
Redis RCE
Interactive Shell
redis-rogue-server can automatically get an interactive shell or a reverse shell in Redis(<=5.0.5).
PHP Webshell
After you did the command info, you must know the path of the Web site folder:
SSH
Generate a ssh public-private key pair on your pc:
Write the public key to a file:
Import the file into redis:
Save the public key to the authorized_keys file on redis server:
**Finally, you can ssh to the redis server with private key:
This technique is automated here: https://github.com/Avinash-acid/Redis-Server-Exploit
Load Redis Module
Following the instructions from https://github.com/n0b0dyCN/RedisModules-ExecuteCommand you can compile a redis module to execute arbitrary commands.
Then you need some way to upload the compiled module (for example ftp)
Load the uploaded module at runtime
List loaded modules to check it was correctly loaded:
Execute commands:
Unload the module whenever you want:
Last updated