6379 - Pentesting Redis
Last updated
Last updated
Redis is an open source (BSD licensed), in-memory data structure store, used as a database, cache and message broker (from ). By default and commonly Redis uses a plain-text based protocol, but you have to keep in mind that it can also implement ssl/tls. Learn how to .
Default port: 6379
Some automated tools that can help to obtain info from a redis instance:
Redis is a text based protocol, you can just send the command in a socket and the returned values will be readable. Also remember that Redis can run using ssl/tls (but this is very weird).
In a regular Redis instance you can just connect using nc or you could also use redis-cli:
The first command you could try is info. It may return output with information of the Redis instance or something like the following is returned:
In this last case, this means that you need valid credentials to access the Redis instance.
By default Redis can be accessed without credentials. However, it can be configured to support only password, or username + password.
It is possible to set a password in redis.conf file with the parameter requirepass or temporary until the service restarts connecting to it and running: config set requirepass p@ss$12E45.
Also, a username can be configured in the parameter masteruser inside the redis.conf file.
Valid credentials will be responded with: +OK
If the Redis instance is accepting anonymous connections or you found some valid credentials, you can start enumerating the service with the following commands:
You can also monitor in real time the Redis commands executed with the command monitor or get the top 25 slowest queries with slowlog get 25
Inside Redis the databases are numbers starting from 0. You can find if anyone is used in the output of the command info inside the "Keyspace" chunk:
In that example the database 0 and 1 are being used. Database 0 contains 4 keys and database 1 contains 1. By default Redis will use database 0. In order to dump for example database 1 you need to do:
If the webshell access exception, you can empty the database after backup and try again, remember to restore the database.
In the output of config get * you could find the home of the redis user (usually /var/lib/redis or /home/redis/.ssh), and knowing this you know where you can write the authenticated_users file to access via ssh with the user redis. If you know the home of other valid user where you have writable permissions you can also abuse it:
Generate a ssh public-private key pair on your pc: ssh-keygen -t rsa
Write the public key to a file : (echo -e "\n\n"; cat ./.ssh/id_rsa.pub; echo -e "\n\n") > foo.txt
Import the file into redis : cat foo.txt | redis-cli -h 10.85.0.52 -x set crackit
Save the public key to the authorized_keys file on redis server:
Finally, you can ssh to the redis server with private key : ssh -i id_rsa test@10.85.0.52
The last exampleis for Ubuntu, for Centos, the above command should be: redis-cli -h 10.85.0.52 config set dir /var/spool/cron/
Then you need some way to upload the compiled module
Load the uploaded module at runtime with MODULE LOAD /path/to/mymodule.so
List loaded modules to check it was correctly loaded: MODULE LIST
Execute commands:
Unload the module whenever you want: MODULE UNLOAD mymodule
The master redis all operations are automatically synchronized to the slave redis, which means that we can regard the vulnerability redis as a slave redis, connected to the master redis which our own controlled, then we can enter the command to our own redis.
If you can send clear text request to Redis, you can communicate with it as Redis will read line by line the request and just respond with errors to the lines it doesn't understand:
Therefore, if you find a SSRF vuln in a website and you can control some headers (maybe with a CRLF vuln) or POST parameters, you will be able to send arbitrary commands to Redis.
In Gitlab11.4.7 were discovered a SSRF vulnerability and a CRLF. The SSRF vulnerability was in the import project from URL functionality when creating a new project and allowed to access arbitrary IPs in the form [0:0:0:0:0:ffff:127.0.0.1] (this will access 127.0.0.1), and the CRLF vuln was exploited just adding %0D%0A characters to the URL.
Therefore, it was possible to abuse these vulnerabilities to talk to the Redis instance that manages queues from gitlab and abuse those queues to obtain code execution. The Redis queue abuse payload is:
And the URL encode request abusing SSRF and CRLF to execute a whoami and send back the output via nc is:
In cases like this one you will need to find valid credentials to interact with Redis so you could try to **it. In case you found valid credentials you need to authenticate the session** after establishing the connection with the command:
Other Redis commands and . Note that the Redis commands of an instance can be renamed or removed in the redis.conf file. For example this line will remove the command FLUSHDB:
More about configuring securely a Redis service here:
Find more interesting information about more Redis commands here:
Dump the database with npm or python ****
From: You must know the path of the Web site folder:
This technique is automated here:
This method can also be used to earn bitcoin :
Following the instructions from you can compile a redis module to execute arbitrary commands.
you can see that Redis uses the command EVAL to execute Lua code sandboxed. In the linked post you can see how to abuse it using the dotfile function, but this isn't no longer possible. Anyway, if you can bypass the Lua sandbox you could execute arbitrary commas on the system. Also, from the same post you can see some options to cause DoS.
For some reason (as for the author of where this info was took from) the exploitation worked with the git scheme and not with the http scheme.