{"id":633,"date":"2020-02-08T10:31:30","date_gmt":"2020-02-08T09:31:30","guid":{"rendered":"https:\/\/privat.andreas-klingler.de\/itsec\/?p=633"},"modified":"2021-01-09T15:03:36","modified_gmt":"2021-01-09T14:03:36","slug":"redis","status":"publish","type":"post","link":"https:\/\/infosec.andreas-klingler.de\/?p=633","title":{"rendered":"Redis"},"content":{"rendered":"\n<ul class=\"wp-block-list\"><li>Runs on port 6379 \u2014 needs a full nmap&nbsp;scan!<\/li><li>If conec\u00adtion is pos\u00adsi\u00adble via tel\u00adnet, use\u00adful com\u00admands&nbsp;are:&nbsp;<ul>\n<li>info<\/li>\n<li><span class=\"caps\">CONFIG<\/span> <span class=\"caps\">GET<\/span> *<\/li>\n<li>all keys:&nbsp;keys&nbsp;*<\/li>\n<li>It is pos\u00adsi\u00adble to deter\u00admine which direc\u00adto\u00adries&nbsp;exist:&nbsp;<ul>\n<li>\n<pre>config set dir \/var\/www\/htdocs\n-ERR Changing directory: No such file or directory\nset dir \/var\/www\n+OK\nset dir \/var\/www\/html\n+OK<\/pre>\n<\/li>\n<\/ul>\n<\/li>\n<li>Upload <span class=\"caps\">SSH<\/span> key via redis if there is write access to an user. An user\u00adname has to been&nbsp;known.&nbsp;<ul>\n<li><a href=\"https:\/\/book.hacktricks.xyz\/pentesting\/6379-pentesting-redis\">https:\/\/book.hacktricks.xyz\/pentesting\/6379-pentesting-redis<\/a><\/li>\n<li><a href=\"https:\/\/github.com\/Avinash-acid\/Redis-Server-Exploit\/blob\/master\/redis.py\">https:\/\/github.com\/Avinash-acid\/Redis-Server-Exploit\/blob\/master\/redis.py<\/a><\/li>\n<\/ul>\n<\/li>\n<li>Hint: if there is any write\u00adable direc\u00adto\u00adry which is avail\u00adable via a web serv\u00ader, try the <span class=\"caps\">SSH<\/span> writ\u00ading method to write a reverse shell file some\u00adwhere to a web serv\u00ader directory.<\/li>\n<li>Exe\u00adcute com\u00admands&nbsp;with&nbsp;<ul>\n<li>\n<pre>system.exec \"id\"<\/pre>\n<\/li>\n<\/ul>\n<\/li>\n<li>Com\u00adplete list of commands&nbsp;<ul>\n<li><a href=\"https:\/\/redis.io\/commands\">https:\/\/redis.io\/commands<\/a><\/li>\n<\/ul>\n<\/li>\n<li>See\n<ul>\n<li><a href=\"https:\/\/github.com\/Ridter\/redis-rce\">https:\/\/github.com\/Ridter\/redis-rce<\/a><\/li>\n<li><a href=\"https:\/\/github.com\/vulhub\/redis-rogue-getshell\">https:\/\/github.com\/vulhub\/redis-rogue-getshell<\/a><\/li>\n<\/ul>\n<\/li>\n<li>DON\u2019T use tel\u00adnet \/ nc \/ \u2026 Use redis-cli \u2011h &lt;ip&gt; to connect.<\/li>\n<li>Use redis-dump to dump a bad\u00adly con\u00adfig\u00adured redis instance&nbsp;<ul>\n<li>\n<pre>npm install redis-dump -g\nredis-dump -h 10.10.10.160 --json<\/pre>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li><\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Master\/slave configuration<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">In the master\/slave con\u00adfig\u00adu\u00adra\u00adtion, there is one mas\u00adter which allows only write access and n slaves which allow only read access.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Impor\u00adtant: The mas\u00adter must not be in the pro\u00adtect\u00aded&nbsp;mode.<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>If he can restart\u00aded or the con\u00adfig file can be changed, set the \u2013pro\u00adtect\u00aded-mode no&nbsp;flag.<\/li><li>If not:\n<ul>\n<li>On the mas\u00adter: Set the pass\u00adword&nbsp;with&nbsp;<ul>\n<li>\n<pre>config set requirepass mypass<\/pre>\n<\/li>\n<\/ul>\n<\/li>\n<li>On the slave: Set the mas\u00adter\u2019s pass\u00adword&nbsp;with&nbsp;<ul>\n<li>\n<pre>config set masterauth mypass<\/pre>\n<\/li>\n<\/ul>\n<\/li>\n<li>If a sys\u00adtem wan\u00adt\u2019s the pass\u00adword after log\u00adging in into the shell again, use the fol\u00adlow\u00ading to authenticate:&nbsp;<ul>\n<li>\n<pre>auth mypass<\/pre>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li><\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Make a node a mas\u00adter (default):<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">redis&gt; slaveof no one<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Make a node a&nbsp;slave:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">redis&gt; slaveof &lt;master_ip&gt; &lt;master_port&gt;<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">The process is the fol\u00adlow\u00ading, see also the <a href=\"https:\/\/github.com\/LoRexxar\/redis-rogue-server\">redis-rogue-serv\u00ader script<\/a>, which needs the addi\u00adtion of <a href=\"https:\/\/github.com\/n0b0dyCN\/RedisModules-ExecuteCommand\">the Com\u00admand module.<\/a><\/p>\n\n\n\n<ol class=\"wp-block-list\"><li>Set to&nbsp;slave<\/li><li>Set out\u00adput db file to mod\u00adule filename<\/li><li>Per\u00adform sync, pass the mod\u00adule\u2019s bina\u00adry date escaped<\/li><li>Load the module<\/li><li>Set to master<\/li><\/ol>\n\n\n\n<p class=\"wp-block-paragraph\">Now the mod\u00adule is insert\u00aded. Note: The mod\u00adule exp.so has to be com\u00adpiled for the cor\u00adrect architecture.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Runs on port 6379 \u2014 needs a full nmap&nbsp;scan! If conec\u00adtion is pos\u00adsi\u00adble via tel\u00adnet, use\u00adful com\u00admands&nbsp;are:&nbsp; info <span class=\"caps\">CONFIG<\/span> <span class=\"caps\">GET<\/span> * all keys:&nbsp;keys&nbsp;* It is pos\u00adsi\u00adble to deter\u00admine which direc\u00adto\u00adries&nbsp;exist:&nbsp; con\u00adfig set dir \/var\/www\/htdocs \u2011<span class=\"caps\">ERR<\/span> Chang\u00ading direc\u00adto\u00adry: No such file or direc\u00adto\u00adry set dir \/var\/www +<span class=\"caps\">OK<\/span> set dir \/var\/www\/html +<span class=\"caps\">OK<\/span> Upload <span class=\"caps\">SSH<\/span> key via&nbsp;redis&nbsp;[\u2026]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"wp_typography_post_enhancements_disabled":false,"footnotes":""},"categories":[323],"tags":[179],"class_list":["post-633","post","type-post","status-publish","format-standard","hentry","category-protocol","tag-redis"],"_links":{"self":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/633","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=633"}],"version-history":[{"count":19,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/633\/revisions"}],"predecessor-version":[{"id":2155,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/633\/revisions\/2155"}],"wp:attachment":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=633"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=633"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=633"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}