Redis service unauthenticated write access to OS file system

Redis is an in-memory key-value database. Because of that design, typical use cases include session caching, full-page caching, message queues, leaderboards and counters.

By default, the service runs on port 6379. In my case, Redis was running on a range of ports, 7081-7090. So an nmap scan with -p- or -p1-65535 and -sV should identify the Redis service.

My example is a server running the Redis service on port 6379.

The Nmap scan result looks like this:

Nmap scan report for
Host is up (0.000045s latency).
6379/tcp open  redis   Redis key-value store

Redis is sometimes configured without authentication while listening on all interfaces, so the service can be reached over the network by anyone, with no credentials required.

You can run the following redis-info script from nmap to verify whether Redis is running without authentication. The script runs the ‘info’ command after connecting to the Redis server.
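The check that redis-info performs, sending INFO and seeing whether the server answers without credentials, can be reproduced against an instance you administer. The Python below is an added example, not the nmap script or the author's script; the function names and the sample replies are constructed for illustration.

```python
import socket
import sys

# RESP encoding of INFO, the one command the redis-info check sends.
INFO_CMD = b"*1\r\n$4\r\nINFO\r\n"

def classify_info_reply(reply: bytes) -> str:
    """Map the start of a server's reply to INFO onto an exposure state."""
    if reply.startswith((b"-NOAUTH", b"-ERR operation not permitted")):
        return "auth-required"      # a password or ACL is enforced
    if reply.startswith(b"-DENIED"):
        return "protected-mode"     # no password set, remote clients refused
    if reply.startswith(b"$") and b"redis_version:" in reply:
        return "unauthenticated"    # INFO answered without credentials
    return "error" if reply.startswith(b"-") else "not-redis"

def read_reply_head(sock: socket.socket, want: int = 256) -> bytes:
    """Read one reply line; for a bulk reply keep reading up to `want` bytes."""
    data = b""
    while b"\r\n" not in data or (data.startswith(b"$") and len(data) < want):
        try:
            chunk = sock.recv(4096)
        except socket.timeout:
            break                   # server went quiet: classify what we have
        if not chunk:
            break                   # peer closed the connection
        data += chunk
    return data

def check_instance(host: str, port: int = 6379, timeout: float = 3.0) -> str:
    """Send INFO to an instance you administer and classify the answer."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(INFO_CMD)
            return classify_info_reply(read_reply_head(sock))
    except OSError:
        return "unreachable"

SAMPLES = {  # constructed replies written for this example, not captured traffic
    "open": b"$3421\r\n# Server\r\nredis_version:6.2.6\r\nredis_mode:standalone\r\n",
    "password": b"-NOAUTH Authentication required.\r\n",
    "protected": b"-DENIED Redis is running in protected mode\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, "->", classify_info_reply(raw))
    if len(sys.argv) == 3:  # HOST PORT of an instance you administer
        print(check_instance(sys.argv[1], int(sys.argv[2])))
```

A result of "unauthenticated" is the condition this post describes; setting requirepass (or ACLs) and restricting the bind directive in redis.conf moves the instance to "auth-required" or "unreachable".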

Redis also allows writing to any file on the target server that the account running the Redis service is permitted to write.

I’ve written a script that automates the task of exploiting unauthenticated write access to the OS file system.


1) Write to any path on the file system

python <RHOST> <PORT> -write <path>

e.g.: python 6379 -write /tmp/GIStest.txt

2) Generate SSH key pairs, write to the authorized_keys file and get SSH access to the server.

python <RHOST> <PORT> -ssh <user>

e.g.: python 6379 -ssh root

The script can be found at the following link:
