Redis is an in-memory key-value database. Due to the nature of the database design, typical use cases are session caching, full page cache, message queue applications, leaderboards and counting, among others.
By default, the service runs on port 6379. In my case, Redis was running on a range of ports, 7081-7090, so an nmap scan with -p- or -p1-65535 and -sV should identify the Redis service.
In my example, 172.17.0.2 is a server running the Redis service on port 6379.
The Nmap scan result looks like this:
Nmap scan report for 172.17.0.2
Host is up (0.000045s latency).
PORT     STATE SERVICE VERSION
6379/tcp open  redis   Redis key-value store
Redis is sometimes configured without authentication while listening on all interfaces, so the Redis service can be reached over the network without authentication.
You can run the following redis-info script from nmap to verify whether Redis is running without authentication. The script runs the ‘info’ command after connecting to the Redis server.
https://nmap.org/nsedoc/scripts/redis-info.html
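The same condition can be checked from the host side by reading the server's redis.conf. The following is an added example, not code from the original post or from the Redis project: the function names and both sample configurations are constructed for illustration, and it looks only at the bind, protected-mode and requirepass directives (ACL users and included files are not evaluated).

```python
import ipaddress
import shlex

# Constructed sample configs (not from the original post).
WEAK = "bind 0.0.0.0\nprotected-mode no\nport 6379\n"
HARDENED = 'bind 127.0.0.1 -::1\nprotected-mode yes\nrequirepass "constructed-long-random-secret"\n'

def parse_conf(text):
    """Parse redis.conf text into {directive: [argument list per line]}."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)  # handles quoted arguments
        conf.setdefault(parts[0].lower(), []).append(parts[1:])
    return conf

def is_loopback(addr):
    addr = addr.lstrip("-")  # Redis 6.2+ accepts a '-' prefix, e.g. -::1
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False  # '*' or a hostname: assume reachable from the network

def audit(text):
    """Return findings for the unauthenticated-exposure case."""
    conf = parse_conf(text)
    binds = [a for args in conf.get("bind", []) for a in args]  # all bind lines
    password = conf.get("requirepass", [[]])[-1]
    mode = conf.get("protected-mode", [[]])[-1] or ["yes"]  # default is yes
    protected = mode[0].lower() == "yes"
    no_auth = not password or password[0] == ""
    remote = not binds or any(not is_loopback(a) for a in binds)  # no bind = all
    findings = []
    if no_auth:
        findings.append("no requirepass set")
    if remote:
        findings.append("listens on a non-loopback address")
    if not protected:
        findings.append("protected-mode disabled")
    # Older releases apply protected mode only when no bind line is present,
    # so an explicit non-loopback bind without a password counts as exposed.
    if no_auth and remote and (not protected or binds):
        findings.append("EXPOSED: reachable without authentication")
    return findings

if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(text))
```

An empty findings list means none of the three settings leaves the instance open in the way described above; it says nothing about firewalling or the privileges of the account running the service.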
Redis also allows writing to any file on the target server that the account running the Redis service is permitted to write.
I’ve written a script that automates the task of exploiting unauthenticated write access to the OS file system.
Usage:
1) Write to any path on the file system:
python redis.py <RHOST> <PORT> -write <path>
e.g.: python redis.py 172.17.0.2 6379 -write /tmp/GIStest.txt
2) Generate an SSH key pair, write to the authorized_keys file and get SSH access to the server:
python redis.py <RHOST> <PORT> -ssh <user>
e.g.: python redis.py 172.17.0.2 6379 -ssh root
The script can be found at the following link:
https://github.com/buffered4ever/Exploits/tree/master/redis