Redis reverse shell


I've been playing with redis and had some fun with it during the last few days and I'd like to know if there is a way to empty the db (remove the sets, the existing key). During my tests, I created several sets with a lot of members, even created sets that I do not remember the name (how can I list those guys though?).

Any idea about how to get rid of all of them? FlushDB deletes all keys in the current database while FlushALL deletes all keys in all databases on the current host.

How to empty a redis database?

Be careful here.

Is there any downside to using FlushDB to clear a specific database from production code? AlexNaspo potentially problematic since the bigger your DB is, the longer it will take to flush. Since numbered shared databases are managed by the same Redis server, this could block your other databases for that duration. If possible, refrain from using shared databases because of that and also because they aren't future-proof not supported in v3.

See here for more details: redislabs. ItamarHaber What is the most efficient way to delete or expire a set of keys that match a specific format?


AlexNaspo if you're using v2. See here for a bash script that does it: stackoverflow.

There are right answers but I just want to add one more option (requires downtime): Stop Redis. Delete RDB file find location in redis. Start Redis.

A reverse shell is a shell session established on a connection that is initiated from a remote machine, not from the local host. Attackers who successfully exploit a remote command execution vulnerability can use a reverse shell to obtain an interactive shell session on the target machine and continue their attack.

A reverse shell (also called a connect-back shell) can also be the only way to gain remote shell access across a NAT or firewall. To establish a typical remote shell, a machine controlled by the attacker connects to a remote network host and requests a shell session. This is called a bind shell.

But what if the remote host is not directly accessible, for example because it has no public IP or is protected by a firewall? In this situation, a reverse shell might be used, where the target machine initiates an outgoing connection to a listening network host and a shell session is established.

Reverse shells are often the only way to perform remote maintenance on hosts behind a NAT, so they have legitimate administrative uses.


However, they can also be used by cybercriminals to execute operating system commands on hosts protected from incoming connections by a firewall or other network security systems. For example, a piece of malware installed on a local workstation via a phishing email or a malicious website might initiate an outgoing connection to a command server and provide hackers with a reverse shell capability.

Firewalls mostly filter incoming traffic, so an outgoing connection to a listening server will often succeed.

When attempting to compromise a server, an attacker may try to exploit a command injection vulnerability on the server system. The injected code will often be a reverse shell script to provide a convenient command shell for further malicious activities. To start with, the attacker needs to start a listener process on their system to listen for reverse shell connections incoming to their IP address, for example On Linux, this can be as simple as one netcat command:

This will start a netcat listener on port Now the attacker needs to manually or automatically execute code on the remote machine to connect to the listener. Kali Linux also comes with a set of ready webshells, including reverse shells. Codes are typically one-liners to allow injection using a single command. As with bash, a perl interpreter should be available on most Linux servers, so a perl command might be another way to obtain a reverse shell:

Unless you are deliberately using reverse shells for remote administration, any reverse shell connections are likely to be malicious.

First we performed a few arbitrary tests without access to the source code and we discovered that a few unexpected inputs at some endpoints would crash the backend application.

We also noticed that the redis server was accessible from the WAN without authentication. We created this small Node. This Node. After a few minutes of analyzing the buggy endpoints in the code we noticed a bad practice issue that could lead to remote code execution.

The stringToRegexp function evaluates user input to create a RegExp object and uses it to find elements in an array.

We can insert our own Javascript code in the output variable and execute it. The stringToRegexp function will escape some characters and the output value will be evaluated. Visiting the address below will print a message on the server terminal. The Javascript code below is a Node. To execute the payload gracefully we used a little trick, we encoded our reverse shell payload to hexadecimal and used the Node.

It's highly recommended to avoid using the eval function in a JavaScript project. The fix was rather simple: they started using the RegExp object directly.


The architecture is rather simple: there are only three Linux servers. Our next step was to review the Node.

The recommended client(s) for a language are marked with a.

Clients with some activity in the official repository within the latest six months are marked with a. Want your client listed here?

Please fork the redis-doc repository and edit the clients. Submit a pull request and you are done. This is an additional list of libraries that are not direct layers on top of the Redis API, but higher level libraries such as ORMs, messaging libraries, and other misc tools that are designed for Redis. Resque Repository defunkt Resque is a Redis-backed Ruby library for creating background jobs, placing them on multiple queues, and processing them later. Ruby Rq Repository nvie Minimalistic Python task queue.

Supports only Redis.


Python Celery Repository asksol Python task queue. Supports multiple backends. Ruby Ohm Repository soveran Object-hash mapping library for Redis. Python readis Repository Homepage hollodotme Lightweight web frontend in PHP for reading data, stats and config from multiple Redis servers. Python Redis-rdb-tools Repository srithedabbler Parse Redis dump. What's more, it won't crash when loading a large number of keys.

Javascript Rdb-parser Repository pconstr node. Javascript Redis-sync Repository pconstr A node. Ruby Rollout Repository jamesgolick Conditionally roll out features with Redis. C Soulmate Repository seatgeek Redis-backed service for fast autocompleting.

Warning: alpha code. Ruby Sidekiq Repository mperham Simple, efficient message processing for your Rails 3 application. Ruby Omhiredis Repository taotetek Redis output plugin for rsyslog rsyslog dev, and rsyslog head. Python Retools Repository benbangert Caching and locking helper library.


Python Redback Repository Higher-level Redis constructs - social graph, full text search, rate limiting, key pairs. Javascript Recurrent Repository pconstr A Redis-backed manager of recurrent jobs, for node. Python redis-mount Repository Homepage poying redis-mount lets you use Redis as a filesystem.

Perl Redset Repository percolate Simple, generic sorted sets backed by Redis that can be used to coordinate distributed systems.

It could be because of an SSRF vulnerability or a misconfigured proxy. In both situations, all you need is to fully control at least one line of the request. Which is pretty common in these scenarios ;-) Of course, the CLI client 'redis-cli' does not support HTTP proxying and we will need to forge our commands ourselves, encapsulated in valid HTTP requests and sent via the proxy.

Everything was tested under version 2. It's old, but that's what the target was using. All you need to know right now is that the interface is very forgiving and will try to parse every provided input until a timeout or the 'QUIT' command. It may only quietly complain via messages like "-ERR unknown command".

When exploiting an SSRF vulnerability or a misconfigured proxy, the first task is usually to scan for known services. As an attacker, I look for services bound to loopback only, using source-based authentication or just plain insecure "because they are not reachable from the outside".

And I was quite happy to see these strings in my logs:

And given no HTTP headers match an existing Redis command, there's a lot of "unknown command" error messages. In my context, the requests were nearly fully controlled by myself and then emitted via a Squid proxy. That means that (1) the HTTP requests must be valid, in order to be processed by the proxy, and (2) the final requests reaching the Redis database may be somewhat normalized by the proxy.

Now, just send a few basic commands (in blue):

This is the binary-safe version of the Redis protocol, and it is needed if you want to use a parameter including spaces. Now that we can easily discuss with the server, a recon phase is needed. Here's the output of "INFO" on my test machine:

The next step is, of course, the file-system. The sandbox allows the dofile command (WHY???).

It can be used to enumerate files and directories. If the Lua script is syntactically invalid or attempts to set global variables, the error messages will leak some content of the target file:

Another scenario, probably not very common, is calling dofile on valid Lua files and returning the variables defined there.

Redis provides redis. So you can offload your SHA-1 cracking to open Redis servers.


When you run a command from the CLI, redis doesn't use the default database. To get information about databases which have some keys, use the command:


I guess redis-cli is not on your PATH - where did you install it to?

Don't make your OS spawn a process just to type in a command. Recommend upvoting Konstantin's answer.
