Q: What are some common ways to get a shell from an unauthenticated Redis instance?
A: Common methods to gain a shell from an unauthenticated Redis instance include:
- Writing a Web Shell: Using Redis to write a malicious script (e.g., a PHP web shell) to the web directory.
- Uploading a Web Shell: Uploading a web shell file to the Redis server and then reading it.
- Executing Arbitrary Commands: Exploiting Redis to execute system commands.
- Storing a Trojan: Storing a trojan payload in Redis and then triggering its execution.
- Using RDB Persistence: Injecting a web shell into a Redis RDB backup file.
- Using AOF Persistence: Injecting commands into the Redis AOF file.
- Master-Slave Replication: Using a compromised master to push malicious data to a slave.
- Exploiting the
EVALCommand: Sending a malicious LUA script to Redis for execution. - Using Message Queues: Sending a payload as a message to be executed by a worker.
- Using the
EVALCommand: Executing a LUA script to gain a reverse shell.