From 7eb1f0706250215b1825c634b0c3c7dc20dfe5ac Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Mustafa=20=C3=87alap?= Date: Tue, 15 Oct 2019 14:03:19 +0200 Subject: [PATCH 1/2] Add documentation for redis file_upload module --- .../auxiliary/scanner/redis/file_upload.md | 48 +++++++++++++++++++ 1 file changed, 48 insertions(+) create mode 100644 documentation/modules/auxiliary/scanner/redis/file_upload.md diff --git a/documentation/modules/auxiliary/scanner/redis/file_upload.md b/documentation/modules/auxiliary/scanner/redis/file_upload.md new file mode 100644 index 0000000000..8019fefa2f --- /dev/null +++ b/documentation/modules/auxiliary/scanner/redis/file_upload.md 
@@ -0,0 +1,48 @@ +## Description + +Redis is an in-memory data structure project implementing a distributed, in-memory key-value database with optional durability. Redis supports different kinds of abstract data structures, such as strings, lists, maps, sets, sorted sets, HyperLogLogs, bitmaps, streams, and spatial indexes. + +This module can be used to leverage functionality exposed by Redis to achieve somewhat arbitrary file upload to a file and directory to which the user account running the redis instance has access. It is not totally arbitrary because the exact contents of the file cannot be completely controlled given the nature of how Redis stores its database on disk. + +## Vulnerable Application + +This module is tested on two different Redis server instances. +Virtual testing environments (inside docker container): + + - Redis 5.0.6 + - Redis 4.0.14 + +## Verification Steps + + 1. Do: `use auxiliary/scanner/redis/file_upload` + 2. Do: `set rhosts [ips]` + 3. Do: `set LocalFile [local_file_path_to_be_uploaded]` + 4. Do: `set RemoteFile [remote_file_destination]` + 5. Do: `run` + +## Options + +**FLUSHALL** + +If set to `true`, redis server will remove all redis data before saving. Defaults to `false`. + +**DISABLE_RDBCOMPRESSION** + +If set to `false`, redis server will disable compression before saving. Defaults to `true`. 
+ +## Scenarios + +### Redis:4.0.14 inside a docker container + ``` +msf5 auxiliary(scanner/redis/file_upload) > set RHOSTS 172.17.0.2 +RHOSTS => 172.17.0.2 +msf5 auxiliary(scanner/redis/file_upload) > set LocalFile redis_upload_test.txt +LocalFile => redis_upload_test.txt +msf5 auxiliary(scanner/redis/file_upload) > set RemoteFile redis_upload_test.txt +RemoteFile => redis_upload_test.txt +msf5 auxiliary(scanner/redis/file_upload) > run + +[+] 172.17.0.2:6379 - 172.17.0.2:6379 -- saved 23 bytes inside of redis DB at redis_upload_test.txt +[*] 172.17.0.2:6379 - Scanned 1 of 1 hosts (100% complete) +[*] Auxiliary module execution completed + ``` \ No newline at end of file From c35554b37cb18be70d29561d95b83cf44d360b61 Mon Sep 17 00:00:00 2001 From: h00die Date: Sun, 20 Oct 2019 20:34:11 -0400 Subject: [PATCH 2/2] redis doc touchup --- .../auxiliary/scanner/redis/file_upload.md | 20 +++++++++++++------ .../auxiliary/scanner/redis/redis_server.md | 2 +- 2 files changed, 15 insertions(+), 7 deletions(-) diff --git a/documentation/modules/auxiliary/scanner/redis/file_upload.md b/documentation/modules/auxiliary/scanner/redis/file_upload.md index 8019fefa2f..1107eee9ad 100644 --- a/documentation/modules/auxiliary/scanner/redis/file_upload.md +++ b/documentation/modules/auxiliary/scanner/redis/file_upload.md 
@@ -22,17 +22,25 @@ Virtual testing environments (inside docker container): ## Options -**FLUSHALL** - -If set to `true`, redis server will remove all redis data before saving. Defaults to `false`. - **DISABLE_RDBCOMPRESSION** If set to `false`, redis server will disable compression before saving. Defaults to `true`. +**FLUSHALL** + +If set to `true`, redis server will remove all redis data before saving. Defaults to `false`. + +**LocalFile** + +Path to the local file to be uploaded. + +**RemoteFile** + +Path, or file name, to store the file as on the Redis server. + ## Scenarios -### Redis:4.0.14 inside a docker container +### Redis: 4.0.14 inside a docker container ``` msf5 auxiliary(scanner/redis/file_upload) > set RHOSTS 172.17.0.2 RHOSTS => 172.17.0.2 @@ -45,4 +53,4 @@ msf5 auxiliary(scanner/redis/file_upload) > run [+] 172.17.0.2:6379 - 172.17.0.2:6379 -- saved 23 bytes inside of redis DB at redis_upload_test.txt [*] 172.17.0.2:6379 - Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed - ``` \ No newline at end of file + ``` diff --git a/documentation/modules/auxiliary/scanner/redis/redis_server.md b/documentation/modules/auxiliary/scanner/redis/redis_server.md index 58c8dc8d5c..49137c87bf 100644 --- a/documentation/modules/auxiliary/scanner/redis/redis_server.md +++ b/documentation/modules/auxiliary/scanner/redis/redis_server.md @@ -28,7 +28,7 @@ Redis commands list can be found [here](https://redis.io/commands). ## Scenarios -### Redis:4.0.14 inside a docker container +### Redis: 4.0.14 inside a docker container ``` msf5 auxiliary(scanner/redis/redis_server) > use auxiliary/scanner/redis/redis_server msf5 auxiliary(scanner/redis/redis_server) > set RHOSTS 172.17.0.3
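Review bot: In the Options section of the new `file_upload.md` (PATCH 1/2, hunk `@@ -0,0 +1,48 @@`), the `DISABLE_RDBCOMPRESSION` text reads as inverted. An option with that name that "Defaults to `true`" would be expected to disable compression when it is `true`, but the text says "If set to `false`, redis server will disable compression before saving." Please check this against the module's behaviour and reword it so the value, the effect and the default agree. In the same hunk, Verification Steps start at `use auxiliary/scanner/redis/file_upload` with no step for bringing up the test Redis instance and no final step stating the expected result (the `saved 23 bytes inside of redis DB at ...` line shown under Scenarios). The `FLUSHALL` entry should also state that existing data on the target instance is lost when it is enabled.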
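Review bot: The new `RemoteFile` entry in the Options hunk of PATCH 2/2 (`@@ -22,17 +22,25 @@`) says "Path, or file name, to store the file as on the Redis server." but does not say which directory a bare file name is resolved against, so a reader cannot tell where `redis_upload_test.txt` from the scenario ends up. Suggest stating the base directory explicitly. `LocalFile` and `RemoteFile` also carry no default or required marker, while the two boolean options both state a default. Since this hunk moves the `DISABLE_RDBCOMPRESSION` paragraph verbatim, the `false` versus `true` wording there is carried over unchanged and could be corrected in this touchup.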
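Review bot: Style point on the `redis_server.md` hunk (`@@ -28,7 +28,7 @@`) and the matching heading change in `file_upload.md`: the new heading `### Redis: 4.0.14 inside a docker container` uses a colon, while the Vulnerable Application list in `file_upload.md` writes the same version as `Redis 4.0.14`. Dropping the colon would keep the version naming consistent across both documents.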