DB-REDIS-RCEExecution

Redis Unauth → RCE via CONFIG

Authless Redis on 6379 — CONFIG SET dir, dbfilename, then SAVE to write an SSH authorized_key / cron / webshell.

§ Where this technique fits

DB-REDIS-RCE is catalogued under the Execution tactic of the offensive-security kill-chain. It appears in 1 approved dossier in the registry, typically at step 3 on average.

§ Dossiers chaining this technique

SSRF → reach internal Redis → write SSH key → RCE
Web app SSRF lets the attacker hit gopher://redis on the internal network. Inject CONFIG SET dir + dbfilename + SAVE to write an SSH authorized_keys onto the Redis host — log in as the Redis user.
step 3 / 6

§ What commonly comes next

01
Valid Accounts
T1078 · Initial Access
seen 1×

§ Where this technique fits

§ Dossiers chaining this technique

SSRF → reach internal Redis → write SSH key → RCE

§ What commonly comes next