Redis SSRF
It used to be that if you could make requests to Redis through SSRF, you could get RCE. However, because Redis is aware that this is a big issue, it now terminates the connection when it comes across a line starting with `POST` or `Host:`.
So you need to somehow get text into Redis before the `Host:` line arrives. One way to accomplish this is CRLF injection. This might not work for HTTP SSRFs, but if you can use the `git://` protocol, for example, then it might work.
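On the defending side, the component that makes the outbound request can refuse the two things this relies on. The following is an added example, not from the original page: a pre-fetch check that rejects raw or percent-encoded control characters (CR/LF) and any scheme other than http/https, such as `git://`. The allow-list, function names and sample URLs are assumptions.

```python
import re
from urllib.parse import urlsplit, unquote

ALLOWED_SCHEMES = {"http", "https"}  # assumption: the fetcher only needs web URLs
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")  # includes CR (0x0d) and LF (0x0a)

def fully_decode(value, max_rounds=5):
    """Percent-decode repeatedly so double-encoded CR/LF (%250d%250a) is seen."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    raise ValueError("too many layers of percent-encoding")

def check_fetch_url(url):
    """Return the URL if it may be handed to the fetcher, else raise ValueError."""
    # Check the raw string first: urlsplit() silently strips CR/LF/TAB.
    if CONTROL_CHARS.search(url):
        raise ValueError("raw control character in URL")
    if CONTROL_CHARS.search(fully_decode(url)):
        raise ValueError("encoded control character in URL")
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme {parts.scheme!r} not allowed")
    if not parts.hostname:
        raise ValueError("URL has no host")
    return url

SAMPLES = [  # constructed inputs for illustration
    "https://example.com/repo.git",
    "git://internal.example:6379/x",
    "https://example.com/x%0d%0ainjected",
    "https://example.com/x%250d%250ainjected",
    "https://example.com/x\r\ninjected",
]

def classify(urls):
    """Map each URL to 'allowed' or 'rejected: <reason>'."""
    results = {}
    for u in urls:
        try:
            check_fetch_url(u)
            results[u] = "allowed"
        except ValueError as exc:
            results[u] = f"rejected: {exc}"
    return results

if __name__ == "__main__":
    for url, verdict in classify(SAMPLES).items():
        print(f"{verdict:50} {url!r}")
```

This check covers only the URL string; it does not replace restricting which hosts and ports the fetcher may reach, or requiring authentication on Redis itself.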
Example payload can be found here: