# Redis SSRF

{% embed url="<https://www.youtube.com/watch?v=LrLJuyAdoAg>" %}

It used to be that if you could make requests to Redis through SSRF, you could get RCE. However, Redis is aware that this is a big issue, so it now terminates the connection when it comes across a line starting with `POST` or `Host:`.

So you need to somehow get text into Redis before the `Host:` line arrives. One way to accomplish this is CRLF injection. This might not work for HTTP SSRFs, but it might work if you can use the `git://` protocol, for example.

An example payload can be found here:

{% embed url="<https://gitlab.com/gitlab-org/gitlab-ce/issues/41293>" %}
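
From the defending side, both conditions described above (a non-HTTP scheme such as `git://`, and CR/LF characters reaching the outbound connection) can be rejected before any fetch happens. The check below is an added example, not code from this page or from GitLab; the function names and the `http`/`https` allow-list are assumptions.

```python
import ipaddress
from urllib.parse import unquote, urlsplit

ALLOWED_SCHEMES = {"http", "https"}  # assumption: the fetcher only needs web URLs
MAX_DECODE_ROUNDS = 3                # also catches double encoding such as %250a


def has_control_chars(text):
    """True if text holds CR, LF or any other ASCII control character."""
    return any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in text)


def fully_decoded(text):
    """Percent-decode repeatedly until stable or the round limit is reached."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def reject_reasons(url):
    """Return the reasons a user-supplied URL must not be fetched (empty = ok)."""
    reasons = []
    # Inspect the raw string first: urlsplit() in current Python versions
    # silently strips CR/LF/tab, so a check after parsing would miss them.
    if has_control_chars(url) or has_control_chars(fully_decoded(url)):
        reasons.append("control character (CR/LF) in URL")
    try:
        parts = urlsplit(url)
        host = parts.hostname or ""
    except ValueError:
        return reasons + ["unparseable URL"]
    if parts.scheme not in ALLOWED_SCHEMES:
        reasons.append("scheme not allowed: " + (parts.scheme or "<none>"))
    try:
        if not ipaddress.ip_address(host).is_global:
            reasons.append("non-public IP literal: " + host)
    except ValueError:
        pass  # a hostname: resolve it and re-check the address before connecting
    return reasons
```

The IP check only covers literal addresses; a hostname still has to be resolved and the resulting address checked at connect time, and internal Redis instances should additionally require authentication and not be reachable from the fetching service.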
