Rsync tips (penetration technique)

Source: Internet
Author: User
Tags: ssh, port

Transferred from 91ri

About rsync

Rsync (Remote Synchronize) is the Linux tool for remote file synchronization: it updates files and directories between two hosts. During synchronization it can preserve source file metadata such as permissions, timestamps, and symbolic and hard links. It is commonly used to distribute and update source code on internal networks, so most developers use it. Developers' weak security awareness and lack of security skills are the root cause of rsync vulnerabilities.

The default rsync configuration file is /etc/rsyncd.conf. Running rsync --daemon starts the service in resident mode; once started it listens on TCP port 873 by default. Authentication can be handled either by the rsync daemon itself or by SSH.

Common Operations

List the entire synchronization directory or specified directory:

rsync 10.0.0.12::
rsync 10.0.0.12::www/

Download an object or directory to a local device:

rsync -avz 10.0.0.12::www/test.php /root
rsync -avz 10.0.0.12::www/ /var/tmp

Upload local files to the server:

rsync -avz webshell.php 10.0.0.12::www/

Port Modification

The configuration file has no option for changing the listening port; the port is set with the --port parameter on the command line when the daemon is started.

The real listening port can therefore be read directly from the running process (its command line).

A port scan can also identify the service name and version automatically.

When connecting as a client you must specify the matching port number, otherwise the connection is refused.

Authentication Method

Rsync allows anonymous access by default. User authentication can be added to a synchronization module in the configuration file, which involves the authentication (secrets) file and the authorized accounts. If a module has no authorized-accounts line (auth users), it allows anonymous access.

The user authentication file is stored in plain text, but its permissions must be set to 600 so that ordinary users cannot read it.

If the permissions of the authentication file are wrong, the client is told that authentication failed even when the password is entered correctly.

Rsync also supports the SSH protocol, so authentication can be done with system users: rsync is transported through an SSH tunnel, much like the scp tool, and the synchronization is then no longer limited to the modules defined in the rsync configuration.

If the server's SSH port is non-standard, use rsync's -e parameter to specify the port.
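The three settings this section turns on (no auth users, a plaintext secrets file that must be mode 600, and the daemon's own access control) are all visible in rsyncd.conf, so a defender can audit them directly. The following is an added example, not code from the original article: it parses a constructed rsyncd.conf in which the www module is the weak one (anonymous, writable, running as root) and the backup module is the hardened counterpart, and it flags the weak settings plus a secrets file readable by group or others. The sample config, module names, paths and the hunter2 password are constructed for the demonstration.

```python
"""Audit an rsyncd.conf for anonymous modules, writable modules, modules that
run as root, and a world/group-readable secrets file."""
import os
import stat
import tempfile

# Constructed sample config (not a real deployment): 'www' is the weak module,
# 'backup' shows the hardened settings.
SAMPLE_CONF = """\
uid = root
gid = root
use chroot = no

[www]
    path = /var/www
    read only = no
    list = yes

[backup]
    path = /srv/backup
    read only = yes
    list = no
    uid = nobody
    gid = nobody
    auth users = backup
    secrets file = /etc/rsyncd.secrets
    hosts allow = 10.0.0.0/24
"""


def parse_rsyncd_conf(text):
    """Return (global_settings, {module: settings}).

    rsyncd.conf is INI-like: '[module]' headers, 'key = value' lines,
    '#' or ';' comments; keys are case-insensitive and may contain spaces.
    """
    globals_, modules, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            modules[current] = {}
            continue
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        target = globals_ if current is None else modules[current]
        target[key.lower()] = value
    return globals_, modules


def _setting(module, globals_, key, default):
    """A module-level value overrides the global one, else rsync's default applies."""
    return module.get(key, globals_.get(key, default)).lower()


def check_secrets_file(path):
    """Return None if only the owner can access the file, else its mode bits."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode if mode & (stat.S_IRWXG | stat.S_IRWXO) else None


def audit_rsyncd_conf(text, check_secrets_perms=True):
    """Return a sorted list of (module, finding) tuples for the weak settings."""
    globals_, modules = parse_rsyncd_conf(text)
    findings = []
    for name, mod in modules.items():
        if "auth users" not in mod:
            findings.append((name, "anonymous access: no 'auth users'"))
        # rsync defaults to 'read only = yes'; anything else makes the module writable.
        if _setting(mod, globals_, "read only", "yes") not in ("yes", "true", "1"):
            findings.append((name, "module is writable: read only = no"))
        # The daemon defaults to uid = nobody for transfers; root keeps uploaded file modes.
        if _setting(mod, globals_, "uid", "nobody") in ("root", "0"):
            findings.append((name, "transfers run as root: uid = root"))
        secrets = mod.get("secrets file")
        if secrets and check_secrets_perms and os.path.exists(secrets):
            bad = check_secrets_file(secrets)
            if bad is not None:
                findings.append((name, f"secrets file {secrets} is mode {bad:04o}, expected 0600"))
    return sorted(findings)


def demo_secrets_file(mode):
    """Write a constructed secrets file with the given mode and return the check result."""
    with tempfile.NamedTemporaryFile("w", delete=False, prefix="rsyncd.secrets-") as f:
        f.write("backup:hunter2\n")  # constructed credential, not a real one
        path = f.name
    os.chmod(path, mode)
    try:
        return check_secrets_file(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for module, finding in audit_rsyncd_conf(SAMPLE_CONF):
        print(f"[{module}] {finding}")
    print("0644 secrets file flagged:", demo_secrets_file(0o644) is not None)
```

The secrets-file check is separated from the config audit so it can be run against a real path without the sample config; with check_secrets_perms=False the audit only inspects the configuration text, which is useful when auditing a copy of rsyncd.conf taken from another host.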

Local Elevation of Privilege

Because the rsync process is started with root permission by default, and because rsync preserves source file permissions during synchronization, an rsync module that is anonymous or protected by a weak password can also be used to escalate local privileges.

Set the SUID permission bit on a bash shell locally and upload it to the server through rsync.

If you have shell access as an ordinary user (through a webshell uploaded via rsync, or through another vulnerability such as a weak password), change to the synchronization directory and check that the permissions of the uploaded shell file are unchanged. Running the file then gives root permission.
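The escalation above works only because the mode bits of the uploaded file survive the transfer into a module that runs as root. The detection side is therefore simple: scan the module path for regular files with the set-user-ID or set-group-ID bit and strip those bits. The following is an added example, not code from the original article; it builds a constructed module directory containing a placeholder "bash" with mode 4755 (a shell script stand-in, not a real binary), reports it, and removes the bits. The directory layout and file names are constructed for the demonstration.

```python
"""Scan an rsync module directory for setuid/setgid files and neutralise them."""
import os
import stat
import tempfile

SETID_BITS = stat.S_ISUID | stat.S_ISGID


def find_setid_files(root):
    """Return sorted module-relative paths of regular files with setuid or setgid set.

    lstat is used so that symlinks are reported by their own mode and never
    followed; a link could otherwise point outside the module path.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISREG(st.st_mode) and st.st_mode & SETID_BITS:
                hits.append(os.path.relpath(full, root))
    return sorted(hits)


def strip_setid(root):
    """Clear setuid/setgid on every hit under root; return how many files were fixed."""
    fixed = 0
    for rel in find_setid_files(root):
        full = os.path.join(root, rel)
        mode = stat.S_IMODE(os.lstat(full).st_mode)
        os.chmod(full, mode & ~SETID_BITS)
        fixed += 1
    return fixed


def build_demo_module():
    """Create a constructed module tree: a plain file plus a setuid 'bash' placeholder."""
    root = tempfile.mkdtemp(prefix="rsync-module-")
    os.makedirs(os.path.join(root, "uploads"))
    plain = os.path.join(root, "index.html")
    with open(plain, "w") as f:
        f.write("<html></html>\n")
    os.chmod(plain, 0o644)
    suid = os.path.join(root, "uploads", "bash")
    with open(suid, "w") as f:
        f.write("#!/bin/sh\n")  # placeholder content standing in for an uploaded shell
    os.chmod(suid, 0o4755)  # the mode an attacker would have set before uploading
    return root


if __name__ == "__main__":
    module = build_demo_module()
    print("setuid/setgid files:", find_setid_files(module))
    print("stripped:", strip_setid(module))
    print("after cleanup:", find_setid_files(module))
```

Run find_setid_files against the real module path from rsyncd.conf (for example from a cron job) and alert on any hit; a legitimate web or source tree should never contain setuid executables, so any result is worth an investigation of the daemon's auth users and uid settings.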

Automated scripts

The Metasploit scanner module for rsync servers that allow anonymous access: auxiliary/scanner/rsync/modules_list

The Nmap script rsync-list-modules lists rsync synchronization directories: https://svn.nmap.org/nmap/scripts/rsync-list-modules.nse. It is not widely used.

Another Nmap script, rsync-brute, brute-forces rsync passwords: https://svn.nmap.org/nmap/scripts/rsync-brute.nse.


rssh 2.3.3-3 does not properly filter the -e option when rsync is used, which allows remote attackers to execute arbitrary commands.

Attack command:

rsync -e ./script.sh localhost:/tmp --server ./
