QNAP TS-431 QTS Remote Command Execution
Posted by deepcore on March 8, 2019 – 7:10 pm
This Metasploit module creates a virtual web server and uploads the php payload into it. Admin privileges cannot access any server files except File Station files. The user who is authorized to create Virtual Web Server can upload malicious php file by activating the server. Exploit creates a new directory into File Station to connect to the web server. However, only the “index.php” file is allowed to work in the virtual web server directory. No files can be executed except “index.php”. Gives an access error. After the harmful “index.php” has been uploaded, the shell can be retrieved from the server. There is also the possibility of working in higher versions. Affects versions prior to 4.2.2.
Post a reply
You must be logged in to post a comment.