0xf4n9x/CVE-2022-24990

CVE-2022-24990 TerraMaster TOS unauthenticated RCE via PHP Object Instantiation

CVE-2022-24990

CVE-2022-24990 TerraMaster TOS unauthenticated RCE via PHP Object Instantiation

Usage

Vulnerability Detection.

python CVE-2022-24990.py -u http://127.0.0.1:8080

Upload a PHP webshell.

python CVE-2022-24990.py -a http://127.0.0.1:8080

Reference

• https://octagon.net/blog/2022/03/07/cve-2022-24990-terrmaster-tos-unauthenticated-remote-command-execution-via-php-object-instantiation/

• http://wiki.peiqi.tech/wiki/webapp/TerraMaster/TerraMaster%20TOS%20createRaid%20%E8%BF%9C%E7%A8%8B%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E%20CVE-2022-24990.html