Seagate NAS OS 188.8.131.52 SQL Injection Vulnerability
SQL injection in folderViewSpecific.psp in Seagate NAS OS version 184.108.40.206 allows attackers to execute arbitrary SQL commands via the dirId URL parameter.
The information has been provided by Ian Sindermann.
The original article can be found at: https://blog.securityevaluators.com/invading-your-personal-cloud-ise-labs-exploits-the-seagate-stcr3000101-ecf89de2170
This device includes “Seagate Media Service”, which allows users to connect to the device via the “Seagate Media App”. During our study, we determined that this application uses dynamic SQL queries and fails to sanitize user input. As a result, this application is vulnerable to SQL injection attacks. The parameter dirId at endpoint /folderViewSpecific.psp was used to confirm this issue, but other vulnerable endpoints and parameters may exist. An attacker may execute SQL injection attacks via the following steps:
Locate a vulnerable injection point. Due to this application lacking any form of authentication, this may be achieved by simply browsing the application and testing endpoints. For this example, we will use the dirId parameter at /folderViewSpecific.psp.
Inject malicious SQL payloads into the request. Tools such as sqlmap may be used to automate this process. The payload shown below was used during our research.
’qzzbq’,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL — +-&start=0&count=100&ordered=ASC&orderby=name&url=/static/Data/
Once a successful injection point has been located, arbitrary SQL statements may be executed.
- Seagate Nas OS 220.127.116.11