2021-03-27 21:22:33 +00:00
|
|
|
id: CVE-2017-17562
|
|
|
|
|
|
|
|
info:
|
|
|
|
name: Embedthis GoAhead RCE
|
|
|
|
description: Embedthis GoAhead before 3.6.5 allows remote code execution if CGI is enabled and a CGI program is dynamically linked.
|
|
|
|
author: geeknik
|
2021-08-18 11:37:49 +00:00
|
|
|
reference:
|
2021-03-27 21:22:33 +00:00
|
|
|
- https://www.elttam.com/blog/goahead/
|
|
|
|
- https://github.com/ivanitlearning/CVE-2017-17562
|
2021-04-01 07:58:30 +00:00
|
|
|
- https://github.com/vulhub/vulhub/tree/master/goahead/CVE-2017-17562
|
2021-03-27 21:22:33 +00:00
|
|
|
severity: high
|
2021-04-01 07:58:30 +00:00
|
|
|
tags: cve,cve2017,rce,embedthis,goahead,fuzz
|
2021-09-10 11:26:40 +00:00
|
|
|
classification:
|
|
|
|
cvss-metrics: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
|
|
|
|
cvss-score: 8.10
|
|
|
|
cve-id: CVE-2017-17562
|
|
|
|
cwe-id: CWE-20
|
2021-03-27 21:22:33 +00:00
|
|
|
|
|
|
|
requests:
|
2021-08-22 18:09:33 +00:00
|
|
|
- raw:
|
|
|
|
- |
|
2021-09-08 12:17:19 +00:00
|
|
|
GET /cgi-bin/{{endpoint}}?LD_DEBUG=help HTTP/1.1
|
2021-08-22 18:09:33 +00:00
|
|
|
Host: {{Hostname}}
|
|
|
|
Accept: */*
|
|
|
|
|
|
|
|
payloads:
|
2021-03-27 21:22:33 +00:00
|
|
|
endpoint:
|
|
|
|
- admin
|
|
|
|
- apply
|
|
|
|
- non-CA-rev
|
|
|
|
- cgitest
|
|
|
|
- checkCookie
|
|
|
|
- check_user
|
|
|
|
- chn/liveView
|
|
|
|
- cht/liveView
|
|
|
|
- cnswebserver
|
|
|
|
- config
|
|
|
|
- configure/set_link_neg
|
|
|
|
- configure/swports_adjust
|
|
|
|
- eng/liveView
|
|
|
|
- firmware
|
|
|
|
- getCheckCode
|
|
|
|
- get_status
|
|
|
|
- getmac
|
|
|
|
- getparam
|
|
|
|
- guest/Login
|
|
|
|
- home
|
|
|
|
- htmlmgr
|
|
|
|
- index
|
|
|
|
- index/login
|
|
|
|
- jscript
|
|
|
|
- kvm
|
|
|
|
- liveView
|
|
|
|
- login
|
|
|
|
- login.asp
|
|
|
|
- login/login
|
|
|
|
- login/login-page
|
|
|
|
- login_mgr
|
|
|
|
- luci
|
|
|
|
- main
|
|
|
|
- main-cgi
|
|
|
|
- manage/login
|
|
|
|
- menu
|
|
|
|
- mlogin
|
|
|
|
- netbinary
|
|
|
|
- nobody/Captcha
|
|
|
|
- nobody/VerifyCode
|
|
|
|
- normal_userLogin
|
|
|
|
- otgw
|
|
|
|
- page
|
|
|
|
- rulectl
|
|
|
|
- service
|
|
|
|
- set_new_config
|
|
|
|
- sl_webviewer
|
|
|
|
- ssi
|
|
|
|
- status
|
|
|
|
- sysconf
|
|
|
|
- systemutil
|
|
|
|
- t/out
|
|
|
|
- top
|
|
|
|
- unauth
|
|
|
|
- upload
|
|
|
|
- variable
|
|
|
|
- wanstatu
|
|
|
|
- webcm
|
|
|
|
- webmain
|
|
|
|
- webproc
|
|
|
|
- webscr
|
|
|
|
- webviewLogin
|
|
|
|
- webviewLogin_m64
|
|
|
|
- webviewer
|
|
|
|
- welcome
|
|
|
|
|
2021-04-01 07:58:30 +00:00
|
|
|
attack: sniper
|
2021-09-02 11:59:10 +00:00
|
|
|
stop-at-first-match: true
|
2021-03-27 21:22:33 +00:00
|
|
|
matchers-condition: and
|
|
|
|
matchers:
|
|
|
|
- type: status
|
|
|
|
status:
|
|
|
|
- 200
|
|
|
|
- type: word
|
|
|
|
words:
|
2021-03-29 20:04:26 +00:00
|
|
|
- "environment variable"
|
|
|
|
- "display library search paths"
|
|
|
|
condition: and
|