Vendor: http://totolink.net/
Firmware: https://www.totolink.net/home/menu/detail/menu_listtpl/download/id/259/ids/36.html
V2.0.0-B20230727.1043
sub_4594C0 (the handler function of formMapDelDevice) in /bin/boa of the firmware has a command injection vulnerability.
The "macstr" parameter is read from the HTTP request into $v0. The "bandstr" parameter is read from the HTTP request into $v0_1.
The stack variable var_120 is constructed using sprintf and passed as the parameter of system() at 0x459570.
When "macstr" or "bandstr" contains a carefully crafted payload (e.g. ;ls; or `ls`), this results in command injection.
I'm not able to provide a full exploit for this vulnerability due to legal reasons.
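
A mitigation sketch for the sprintf-into-system() pattern described above, added here as an example and not taken from the advisory or the vendor's code: validate "macstr" and "bandstr" against strict allow-lists, then pass them as separate argv entries so no shell parses them. The MAC format, the band names, and the `/bin/map_tool del` command are assumptions, since the page does not show the real format string.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Assumption: MAC arrives as XX:XX:XX:XX:XX:XX; adjust to the firmware's real format. */
int is_valid_mac(const char *s)
{
    if (s == NULL || strlen(s) != 17)
        return 0;
    for (size_t i = 0; i < 17; i++) {
        int ok = (i % 3 == 2) ? (s[i] == ':') : isxdigit((unsigned char)s[i]);
        if (!ok)
            return 0;
    }
    return 1;
}

/* Assumption: placeholder band names standing in for the values the UI really sends. */
int is_valid_band(const char *s)
{
    static const char *const allowed[] = { "2G", "5G" };
    for (size_t i = 0; s != NULL && i < sizeof(allowed) / sizeof(allowed[0]); i++)
        if (strcmp(s, allowed[i]) == 0)
            return 1;
    return 0;
}

/* Fill argv for execv()/posix_spawn() rather than formatting a string for
 * system(), so no shell parses the values. "/bin/map_tool" and "del" are
 * hypothetical stand-ins. Returns 0 on success, -1 on invalid input. */
int build_del_argv(const char *macstr, const char *bandstr, const char *argv[5])
{
    if (!is_valid_mac(macstr) || !is_valid_band(bandstr))
        return -1;
    argv[0] = "/bin/map_tool";
    argv[1] = "del";
    argv[2] = macstr;
    argv[3] = bandstr;
    argv[4] = NULL;
    return 0;
}

int main(void)
{
    const char *argv[5];
    /* Constructed inputs: a well-formed request, then one with a trailing ";ls;". */
    printf("%d\n", build_del_argv("00:11:22:33:44:55", "5G", argv));
    printf("%d\n", build_del_argv("00:11:22:33:44:55;ls;", "5G", argv));
    return 0;
}
```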