
NETGEAR Nighthawk WiFi6 Router (RAX30 AX2400) LAN Side Exploit

How to reproduce

Run the Python 3 exploit code:

$ python3 ex.py [Target IP Address]

Details

minidlnad listens on TCP port 8200. The daemon contains a SQL injection vulnerability in its handling of X_SetBookmark:

...
    if ( sub_191D8(
           dword_57B50,
           "INSERT OR REPLACE into BOOKMARKS VALUES ((select DETAIL_ID from OBJECTS where OBJECT_ID = '%q'), %q)",
           v2,
           v3) )
...

Using the SQL injection, we can execute arbitrary SQL queries, including the ATTACH DATABASE statement. With it, we can create a database file whose extension is php and whose content includes PHP web shell code.
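
An added example (not code from this repository) of why the second, unquoted `%q` in the format string above is injectable, next to a bound-parameter form: `%q` only doubles single quotes, so a value placed outside a string literal is parsed as SQL. It assumes sub_191D8 formats the query printf-style; the schema, sample rows, and function names are constructed for the demo.

```python
import sqlite3

# Format string copied from the decompiled call above.
FMT = ("INSERT OR REPLACE into BOOKMARKS VALUES ((select DETAIL_ID "
       "from OBJECTS where OBJECT_ID = '%q'), %q)")

def q(value):
    """Emulate SQLite's %q: double each single quote, add no outer quotes."""
    return value.replace("'", "''")

def render(object_id, pos):
    """Build the statement the way a printf-style formatter would (assumed)."""
    return FMT.replace("%q", "{}").format(q(object_id), q(pos))

def make_db():
    """Constructed two-table schema with two sample rows, for this demo only."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE OBJECTS (OBJECT_ID TEXT, DETAIL_ID INTEGER);
        CREATE TABLE BOOKMARKS (ID INTEGER PRIMARY KEY, SEC INTEGER);
        INSERT INTO OBJECTS VALUES ('64$0', 7), ('64$1', 8);
    """)
    return db

def set_bookmark_formatted(db, object_id, pos):
    """Weak form: both values are spliced into the SQL text."""
    db.execute(render(object_id, pos))

def set_bookmark_bound(db, object_id, pos):
    """Hardened form: validate the number, then bind both values."""
    if not (pos.isascii() and pos.isdigit()):
        raise ValueError("position must be a decimal integer")
    db.execute(
        "INSERT OR REPLACE INTO BOOKMARKS VALUES "
        "((SELECT DETAIL_ID FROM OBJECTS WHERE OBJECT_ID = ?), ?)",
        (object_id, int(pos)))

def bookmarks(db):
    return db.execute("SELECT ID, SEC FROM BOOKMARKS ORDER BY ID").fetchall()

if __name__ == "__main__":
    db = make_db()
    probe = "(select count(*) from OBJECTS)"  # harmless SQL expression
    set_bookmark_formatted(db, "64$0", probe)
    print(bookmarks(db))  # SEC holds the subquery result, not the input text
    try:
        set_bookmark_bound(db, "64$1", probe)
    except ValueError as err:
        print("rejected:", err)
```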

Credit

  • Zachary Cutlip (@zcutlip): Original discovery
  • Insu Yun, Seunghyun Kim, Gyeongwon Kim: Exploit writing