qwqdanchun
/
Goby
mirror of https://github.com/qwqdanchun/Goby.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
Goby/json/RaspAP-Operating-System-Com...

149 lines
6.1 KiB
JSON
Raw Normal View History

auto
2022-11-25 02:08:58 -08:00
{
"Name": "RaspAP Operating System Command Injection Vulnerability (CVE-2021-33357)",
"Description": "<p>RaspAP is an application software for simple wireless AP setup and management for Debian based devices</p><p>There is an operating system command injection vulnerability in RaspAP, which stems from improper filtering of special characters such as \";\" in the \"iface\" parameter in RaspAP versions 2.6 to 2.6.5. An attacker can use this vulnerability to execute arbitrary operating system commands.</p>",
"Product": "RaspAP",
"Homepage": "https://raspap.com",
"DisclosureDate": "2021-06-09",
"Author": "NULL2049",
"FofaQuery": "header=\"RaspAP\"|| banner=\"RaspAP\"",
"GobyQuery": "header=\"RaspAP\"|| banner=\"RaspAP\"",
"Level": "3",
"Impact": "<p><span style=\"color: rgb(22, 51, 102); font-size: 16px;\">There is an operating system command injection vulnerability in RaspAP, which stems from improper filtering of special characters such as \";\" in the \"iface\" parameter in RaspAP versions 2.6 to 2.6.5. An attacker can use this vulnerability to execute arbitrary operating system commands.</span><br></p>",
"Recommendation": "<p>At present, the manufacturer has not released fixes to solve this security problem. It is recommended that users of this software pay attention to the manufacturer's homepage or reference website at any time to obtain solutions:</p><p><a href=\"http://www.example.com\" target=\"_blank\">https://gist.github.com/omriinbar/52c000c02a6992c6ce68d531195f69cf</a></p>",
"References": [
"https://nvd.nist.gov/vuln/detail/CVE-2021-33357"
],
"Is0day": false,
"HasExp": true,
"ExpParams": [
{
"name": "AttackType",
"type": "select",
"value": "goby_shell_linux",
"show": ""
}
],
"ExpTips": {
"Type": "",
"Content": ""
},
"ScanSteps": [
"AND",
{
"Request": {
"method": "GET",
"uri": "/test.php",
"follow_redirect": true,
"header": {},
"data_type": "text",
"data": ""
},
"ResponseTest": {
"type": "group",
"operation": "AND",
"checks": [
{
"type": "item",
"variable": "$code",
"operation": "==",
"value": "200",
"bz": ""
},
{
"type": "item",
"variable": "$body",
"operation": "contains",
"value": "test",
"bz": ""
}
]
},
"SetVariable": []
}
],
"ExploitSteps": [
"AND",
{
"Request": {
"method": "GET",
"uri": "/test.php",
"follow_redirect": true,
"header": {},
"data_type": "text",
"data": ""
},
"ResponseTest": {
"type": "group",
"operation": "AND",
"checks": [
{
"type": "item",
"variable": "$code",
"operation": "==",
"value": "200",
"bz": ""
},
{
"type": "item",
"variable": "$body",
"operation": "contains",
"value": "test",
"bz": ""
}
]
},
"SetVariable": []
}
],
"Tags": [
"Command Execution"
],
"VulType": [
"Command Execution"
],
"CVEIDs": [
"CVE-2021-33357"
],
"CNNVD": [
"CNNVD-202106-747"
],
"CNVD": [
"CNVD-2021-94940"
],
"CVSSScore": "9.8",
"Translation": {
"CN": {
"Name": "RaspAP 操作系统命令注入漏洞CVE-2021-33357",
"Product": "RaspAP",
"Description": "<p>RaspAP是应用软件基于 Debian 的设备的简单无线 AP 设置和管理</p><p>RaspAP存在操作系统命令注入漏洞该漏洞源于在RaspAP 2.6版本到2.6.5版本中未正确过滤“iface”参数中的“;”等特殊字符。攻击者利用该漏洞就可以执行任意的操作系统命令。</p>",
"Recommendation": "<p>目前厂商暂未发布修复措施解决此安全问题,建议使用此软件的用户随时关注厂商主页或参考网址以获取解决办法:</p><p><a target=\"_Blank\" href=\"https://gist.github.com/omriinbar/52c000c02a6992c6ce68d531195f69cf\">https://gist.github.com/omriinbar/52c000c02a6992c6ce68d531195f69cf</a></p>",
"Impact": "<p>RaspAP存在操作系统命令注入漏洞该漏洞源于在RaspAP 2.6版本到2.6.5版本中未正确过滤“iface”参数中的“;”等特殊字符。攻击者利用该漏洞就可以执行任意的操作系统命令。<br></p>",
"VulType": [
"命令执⾏"
],
"Tags": [
"命令执⾏"
]
},
"EN": {
"Name": "RaspAP Operating System Command Injection Vulnerability (CVE-2021-33357)",
"Product": "RaspAP",
"Description": "<p>RaspAP is an application software for simple wireless AP setup and management for Debian based devices</p><p>There is an operating system command injection vulnerability in RaspAP, which stems from improper filtering of special characters such as \";\" in the \"iface\" parameter in RaspAP versions 2.6 to 2.6.5. An attacker can use this vulnerability to execute arbitrary operating system commands.</p>",
"Recommendation": "<p>At present, the manufacturer has not released fixes to solve this security problem. It is recommended that users of this software pay attention to the manufacturer's homepage or reference website at any time to obtain solutions:</p><p><a href=\"http://www.example.com\" target=\"_blank\">https://gist.github.com/omriinbar/52c000c02a6992c6ce68d531195f69cf</a></p>",
"Impact": "<p><span style=\"color: rgb(22, 51, 102); font-size: 16px;\">There is an operating system command injection vulnerability in RaspAP, which stems from improper filtering of special characters such as \";\" in the \"iface\" parameter in RaspAP versions 2.6 to 2.6.5. An attacker can use this vulnerability to execute arbitrary operating system commands.</span><br></p>",
"VulType": [
"Command Execution"
],
"Tags": [
"Command Execution"
]
}
},
"AttackSurfaces": {
"Application": null,
"Support": null,
"Service": null,
"System": null,
"Hardware": null
}
}