CVE-2018-14714 PoC — ASUS RT-AC3200 命令注入漏洞

Source

https://github.com/BreadSquad/TimeInjector

Associated Vulnerability

Title:ASUS RT-AC3200 命令注入漏洞 (CVE-2018-14714)
Description:ASUS RT-AC3200是中国台湾华硕（ASUS）公司的一款无线路由器。 ASUS RT-AC3200 3.0.0.4.382.50010版本中的appGet.cgi文件存在命令注入漏洞。该漏洞源于外部输入数据构造可执行命令过程中，网络系统或产品未正确过滤其中的特殊元素。攻击者可利用该漏洞执行非法命令。

Description

Time injector is a CVE-2018-14714 exploitation script

Readme

# TimeInjector
Time injector is a CVE-2018-14714 exploitation script in bash



To tell if the target is vulnerable, the script works by first checking if the target is accessible and if it can establish a login session.

After that, it checks for the existence of specific pages and performs a time-based injection to see if the system is vulnerable to remote code execution (RCE).

If the system responds slower when executing a command (like sleep 3), it indicates the target may be vulnerable.

This happens because the server is taking more time to process the injected command, and that delay confirms the vulnerability.

The exploit works by sending a specially crafted payload to the target that causes the system to run commands in an unintended manner, typically allowing command execution or information leakage.

The key part of detecting vulnerability is the response time delay, which shows the target is executing commands based on user input, confirming that an RCE vulnerability exists.

File Snapshot


 [4.0K]  /data/pocs/0442865ed54415cc812272e49c265e58a0e2c2b1
├── [1004]  README.md
└── [6.7K]  TimeInjector.sh

0 directories, 2 files

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).

3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.

Goal Reached Thanks to every supporter — we hit 100%!