Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2021-28149 PoC — Hongdian H8922 路径遍历漏洞

Source
https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2021/CVE-2021-28149.yaml
Associated Vulnerability
Title:Hongdian H8922 路径遍历漏洞 (CVE-2021-28149)
Description:Hongdian H8922是中国Hongdian公司的一个路由器。 Hongdian H8922 3.0.5 devices存在路径遍历漏洞。该漏洞允许远程攻击者以最小的权限从设备下载任何文件。
Description
Hongdian H8922 3.0.5 devices are vulnerable to local file inclusion. The /log_download.cgi log export handler does not validate user input and allows a remote attacker with minimal privileges to download any file from the device by substituting ../ (e.g., ../../etc/passwd) This can be carried out with a web browser by changing the file name accordingly. Upon visiting log_download.cgi?type=../../etc/passwd and logging in, the web server will allow a download of the contents of the /etc/passwd file.
File Snapshot

 id: CVE-2021-28149

info:
  name: Hongdian H8922 3.0.5 Devices - Local File Inclusion
  author: gy74

...
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).
    3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.