Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2021-41282 PoC — pfSense 注入漏洞

Source
https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2021/CVE-2021-41282.yaml
Associated Vulnerability
Title:pfSense 注入漏洞 (CVE-2021-41282)
Description:pfSense是一套基于FreeBSD Linux的网络防火墙。 pfSense 存在注入漏洞,攻击者可利用该漏洞通过diag_routes.php来运行代码。
Description
diag_routes.php in pfSense 2.5.2 allows sed data injection. Authenticated users are intended to be able to view data about the routes set in the firewall. The data is retrieved by executing the netstat utility, and then its output is parsed via the sed utility. Although the common protection mechanisms against command injection (e.g., the usage of the escapeshellarg function for the arguments) are used, it is still possible to inject sed-specific code and write an arbitrary file in an arbitrary location.
File Snapshot

 id: CVE-2021-41282

info:
  name: pfSense - Arbitrary File Write
  author: cckuailong
  severity: hi

...
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).
    3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.