关联漏洞
标题:
ASUS RT-AC3200 命令注入漏洞
(CVE-2018-14714)
描述:ASUS RT-AC3200是中国台湾华硕(ASUS)公司的一款无线路由器。 ASUS RT-AC3200 3.0.0.4.382.50010版本中的appGet.cgi文件存在命令注入漏洞。该漏洞源于外部输入数据构造可执行命令过程中,网络系统或产品未正确过滤其中的特殊元素。攻击者可利用该漏洞执行非法命令。
描述
Time injector is a CVE-2018-14714 exploitation script
介绍
# TimeInjector
Time injector is a CVE-2018-14714 exploitation script in bash
To tell if the target is vulnerable, the script works by first checking if the target is accessible and if it can establish a login session.
After that, it checks for the existence of specific pages and performs a time-based injection to see if the system is vulnerable to remote code execution (RCE).
If the system responds slower when executing a command (like sleep 3), it indicates the target may be vulnerable.
This happens because the server is taking more time to process the injected command, and that delay confirms the vulnerability.
The exploit works by sending a specially crafted payload to the target that causes the system to run commands in an unintended manner, typically allowing command execution or information leakage.
The key part of detecting vulnerability is the response time delay, which shows the target is executing commands based on user input, confirming that an RCE vulnerability exists.
文件快照
[4.0K] /data/pocs/ff7b3d4fb77e736e90fcf04d7bfb56a688191484
├── [1004] README.md
└── [7.1K] TimeInjector.sh
0 directories, 2 files
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。