关联漏洞
标题:ASUS RT-AC3200 命令注入漏洞 (CVE-2018-14714)Description:ASUS RT-AC3200是中国台湾华硕(ASUS)公司的一款无线路由器。 ASUS RT-AC3200 3.0.0.4.382.50010版本中的appGet.cgi文件存在命令注入漏洞。该漏洞源于外部输入数据构造可执行命令过程中,网络系统或产品未正确过滤其中的特殊元素。攻击者可利用该漏洞执行非法命令。
Description
Time injector is a CVE-2018-14714 exploitation script
介绍
# TimeInjector
Time injector is a CVE-2018-14714 exploitation script in bash
To tell if the target is vulnerable, the script works by first checking if the target is accessible and if it can establish a login session.
After that, it checks for the existence of specific pages and performs a time-based injection to see if the system is vulnerable to remote code execution (RCE).
If the system responds slower when executing a command (like sleep 3), it indicates the target may be vulnerable.
This happens because the server is taking more time to process the injected command, and that delay confirms the vulnerability.
The exploit works by sending a specially crafted payload to the target that causes the system to run commands in an unintended manner, typically allowing command execution or information leakage.
The key part of detecting vulnerability is the response time delay, which shows the target is executing commands based on user input, confirming that an RCE vulnerability exists.
文件快照
[4.0K] /data/pocs/0442865ed54415cc812272e49c265e58a0e2c2b1
├── [1004] README.md
└── [6.7K] TimeInjector.sh
0 directories, 2 files
备注
1. 建议优先通过来源进行访问。
2. 本地 POC 快照面向订阅用户开放;当原始来源失效或无法访问时,本地镜像作为订阅权益的一部分提供。
3. 持续抓取、验证、维护这份 POC 档案需要不少投入,因此本地快照已纳入付费订阅。您的订阅是让这份资料能继续走下去的关键,由衷感谢。 查看订阅方案 →