[Vulnerability Reproduction] Sapido RB-1732 Command Injection Vulnerability

IoT | 4 months ago | admin

Firmware analysis

Sapido RB-1732 series firmware before v2.0.43 contains a command injection vulnerability; the vulnerable entry point is syscmd.asp.

First, unpack the firmware with binwalk:

binwalk -Me RB-1732_TC_v2.0.43.bin


After extraction you can see that the file system is squashfs.

Locate the file with find -name syscmd.asp

It is located in the web directory.


The contents of syscmd.asp:

<html>
<!-- Copyright (c) Realtek Semiconductor Corp., 2003. All Rights Reserved. -->
<head>
<meta http-equiv="Content-Type" content="text/html">
<title>System Command</title>
<script>
function saveClick()
{
	field = document.formSysCmd.sysCmd ;
	if(field.value.indexOf("ping")==0 && field.value.indexOf("-c") < 0){
		alert('please add "-c num" to ping command');
		return false;
	}
	if(field.value == ""){
		alert("Command can't be empty");
		field.value = field.defaultValue;
		field.focus();
		return false ;
	}
	return true;
}
</script>
</head>

<body>
<blockquote>
<h2><font color="#0000FF">System Command</font></h2>

<form action=/goform/formSysCmd method=POST name="formSysCmd">
<table border=0 width="500" cellspacing=0 cellpadding=0>
  <tr><font size=2>
	This page can be used to run target system command.
  </tr>
  <tr><hr size=1 noshade align=top></tr>
  <tr>
	<td>System Command: </td>
	<td><input type="text" name="sysCmd" value="" size="20" maxlength="50"></td>
	<td> <input type="submit" value="Apply" name="apply" onClick='return saveClick()'></td>
  </tr>
</table>
<input type="hidden" value="/syscmd.asp" name="submit-url">
</form>
<script language="JavaScript"></script>
<textarea rows="15" name="msg" cols="80" wrap="virtual"><% sysCmdLog(); %></textarea>
<p> <input type="button" value="Refresh" name="refresh" onClick="javascript: window.location.reload()"> <input type="button" value="Close" name="close" onClick="javascript: window.close()"></p></blockquote></font></body>
</html>

On line 29, the form's action attribute points to /goform/formSysCmd.

On line 37, the text input's name (sysCmd) is the parameter that gets passed to formSysCmd.

Search for the string with grep -r "formSysCmd"


This suggests that the webs binary mishandles the submitted string.


Run file on the webs binary.


Analyze it with Ghidra.


Search for the formSysCmd string.



void formSysCmd(int param_1)

{
  char cVar1;
  char *pcVar2;
  char *pcVar3;
  char *pcVar4;
  char *__src;
  char *__src_00;
  char *pcVar5;
  FILE *pFVar6;
  int __fd;
  int iVar7;
  code *pcVar8;
  char acStack_90 [104];
  
  pcVar2 = (char *)websGetVar(param_1,"submit-url",&DAT_0047f498);
  pcVar3 = (char *)websGetVar(param_1,"sysCmd",&DAT_0047f498);   /* POST field sysCmd, attacker-controlled */
  pcVar4 = (char *)websGetVar(param_1,"writeData",&DAT_0047f498);
  __src = (char *)websGetVar(param_1,"filename",&DAT_0047f498);
  __src_00 = (char *)websGetVar(param_1,"fpath",&DAT_0047f498);
  pcVar5 = (char *)websGetVar(param_1,"readfile",&DAT_0047f498);
  if (*pcVar3 != '\0') {
    snprintf(acStack_90,100,"%s 2>&1 > %s",pcVar3,"/tmp/syscmd.log");   /* sysCmd pasted into a shell line unvalidated */
    system(acStack_90);                                                  /* ...and executed by the shell */
  }
  if (*pcVar4 != '\0') {
    strcpy(acStack_90,__src_00);
    strcat(acStack_90,__src);
    pFVar6 = fopen(acStack_90,"w");
    if (pFVar6 == (FILE *)0x0) {
      printf("Open %s fail.\n",acStack_90);
      goto LAB_00463010;
    }
    iVar7 = 0;
    __fd = fileno(pFVar6);
    fchmod(__fd,0x1ff);
    if (0 < *(int *)(param_1 + 0xf0)) {
      do {
        pcVar8 = fputc;
        if (pFVar6->_chain == (_IO_FILE *)0x0) {
          cVar1 = *(char *)(*(int *)(param_1 + 0xcc) + iVar7);
LAB_00462ef4:
          (*pcVar8)((int)cVar1,pFVar6);
        }
        else {
          pcVar3 = pFVar6->_IO_write_base;
          pcVar8 = __fputc_unlocked;
          pcVar4 = (char *)(*(int *)(param_1 + 0xcc) + iVar7);
          if (pFVar6->_IO_buf_base <= pcVar3) {
            cVar1 = *pcVar4;
            goto LAB_00462ef4;
          }
          *pcVar3 = *pcVar4;
          pFVar6->_IO_write_base = pcVar3 + 1;
        }
        iVar7 = iVar7 + 1;
      } while (iVar7 < *(int *)(param_1 + 0xf0));
    }
    fclose(pFVar6);
    printf("Write to %s\n",acStack_90);
    strcpy(&writepath,__src_00);
  }
  if ((*pcVar5 != '\0') && (pFVar6 = fopen(__src_00,"r"), pFVar6 != (FILE *)0x0)) {
    fclose(pFVar6);
    sprintf(acStack_90,"cat %s > /web/obama.dat",__src_00);
    system(acStack_90);
    usleep(10000);
    pcVar2 = "/obama.dat";
  }
LAB_00463010:
  websRedirect(param_1,pcVar2);
  return;
}

At line 18, pcVar3 is obtained by calling websGetVar to read the value submitted in the sysCmd parameter.

At line 24, snprintf formats pcVar3 into acStack_90.

acStack_90 is then passed to system() as its argument,

which results in a command injection vulnerability.
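The root cause above is that the request value is interpolated into a shell command line and handed to system(), so nothing stops shell metacharacters from being interpreted. The following is an added example (not vendor code and not part of the original post) of how such a handler should be written instead: tokenize the value, allowlist the program, restrict the argument alphabet, and run it with execvp() so no shell is involved. The allowlist (ping, traceroute) and the function names are assumptions.

```c
#include <ctype.h>
#include <fcntl.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>
/* Hardened replacement for the formSysCmd pattern above (added example, not vendor code):
 * the request value is split into an argv, argv[0] is checked against an allowlist, every
 * argument is checked against a strict alphabet, and the program runs via execvp() without
 * a shell, so ';', '|', '`', '$(' and redirections are never interpreted. Allowlist assumed. */
#define MAX_ARGS 8
static const char *const ALLOWED_PROGS[] = { "ping", "traceroute", NULL };
/* 1 if every byte of s is alphanumeric or one of '.', ':', '-' (hosts, IPs, flags), else 0. */
static int arg_is_clean(const char *s) {
    if (*s == '\0') return 0;
    for (; *s; s++)
        if (!isalnum((unsigned char)*s) && !strchr(".:-", *s)) return 0;
    return 1;
}

/* Copies cmd into buf and splits it on spaces into a NULL-terminated argv. Returns argc on
 * success, or 0 if cmd is empty, longer than the form's maxlength (50) or buf, has too many
 * words, contains an unclean argument, or names a program that is not allowlisted. */
int parse_syscmd(const char *cmd, char *buf, size_t buflen, char **argv) {
    int argc = 0;
    if (strlen(cmd) > 50 || strlen(cmd) >= buflen) return 0;
    strcpy(buf, cmd);
    for (char *tok = strtok(buf, " "); tok; tok = strtok(NULL, " ")) {
        if (argc >= MAX_ARGS - 1 || !arg_is_clean(tok)) return 0;
        argv[argc++] = tok;
    }
    argv[argc] = NULL;
    for (int i = 0; argc > 0 && ALLOWED_PROGS[i]; i++)
        if (strcmp(argv[0], ALLOWED_PROGS[i]) == 0) return argc;
    return 0;
}
/* Runs a validated argv with stdout and stderr written to logpath, without a shell.
 * Returns the child's exit status, or -1 if fork/wait fails or the child was killed. */
int run_syscmd(char **argv, const char *logpath) {
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        int fd = open(logpath, O_WRONLY | O_CREAT | O_TRUNC, 0600);
        if (fd < 0) _exit(127);
        dup2(fd, STDOUT_FILENO); dup2(fd, STDERR_FILENO); close(fd);
        execvp(argv[0], argv);
        _exit(127); /* exec failed (program not installed) */
    }
    return (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) ? -1 : WEXITSTATUS(status);
}
```

A handler would call parse_syscmd() on the sysCmd value and only call run_syscmd() when it returns non-zero; a rejected request is logged and redirected without executing anything.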


Vulnerability reproduction

Emulate the firmware with FirmAE:

sudo ./run.sh -a Sapido /home/ubuntu/Desktop/RB-1732_TC_v2.0.43.bin 

Once emulation succeeds, enter 192.168.1.1/admin.asp in the browser to reach the login page.

The default username and password are admin / admin.


After logging in, open syscmd.asp.


This successfully reproduces the command injection vulnerability.

Originally published on the WeChat official account ProtoWare安全实验室: [Vulnerability Reproduction] Sapido RB-1732 Command Injection Vulnerability

Copyright notice: posted by admin on 29 June 2024 at 16:50.
Reprints must credit: [Vulnerability Reproduction] Sapido RB-1732 Command Injection Vulnerability | CTF导航
