# Sapido多款路由器命令执行漏洞

### 漏洞描述 <a href="#lou-dong-miao-shu" id="lou-dong-miao-shu"></a>

Sapido多款路由器在未授权的情况下，导致任意访问者可以以Root权限执行命令

### 漏洞影响 <a href="#lou-dong-ying-xiang" id="lou-dong-ying-xiang"></a>

&#x20;Note

BR270n-v2.1.03

BRC76n-v2.1.03

GR297-v2.1.3

RB1732-v2.0.43

### FOFA <a href="#fofa" id="fofa"></a>

&#x20;Note

app="Sapido-路由器"

### 漏洞复现 <a href="#lou-dong-fu-xian" id="lou-dong-fu-xian"></a>

固件中存在一个asp文件为 **syscmd.asp** 存在命令执行

![](https://4279400230-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MgxNkYa2vR6HNnHdkjg%2F-Mhr29TNgN3F9wtPQQQU%2F-Mhr2g3-L3zJFkm-Zud-%2Fimage.png?alt=media\&token=1b70e518-47de-498f-a4e8-f01fae30a459)

访问目标:

```
http://xxx.xxx.xxx.xxx/syscmd.asp
http://xxx.xxx.xxx.xxx/syscmd.htm
```

![](https://4279400230-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MgxNkYa2vR6HNnHdkjg%2F-Mhr29TNgN3F9wtPQQQU%2F-Mhr2kF-pnWCB0ZLt9kD%2Fimage.png?alt=media\&token=a3407a37-af8a-4a11-8374-357566f783b6)

直接输入就可以命令执行了