.. / CVE-2019-18371

Exploit for Xiaomi Mi WiFi R3G Routers - Local file Inclusion (CVE-2019-18371)

Description:

Xiaomi Mi WiFi R3G devices before 2.28.23-stable are susceptible to local file inclusion vulnerabilities via a misconfigured NGINX alias, as demonstrated by api-third-party/download/extdisks../etc/config/account. With this vulnerability, the attacker can bypass authentication.

Nuclei Template

View the template here CVE-2019-18371.yaml

Validate with Nuclei

echo "$URL" | nuclei -t ~/nuclei-templates/http/cves/2019/CVE-2019-18371.yaml

References:

https://github.com/password520/Penetration_PoC
https://github.com/UltramanGaia/Xiaomi_Mi_WiFi_R3G_Vulnerability_POC/blob/master/arbitrary_file_read_vulnerability.py
https://ultramangaia.github.io/blog/2019/Xiaomi-Series-Router-Command-Execution-Vulnerability.html
https://github.com/UltramanGaia/Xiaomi_Mi_WiFi_R3G_Vulnerability_POC
https://nvd.nist.gov/vuln/detail/CVE-2019-18371

.. / CVE-2019-18371 if(localStorage["style"]=="true"){ document.getElementById('pagestyle').setAttribute('href','/assets/styleDark.css'); document.querySelector('input[type="checkbox"]').checked = true }

Exploit for Xiaomi Mi WiFi R3G Routers - Local file Inclusion (CVE-2019-18371)

Description:

Nuclei Template

Validate with Nuclei

.. / CVE-2019-18371