It's also wrong. If the C code presented is accurate, the URL would have to contain &name=%22;shell-command-to-run;%22, or perhaps &name=$(shell-command-to-run). name=%27;shell-command-to-run%27 is mostly harmless.
That's nit-picky I know, but when some dude on the internet is trying to get clicks via manufactured rage at incompetent programmers, it's kinda ironic his code is buggy too.
> The vulnerability is localized to the account_mgr.cgi script, particularly in the handling of the cgi_user_add command. The name parameter in this script does not adequately sanitize input, allowing for command execution.
which would be harmless, so clearly if the PoC says %27 then the real format string must be more like "adduser -u '%s' ...". Maybe the Youtuber reversed the wrong firmware. But nonetheless, the point is gotten across.
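An added example, not code from the video, the advisory or either commenter: it checks which bytes stay live inside each quote style the thread argues about, then shows the fix that does not depend on quoting at all. The function names, the 32-character allowlist and the `helper` path are assumptions made for illustration.

```c
#include <ctype.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Returns 1 if `s` contains a byte the shell still interprets when the
 * value is substituted inside the given quote style ('"' or '\''). */
int active_inside_quotes(const char *s, char quote)
{
    /* Inside "..." the shell honours " $ ` and \ ; inside '...' only ' */
    const char *live = (quote == '"') ? "\"$`\\" : "'";
    return strpbrk(s, live) != NULL;
}

/* Allowlist for the hypothetical account name: 1..32 chars of
 * [A-Za-z0-9_-], not starting with '-' (would read as an option). */
int valid_username(const char *s)
{
    size_t n = strlen(s);
    if (n == 0 || n > 32 || s[0] == '-')
        return 0;
    for (size_t i = 0; i < n; i++)
        if (!isalnum((unsigned char)s[i]) && s[i] != '_' && s[i] != '-')
            return 0;
    return 1;
}

/* Hardened call: the name is one argv element and no shell parses it.
 * `helper` is an absolute path to a hypothetical account tool. */
int run_with_name(const char *helper, const char *name)
{
    if (!valid_username(name))
        return -1;                 /* rejected before any process starts */
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)helper, (char *)name, NULL };
        execv(helper, argv);
        _exit(127);                /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

Whichever quote character the real format string uses, some input is live inside it, so the allowlist plus an argv-based exec removes the question instead of answering it.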