by rstuart4133
572 days ago
It's also wrong. If the C code presented is accurate the URL would have to contain &name=%22;shell-command-to-run;%22, or perhaps &name=$(shell-command-to-run). name=%27;shell-command-to-run%27 is mostly harmless. That's nit-picky I know, but when some dude on the internet is trying to get clicks via manufactured rage at incompetent programmers, it's kinda ironic his code is buggy too.
https://netsecfish.notion.site/Command-Injection-Vulnerabili...
> The vulnerability is localized to the account_mgr.cgi script, particularly in the handling of the cgi_user_add command. The name parameter in this script does not adequately sanitize input, allowing for command execution.
> /cgi-bin/account_mgr.cgi?cmd=cgi_user_add&name=%27;<INJECTED_SHELL_COMMAND>;%27
I know, I know, that would mean the exact command run, based on the reversed code shown on screen at https://youtu.be/-vpGswuYVg8?t=656 would be
which would be harmless, so clearly if the PoC says %27 then the real format string must be more like "adduser -u '%s' ...". Maybe the YouTuber reversed the wrong firmware. But nonetheless, the point is gotten across.
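The quoting argument in the comment above, carried through in C as an added example (this is not code from the comment, the linked advisory, or the D-Link firmware). It assumes two hypothetical format strings, `adduser -u "%s" -g users` and `adduser -u '%s' -g users`, as stand-ins for whatever account_mgr.cgi really does, uses `id` as a placeholder for the injected command, and implements only the parts of POSIX shell quoting that matter here (single quotes, double quotes, backslash, `;`/`&`/`|` separators and `$(...)`/backtick substitution; no heredocs or parameter expansion). The question it answers is whether the injected separator or substitution ends up somewhere the shell would honour it.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Minimal percent-decoder for a query-string value (no '+' handling). */
static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

size_t url_decode(const char *in, char *out, size_t outsz) {
    size_t n = 0;
    for (size_t i = 0; in[i] && n + 1 < outsz; i++) {
        if (in[i] == '%' && in[i + 1] && in[i + 2]) {
            int hi = hexval(in[i + 1]), lo = hexval(in[i + 2]);
            if (hi >= 0 && lo >= 0) { out[n++] = (char)(hi * 16 + lo); i += 2; continue; }
        }
        out[n++] = in[i];
    }
    out[n] = '\0';
    return n;
}

/* Splice the (already decoded) user value into the first "%s" of a
   hypothetical format string, the way a naive CGI handler would before
   handing the result to system()/popen(). */
void build_command(const char *fmt, const char *name, char *out, size_t outsz) {
    const char *slot = strstr(fmt, "%s");
    if (!slot) { snprintf(out, outsz, "%s", fmt); return; }
    snprintf(out, outsz, "%.*s%s%s", (int)(slot - fmt), fmt, name, slot + 2);
}

/* Simplified POSIX shell quote tracker. Returns true if the command line
   contains a separator (';' '&' '|' newline) outside any quotes, or a
   command substitution ("$(" or '`') outside single quotes. Double quotes
   neutralise ';' but NOT "$(" or backticks, which is the point at issue. */
bool shell_would_execute_injection(const char *cmd) {
    enum { PLAIN, SQ, DQ } st = PLAIN;
    for (const char *p = cmd; *p; p++) {
        char c = *p;
        if (st == SQ) {                       /* everything literal until ' */
            if (c == '\'') st = PLAIN;
        } else if (st == DQ) {
            if (c == '\\' && p[1] && strchr("$`\"\\", p[1])) { p++; continue; }
            if (c == '"') { st = PLAIN; continue; }
            if (c == '`' || (c == '$' && p[1] == '(')) return true;
        } else {                              /* PLAIN */
            if (c == '\\' && p[1]) { p++; continue; }
            if (c == '\'') { st = SQ; continue; }
            if (c == '"') { st = DQ; continue; }
            if (c == ';' || c == '&' || c == '|' || c == '\n') return true;
            if (c == '`' || (c == '$' && p[1] == '(')) return true;
        }
    }
    return false;
}

/* End-to-end: decode the name= value, splice it into fmt, ask the tracker. */
bool injection_lands(const char *fmt, const char *encoded_name) {
    char name[256], cmd[512];
    url_decode(encoded_name, name, sizeof name);
    build_command(fmt, name, cmd, sizeof cmd);
    return shell_would_execute_injection(cmd);
}

int main(void) {
    /* Hypothetical format strings; the real one is not established on the page. */
    const char *dq_fmt = "adduser -u \"%s\" -g users";
    const char *sq_fmt = "adduser -u '%s' -g users";
    const char *payloads[] = { "%27;id;%27", "%22;id;%22", "%24%28id%29" };
    for (size_t i = 0; i < 3; i++) {
        printf("%-14s  dq-format: %-9s  sq-format: %s\n", payloads[i],
               injection_lands(dq_fmt, payloads[i]) ? "executes" : "harmless",
               injection_lands(sq_fmt, payloads[i]) ? "executes" : "harmless");
    }
    return 0;
}
```

With a double-quoted format string the `%27;id;%27` payload from the advisory lands entirely inside the double quotes and is just a strange username, while `%22;id;%22` and `$(id)` both execute; with a single-quoted format string the situation flips, which is the comment's reason for suspecting the reversed code and the PoC disagree.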