Share
## https://sploitus.com/exploit?id=4BA8E6B0-7213-57EF-BA0C-6B9DF4F52741
### CVE-2022-46649

PoC exploit for CVE-2022-46649, a command injection vulnerability in the /cgi-bin/iplogging.cgi endpoint.

The vulnerability allows authenticated attackers to execute arbitrary OS commands via crafted tcpdumpParams.

---

#### Overview

- Vulnerability: OS Command Injection
- Endpoint: /admin/tools/iplogging.cgi
- Vector: tcpdumpParams parameter
- Auth Required: Yes
- Impact: Remote command execution

---

#### How It Works

- Authenticate via /xml/Connect.xml
- Maintain session using cookies
- Send malicious payload to iplogging.cgi
- Inject command via -z option in tcpdumpParams

---

#### Usage

```
python3 exploit.py     
```

Example
```
python3 exploit.py 192.168.13.1 9443 admin admin "reboot"
```

---

#### Notes

- SSL verification is disabled (verify=False)
- Target must be reachable over HTTPS
- Valid credentials are required