You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
@@ -13,13 +13,13 @@ The "Ping" and "Traceroute" functions in the AudioCodes 450HD web UI place user-
### Usage/Exploitation
- First login to the web UI of the device. There is a default administrator user using "admin" as the password and "1234" as the password.
- When making a request to the "Traceroute" function of the web UI, something similar to the following request is made:
- When making a request to the "Traceroute" function of the web UI, something similar to the following request is made:
- By modifying the query string of the URL, it is possible to inject arbitrary commands to run on the operating system. The payload that was confirmed working looked like this:
```
traceroute 127.0.0.1|<YOUR COMMAND>|a #'
```
Here is an example screenshot that runs "ls /" on the operating system.
Here is an example screenshot that runs "ls /" on the operating system.
- The following screenshot shows the output of the previous command, which shows that localhost was tracerouted and then a listing of the "/" folder follows.
- The following screenshot shows the output of the previous command, which shows that localhost was tracerouted and then a listing of the "/" folder follows.
