The 'rm -rf *.*' code in the webshell can delete every file on the targeted device. The backdoor code in the webshell allows an attacker to fetch files from, and upload files to, the targeted device.


The backdoor is enabled by a hardcoded password (BACKDOOR_PASSWD), which appears in the following form in the page source:


<a href="http://xxx.com/mgm_dev_upgrade.asp?backdoor=1">

<form method="post" action="http://xxx.com/mgm_dev_upgrade.asp?backdoor=1">

<input type="hidden" name="backdoor" value="1">

<input type="hidden" name="backdoor_passwd" value="BACKDOOR_PASSWD">


Here, 'BACKDOOR_PASSWD' is the hardcoded password, and the form above is the backdoor code: a request to mgm_dev_upgrade.asp with backdoor=1 in the query string and the hidden backdoor_passwd field in the POST body enables it.
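Because the form's action URL carries backdoor=1 in the query string, a web server access log records that marker for both the GET link and the POST submission even though the POST body (and so the backdoor_passwd value) is not logged. The following is an added detection example, not code from the advisory or the affected product: it scans constructed IIS W3C-format log lines for requests to the backdoor page with the backdoor parameter set, matching the path and parameter case-insensitively because Windows file paths and classic ASP request collections are case-insensitive. The log lines, IP addresses and the IIS field layout are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import parse_qs

# Constructed sample IIS W3C log lines (fields: date time c-ip cs-method
# cs-uri-stem cs-uri-query sc-status). Addresses are documentation ranges.
SAMPLE_IIS_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2022-11-23 02:10:01 192.0.2.10 GET /index.asp - 200
2022-11-23 02:11:17 198.51.100.7 GET /mgm_dev_upgrade.asp backdoor=1 200
2022-11-23 02:11:18 198.51.100.7 POST /mgm_dev_upgrade.asp backdoor=1 200
2022-11-23 02:12:40 192.0.2.11 GET /mgm_dev_upgrade.asp - 200
2022-11-23 02:13:02 203.0.113.5 GET /Mgm_Dev_Upgrade.asp BACKDOOR=1&x=y 404
"""

BACKDOOR_PAGE = "/mgm_dev_upgrade.asp"  # page named in the advisory
BACKDOOR_PARAM = "backdoor"             # query parameter named in the advisory


@dataclass(frozen=True)
class Hit:
    timestamp: str
    client_ip: str
    method: str
    status: int


def parse_iis_line(line: str) -> Optional[Tuple[str, str, str, str, str, str, int]]:
    """Split one W3C log line into its seven fields; None if it does not fit."""
    parts = line.split()
    if len(parts) != 7:
        return None
    date, time, ip, method, stem, query, status = parts
    try:
        return date, time, ip, method, stem, query, int(status)
    except ValueError:
        return None


def is_backdoor_request(stem: str, query: str) -> bool:
    """True when the request targets the upgrade page with backdoor=1.

    IIS writes '-' for an empty query string. Path and parameter names are
    compared case-insensitively because both are case-insensitive on IIS/ASP.
    """
    if stem.lower() != BACKDOOR_PAGE or query == "-":
        return False
    params = {k.lower(): v for k, v in parse_qs(query).items()}
    return "1" in params.get(BACKDOOR_PARAM, [])


def backdoor_hits(log_text: str) -> List[Hit]:
    """Return every logged request that carries the backdoor marker.

    Non-200 responses are kept: a 404 still shows someone probing for the page.
    """
    hits: List[Hit] = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):  # skip blanks and directives
            continue
        rec = parse_iis_line(line)
        if rec is None:
            continue
        date, time, ip, method, stem, query, status = rec
        if is_backdoor_request(stem, query):
            hits.append(Hit(f"{date} {time}", ip, method, status))
    return hits


if __name__ == "__main__":
    for h in backdoor_hits(SAMPLE_IIS_LOG):
        print(f"{h.timestamp} {h.client_ip} {h.method} -> {h.status}")
```

The check keys on the query string rather than the POST body because the body is not in standard access logs; a request to the page without backdoor=1 is ordinary upgrade traffic and is deliberately not flagged. A longer-term fix is removing the page or the hidden-password branch from the firmware, with the log scan serving as a compensating control until then.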

CWE-20 (Improper Input Validation)

The webshell has an unknown vulnerability that allows the attacker to delete files from the targeted device.

Timeline

Published on: 11/23/2022 02:15:00 UTC
Last modified on: 11/23/2022 20:53:00 UTC
