The `rm -rf *.*` command in the webshell can delete every file on the targeted device: the glob matches every name containing a dot in the directory the webshell runs from, and `-r` recurses into any matching directories. The backdoor code in the webshell lets an attacker download arbitrary files from the targeted device and upload files to it.
The backdoor is enabled through a hardcoded password (BACKDOOR_PASSWD) that is submitted as a hidden form field; the relevant markup in the code is:
<a href="http://xxx.com/mgm_dev_upgrade.asp?backdoor=1">
<form method="post" action="http://xxx.com/mgm_dev_upgrade.asp?backdoor=1">
<input type="hidden" name="backdoor" value="1">
<input type="hidden" name="backdoor_passwd" value="BACKDOOR_PASSWD">
Here, 'BACKDOOR_PASSWD' is the hardcoded password: any client that knows it can submit the form above (the action URL carries backdoor=1) to activate the backdoor.
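As an added example (not code from the advisory or the device vendor), the following script shows the two checks a defender would want for this backdoor: a scan of served pages for the hidden backdoor/backdoor_passwd inputs, and a scan of web server access logs for requests that hit mgm_dev_upgrade.asp with the backdoor query parameter. It assumes Common Log Format for the logs; the sample page and log lines are constructed for the example, and the case-insensitive path match is a defensive choice, not something the advisory states.

```python
"""Detection helpers for the mgm_dev_upgrade.asp backdoor described above.

Added example, not code from the advisory or the device vendor. Two checks:
  scan_html()       - does a served page embed the hidden backdoor/backdoor_passwd
                      inputs, i.e. is the backdoor trigger present in the web root?
  scan_access_log() - which requests hit mgm_dev_upgrade.asp with the backdoor
                      query parameter set, i.e. backdoor activation attempts?
Assumptions: web server logs are in Common Log Format; SAMPLE_PAGE and SAMPLE_LOG
are constructed for this example, not captured from a real device.
"""
import re
from urllib.parse import parse_qs, urlsplit

BACKDOOR_PATH = "/mgm_dev_upgrade.asp"

# Hidden inputs named backdoor / backdoor_passwd; attribute order may vary, so match loosely.
_BACKDOOR_INPUT = re.compile(
    r'<input[^>]*\bname=["\'](backdoor|backdoor_passwd)["\'][^>]*>', re.IGNORECASE)

# Common Log Format (assumed): ip ident user [ts] "METHOD target proto" status size
_CLF = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)')


def is_backdoor_request(target):
    """True if the request target is mgm_dev_upgrade.asp with a backdoor query parameter.

    The path comparison is case-insensitive as a defensive choice (ASP servers
    commonly ignore case); any backdoor value is flagged, not only backdoor=1.
    """
    parts = urlsplit(target)
    if not parts.path.lower().endswith(BACKDOOR_PATH):
        return False
    return "backdoor" in parse_qs(parts.query)


def scan_access_log(lines):
    """Return (ip, timestamp, method, target) for every backdoor activation request."""
    hits = []
    for line in lines:
        m = _CLF.match(line)
        if m is None:
            continue  # unparseable line; a production detector should count these, not drop them
        if is_backdoor_request(m["target"]):
            hits.append((m["ip"], m["ts"], m["method"], m["target"]))
    return hits


def scan_html(html):
    """Return the lowercase names of backdoor hidden inputs found in a page, in document order."""
    return [m.group(1).lower() for m in _BACKDOOR_INPUT.finditer(html)]


# Constructed sample page: the form from the advisory plus a submit button.
SAMPLE_PAGE = """<html><body>
<form method="post" action="http://xxx.com/mgm_dev_upgrade.asp?backdoor=1">
<input type="hidden" name="backdoor" value="1">
<input type="hidden" name="backdoor_passwd" value="BACKDOOR_PASSWD">
<input type="submit" value="Upgrade">
</form></body></html>"""

# Constructed sample access log: one benign request, one plain visit to the upgrade
# page, and two backdoor activations (the last with an upper-case path).
SAMPLE_LOG = [
    '10.0.0.5 - - [23/Nov/2022:10:01:02 +0000] "GET /index.asp HTTP/1.1" 200 512',
    '10.0.0.9 - - [23/Nov/2022:10:01:09 +0000] "POST /mgm_dev_upgrade.asp?backdoor=1 HTTP/1.1" 200 77',
    '10.0.0.9 - - [23/Nov/2022:10:01:15 +0000] "GET /mgm_dev_upgrade.asp HTTP/1.1" 200 1024',
    '10.0.0.9 - - [23/Nov/2022:10:01:20 +0000] "GET /MGM_DEV_UPGRADE.ASP?backdoor=1 HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    print("backdoor inputs in page:", scan_html(SAMPLE_PAGE))
    for hit in scan_access_log(SAMPLE_LOG):
        print("backdoor activation:", hit)
```

The log check keys on the query parameter rather than on the password, because the password travels in the POST body and does not appear in access logs; the page check is the one that confirms the hardcoded BACKDOOR_PASSWD field is actually shipped by the device.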
CWE-20: Improper Input Validation
The webshell has an unspecified vulnerability that allows an attacker to delete files from the targeted device.
Timeline
Published on: 11/23/2022 02:15:00 UTC
Last modified on: 11/23/2022 20:53:00 UTC