The process of finding command-injectable pages within an embedded web application is rather trivial. The first places within an application we want to examine are diagnostic pages that make use of system commands, such as ping or traceroute, as well as configuration setting pages for daemons, such as SMB, PPTP, or FTP. If we have acquired the firmware or gained access to a target device's console, it's always best to statically analyze the vulnerable scripts and functions that the device executes and to validate potential findings discovered via dynamic analysis:
- Let's have a look at our target IP camera's configuration menu settings to pinpoint a potentially vulnerable page:
- There are not many pages to choose from, but we do see ...
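
The static-analysis step described above, as an added example (not code from the original text): a small Python triage pass over scripts from an extracted firmware web root that flags lines where request-derived input reaches a shell-executing call. The source and sink patterns, the file names and the script contents are assumptions constructed for illustration, and the heuristic only covers shell and PHP style scripts.

```python
import re

# Heuristic patterns chosen for this example (assumptions, not from the page).
SOURCE = re.compile(r"QUERY_STRING|\$_(?:GET|POST|REQUEST)\b|\$\{?FORM_\w+")
SINK = re.compile(r"\b(?:system|popen|shell_exec|passthru|exec|eval)\b|`")
ASSIGN = re.compile(r"^\s*\$?(\w+)\s*=\s*(.+)$")

def uses_input(text, tainted):
    """True if text reads a request source or a variable derived from one."""
    if SOURCE.search(text):
        return True
    return any(re.search(r"\$\{?" + re.escape(v) + r"\b", text) for v in tainted)

def triage(files):
    """Return (path, line_no, line) for each sink line fed by request input."""
    findings = []
    for path, body in sorted(files.items()):
        tainted = set()  # variables currently holding request-derived data
        for no, line in enumerate(body.splitlines(), 1):
            if line.lstrip().startswith(("#", "//")):
                continue  # skip comments and the shebang
            m = ASSIGN.match(line)
            expr = m.group(2) if m else line
            hit = uses_input(expr, tainted)
            if hit and SINK.search(expr):
                findings.append((path, no, line.strip()))
            if m:  # propagate taint on assignment, clear it on clean reassignment
                (tainted.add if hit else tainted.discard)(m.group(1))
    return findings

# Constructed sample scripts standing in for an extracted firmware web root.
SAMPLE = {
    "www/cgi-bin/diag.cgi": "\n".join([
        "#!/bin/sh",
        'host=$(echo "$QUERY_STRING" | cut -d= -f2)',
        'eval "ping -c 1 $host"',
    ]),
    "www/ftp_settings.php": "\n".join([
        "<?php",
        '$user = $_POST["ftp_user"];',
        'system("ftpd-adduser " . $user);',
    ]),
    "www/status.php": "\n".join(["<?php", '$up = shell_exec("uptime");', "echo $up;"]),
}

if __name__ == "__main__":
    for path, no, line in triage(SAMPLE):
        print(f"{path}:{no}: review: {line}")
```

Each flagged line is a candidate for manual review, not a confirmed finding; the fixed `uptime` call in `status.php` is not flagged because no request data reaches it.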