AMTT Hotel Broadband Operation System Command Injection Vulnerability

Vulnerability

A critical command injection vulnerability has been identified in AMTT Hotel Broadband Operation System version 1.0. The issue arises in the file '/manager/system/nlog_down.php', where the 'ProtocolType' parameter can be manipulated to execute arbitrary commands on the server. This vulnerability can be exploited remotely, and the executed commands do not produce output, requiring the use of a file to capture the results. The vendor has been notified but did not respond.

Impact

Exploitation of this vulnerability allows for arbitrary command execution on the server where the application is running.

Reproduction

To reproduce this vulnerability, send a POST request to '/manager/system/nlog_down.php' with the 'ProtocolType' parameter set to a crafted value that includes a command, such as 'whoami', appended to it. The command execution can be verified by checking the response file '1.txt' in the same directory, which will contain the output of the executed command.
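For defenders, the request described above can be screened in front of the application. The following is an added example, not code from the vendor or from the original report: it checks POST bodies sent to the affected endpoint and rejects any 'ProtocolType' value that is not a plain token. The allow-list pattern, the function names and the sample requests are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs

ENDPOINT = "/manager/system/nlog_down.php"  # path named in the advisory
PARAM = "ProtocolType"                       # parameter named in the advisory
# Assumption: legitimate values are short plain tokens; adjust to the values
# the real form actually submits.
SAFE_VALUE = re.compile(r"[A-Za-z0-9_-]{1,32}")


def inspect_request(method, path, body):
    """Return (verdict, reason) for one request; body is the raw urlencoded form."""
    if method.upper() != "POST" or path.split("?", 1)[0] != ENDPOINT:
        return ("ignore", "not the affected endpoint")
    # parse_qs percent-decodes, so encoded metacharacters are checked too.
    fields = parse_qs(body, keep_blank_values=True, separator="&")
    values = fields.get(PARAM, [])
    if not values:
        return ("allow", "parameter absent")
    if len(values) > 1:
        return ("block", "parameter repeated")
    if not SAFE_VALUE.fullmatch(values[0]):
        return ("block", "value is not a plain token")
    return ("allow", "value is a plain token")


# Constructed sample requests (method, path, body); not captured traffic.
SAMPLES = [
    ("POST", ENDPOINT, "ProtocolType=tcp"),
    ("POST", ENDPOINT, "ProtocolType=tcp%3Bwhoami"),
    ("POST", ENDPOINT, "ProtocolType=tcp&ProtocolType=udp"),
    ("GET", "/index.php", ""),
]


def triage(samples):
    """Return the verdict for each sample, in order."""
    return [inspect_request(*s)[0] for s in samples]


if __name__ == "__main__":
    for sample, verdict in zip(SAMPLES, triage(SAMPLES)):
        print(verdict, sample[2] or sample[1])
```

Since the page reports no vendor response, a filter of this kind at a reverse proxy is a stopgap; the same decision logic can also be run over recorded request bodies to look for past attempts.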

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.3
impact: 7.5
exploitability: 9.1
remediation: 0.0
relevance: 0.0
threat: 6.5
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.