Website:


We are first greeted with a login page, where we test for an SQLi authentication bypass (' or 1=1 -- -), as well as some basic credentials such as admin:admin. These are unsuccessful.

We notice that we can create an account at /register, so we do so and then log in.

Once logged in, we see a list of firmwares, with some details about each one, as well as a button to report issues.

When reporting an issue, we are taken to a separate report page.

We then submit, and after a short while get a popup suggesting that our issue was successfully reported.

There appears to be no other functionality available to the user.

Source Code:

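Analysing the routes.py file reveals a few routes that we were previously not aware of.

The firmware upload route is interesting. It requires a logged-in user who is also an admin, and it passes the uploaded file to extract_firmware. The code can be seen below: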

@api.route('/firmware/upload', methods=['POST'])
@login_required
@is_admin
def firmware_update():
    if 'file' not in request.files:
        return response('Missing required parameters!'), 401

    extraction = extract_firmware(request.files['file'])
    if extraction:
        return response('Firmware update initialized successfully.')

    return response('Something went wrong, please try again!'), 403