Hello,

I am trying to do a sales demonstration regarding DVR systems and one of the things that is very common about all DVR systems is that they use the exact same login methods as routers do, Netgear, Linksys, etc which is simply CGI scripts. So it would be:

http://url/cgi-bin/record_camera.cgi
http://url/cgi-bin/login_proc.cgi

If I try to get into a page without logging in get a blank page, no code. When I hit a wrong username it just refreshes. What I have been told is that CGI isn't all that difficult to break so I am trying to find a way or any resource of how to bypass the login and manipulate the cameras so I can show this to the customer. Can anyone help? I been checking google but haven't found anything.

All I know is that they are running BOA 0.94.14rc21 webserver.

Their code for logging in:

<td width="110" rowspan="2" align="right"><input type="button" class="btn_login" onclick="auto_submit()" value="LOGIN"></td>
</tr>

<tr>
<td height="22" class="se"><strong>PASSWORD</strong></td>
<td align="center"><input class="i_text01" name="login_pwd" type="password" type="text" size="15" onKeyPress="if(event.keyCode == '13') check_form();"></td>