I am trying to do a sales demonstration regarding DVR systems and one of the things that is very common about all DVR systems is that they use the exact same login methods as routers do (Netgear, Linksys, etc.), which is simply CGI scripts. So it would be:
If I try to get into a page without logging in, I get a blank page, no code. When I hit a wrong username it just refreshes. What I have been told is that CGI isn’t all that difficult to break, so I am trying to find a way or any resource of how to bypass the login and manipulate the cameras so I can show this to the customer. Can anyone help? I have been checking Google but haven’t found anything.
All I know is that they are running BOA 0.94.14rc21 webserver.
I am trying to gain access to the .cgi scripts that control the DVR bypassing the login, so essentially where it says login I can bypass it somehow or at least alter the CGI files somehow without having login credentials or a way for me to figure out the user and password.
Well no, I wouldn’t be trying to sell the same system while at the same time trying to demonstrate its lack of security; that would be nonsensical. I am trying to show the insecurity of a rival system; we have a different login method.
For what it’s worth, the code you provided doesn’t show anything except a form. It doesn’t illustrate anything except that you enter a password and click a button that fires the JS function “auto_submit()”.
Not that I think it’ll help, but what is the code of that JS function?