Vendor of the products: [Adslr](https://wlfw.zepc.edu.cn/...)
Vendor’s website: http://www.adslr.com/
Reported by: Zhuang Haoran (1851805232@163.com)
Affected models and versions:
B-QE2W401 (version ≤ 250814-r037c)
Firmware download address:
http://www.adslr.com/companyfile/2/
This vulnerability originates from send_order.cgi: the CGI ELF binary retrieves parameters from the request and concatenates them into a command string with sprintf without any filtering, which allows remote attackers to execute arbitrary commands without authorization by using command separators.

When the URL contains send_order, sub_13C14 retrieves the parameter and passes it to sub_19A80.


QUERY_STRING is compared against the route table, and the matching handler function is called.

When the parameter is set_mesh_disconnect, cmd_handler_79_0 is called.

The handler reads the mac variable from the JSON and, when ip exists, concatenates mac into s_3, the command string.
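
A mitigation for the pattern described above, as an added example that is not the vendor's code and is not taken from the firmware: validate mac against a strict allow-list and pass it as a single argv element instead of formatting it into a shell command with sprintf. The tool path, the sub-command name and the colon-separated MAC format are assumptions.

```c
/* Added example: strict allow-list validation for the mac field before it
 * reaches any command. MESH_TOOL and "disconnect" are hypothetical names. */
#include <ctype.h>
#include <stddef.h>
#include <string.h>

#define MESH_TOOL "/usr/sbin/mesh_tool"   /* hypothetical placeholder path */

/* Accept only XX:XX:XX:XX:XX:XX (17 chars, hex digits, ':' separators).
 * Anything else, including shell metacharacters, is rejected. */
int is_valid_mac(const char *s)
{
    if (s == NULL || strlen(s) != 17)
        return 0;
    for (size_t i = 0; i < 17; i++) {
        if (i % 3 == 2) {
            if (s[i] != ':')
                return 0;
        } else if (!isxdigit((unsigned char)s[i])) {
            return 0;
        }
    }
    return 1;
}

/* Fill argv for execv((char *const *)argv): the value stays one argument
 * and no shell ever parses it. Returns 0 on success, -1 if mac is rejected. */
int build_disconnect_argv(const char *mac, const char *argv[4])
{
    if (!is_valid_mac(mac))
        return -1;
    argv[0] = MESH_TOOL;
    argv[1] = "disconnect";   /* hypothetical sub-command */
    argv[2] = mac;
    argv[3] = NULL;
    return 0;
}

int main(void)
{
    const char *argv[4];
    /* Constructed inputs: a well-formed MAC and one with trailing characters. */
    int ok  = build_disconnect_argv("aa:bb:cc:dd:ee:ff", argv);
    int bad = build_disconnect_argv("aa:bb:cc:dd:ee:ff;x", argv);
    return (ok == 0 && bad == -1) ? 0 : 1;
}
```
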