Vendor of the products: [Adslr](https://wlfw.zepc.edu.cn/...)
Vendor’s website: http://www.adslr.com/
Reported by: Zhuang Haoran (1851805232@163.com)
Affected models and versions:
B-QE2W401 (version ≤ 250814-r037c)
Firmware download address:
http://www.adslr.com/companyfile/2/
This vulnerability originates in send_order.cgi: the CGI ELF binary retrieves parameters from the request and concatenates them into a command string with the sprintf function, without any filtering. This allows remote attackers to execute arbitrary commands without authorization by using command separators.

When the URL contains send_order, sub_13C14 is used to get the parameter, which is then passed to sub_19A80.


QUERY_STRING is compared against the route table, and the matching handler function is then called.

When the parameter is del_swifimac, cmd_handler_33 is called.

The handler gets the variable del_swifimac from the JSON and concatenates it into the parameter s.
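
For comparison with the sprintf concatenation described above, here is a hardened handler shape as an added example; it is not code from the firmware. It assumes del_swifimac carries a MAC address (inferred from the name only), and `is_valid_mac`, `build_del_argv`, the helper path and the `del` argument are hypothetical.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Strict allowlist: exactly six two-digit hex octets separated by ':'.
 * Assumption: del_swifimac is a MAC address (inferred from its name). */
int is_valid_mac(const char *s)
{
    if (s == NULL || strlen(s) != 17)
        return 0;
    for (size_t i = 0; i < 17; i++) {
        if (i % 3 == 2) {
            if (s[i] != ':')
                return 0;
        } else if (!isxdigit((unsigned char)s[i])) {
            return 0;
        }
    }
    return 1;
}

/* Instead of formatting the value into a shell command string, fill an
 * argv array suitable for execv(), so no shell ever parses the value.
 * "/path/to/helper" and "del" are placeholders, not the firmware's
 * real command. Returns 0 on success, -1 if the value is rejected. */
int build_del_argv(const char *mac, const char *argv[4])
{
    if (!is_valid_mac(mac))
        return -1;              /* reject before anything is built */
    argv[0] = "/path/to/helper";
    argv[1] = "del";
    argv[2] = mac;              /* one argument, never re-parsed */
    argv[3] = NULL;
    return 0;
}

int main(void)
{
    /* Constructed sample inputs: one well-formed, two malformed. */
    const char *samples[] = { "00:11:22:33:44:55",
                              "00:11:22:33:44:55;id",
                              "0011.2233.4455" };
    const char *out[4];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-22s -> %s\n", samples[i],
               build_del_argv(samples[i], out) == 0 ? "accepted" : "rejected");
    return 0;
}
```

Validation and shell-free invocation are independent controls: the allowlist rejects malformed values early, and the argv form stays safe even if a validation rule is later loosened.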