From b418752befc91ae3161ebebb3baac65d2b8b4f0b Mon Sep 17 00:00:00 2001 From: xiaoheihei1107 <62200676+xiaoheihei1107@users.noreply.github.com> Date: Sat, 14 Aug 2021 18:33:25 +0800 Subject: [PATCH] Add CVE-2021-28149 --- Hongdian/CVE-2021-28149/README.md | 11 +++++++++++ 1 file changed, 11 insertions(+) create mode 100644 Hongdian/CVE-2021-28149/README.md diff --git a/Hongdian/CVE-2021-28149/README.md b/Hongdian/CVE-2021-28149/README.md new file mode 100644 index 0000000..e5da208 --- /dev/null +++ b/Hongdian/CVE-2021-28149/README.md @@ -0,0 +1,11 @@ +# Hongdian H8922 Arbitrary File Read (CVE-2021-28149) + +Hongdian H8922 3.0.5 devices allow Directory Traversal. The /log_download.cgi log export handler does not validate user input and allows a remote attacker with minimal privileges to download any file from the device by substituting ../ (e.g., ../../etc/passwd) This can be carried out with a web browser by changing the file name accordingly. Upon visiting log_download.cgi?type=../../etc/passwd and logging in, the web server will allow a download of the contents of the /etc/passwd file. + +FOFA **query rule**: [banner="WWW-Authenticate: Basic realm=" && banner="Server Status"](https://fofa.so/result?qbase64=YmFubmVyPSJXV1ctQXV0aGVudGljYXRlOiBCYXNpYyByZWFsbT0iICYmIGJhbm5lcj0iU2VydmVyIFN0YXR1cyI%3D) + +# Demo + + + +![](Hongdian_H8922_Arbitrary_File_Read_CVE_2021_28149.gif)
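Review bot: The "# Demo" section links to Hongdian_H8922_Arbitrary_File_Read_CVE_2021_28149.gif, but the patch header shows only the README being created (`1 file changed, 11 insertions(+)`, `create mode 100644 Hongdian/CVE-2021-28149/README.md`), so the image reference will be broken unless the GIF is committed alongside it or the link is dropped. Two smaller points in the same hunk: the sentence ending in "(e.g., ../../etc/passwd)" is missing a period before "This can be carried out with a web browser", and "# Demo" sits at the same heading level as the page title, so "## Demo" would read as a subsection. Since the text states the handler is reachable by a remote attacker with minimal privileges, a short remediation line (vendor advisory or fixed firmware if known, and keeping the management interface off untrusted networks) would make the README useful to operators of affected H8922 devices, not only as a writeup of the issue.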