====== Server related ======

Note: This research was done on an HDR-AS15, but due to the similarities in features and other parts of the firmware I believe it will be relevant for the NEX-5R and NEX-6.

The camera provides web servers in 2 modes:

  * Viewfinder Mode
  * Send Mode

===== Viewfinder Mode =====

The web server in Viewfinder mode runs on port 10000: ''http://10.0.0.1:10000/''

It is mainly controlled by POST and GET of JSON, but it also provides a JavaScript file called ''orb-client.min.js''.

Because it serves this file, it is possible to use ''../'' for web server directory traversal and arbitrary file access.

''http://10.0.0.1:10000/sony/../../../../'' is the root of the filesystem.

Note: Because the file is always served as ''text/plain'', it is not possible to read binary files that contain 0x00 bytes. If you try to read an ELF binary you will only receive 7 bytes, which are the header of the ELF file before a NULL byte.

It is possible to test for files, folders and symlinks that exist, as they will return an empty response; if the file does not exist, a JSON 404 error is returned.

==== Filesystem ====

Using this I have found the following filesystem features:

  / bin/ busybox etc/ dhcpd.conf lib/ log/ root/ sbin/ tmp/ usr/ bin sbin var/ version.txt

''dhcpd.conf'' is the default configuration file provided with ISC dhcpd.

===== Send Mode =====

There are 2 web servers in the "Send" mode, which are on ports 64321 and 60152.

I have so far been unable to put these web servers to any use. However:

  * 60152 is used to provide the UPnP/DLNA XML files
  * 64321 is used to send the thumbnails and video files that are copied from the camera using the PlayMemories application

I have uploaded a {{hdr-as15_-_send.tar.gz|pcap}} dump readable in Wireshark if anyone is interested in pursuing this further.
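
A server-side check that would close the Viewfinder Mode traversal described above, as an added example (not code from the camera firmware or from the original research): it resolves each request against the document root and answers 404 both for missing files and for paths outside the root, which also removes the "empty response means it exists" oracle. Only the ''/sony/'' prefix and ''orb-client.min.js'' come from the page; the function names, the ''www'' root and the sample tree are constructed for the demonstration.

```python
import os
import tempfile
from urllib.parse import unquote

PREFIX = "/sony/"  # URL prefix taken from the page; everything else is assumed


def resolve(doc_root, url_path):
    """Return the real path of a servable file under doc_root, else None."""
    if not url_path.startswith(PREFIX):
        return None
    rel = unquote(url_path[len(PREFIX):])      # decode %2e%2e before checking
    if "\x00" in rel:
        return None
    root = os.path.realpath(doc_root)
    # realpath collapses "../" and follows symlinks, so the comparison
    # below sees where the request really lands on disk.
    target = os.path.realpath(os.path.join(root, rel))
    if os.path.commonpath([root, target]) != root:
        return None                            # escaped the document root
    return target if os.path.isfile(target) else None


def status(doc_root, url_path):
    """Same answer for 'missing' and 'outside the root': no existence oracle."""
    return 200 if resolve(doc_root, url_path) else 404


def demo():
    """Build a constructed tree and probe it with traversal-shaped requests."""
    with tempfile.TemporaryDirectory() as fs:
        root = os.path.join(fs, "www")
        os.mkdir(root)
        open(os.path.join(root, "orb-client.min.js"), "w").close()
        open(os.path.join(fs, "version.txt"), "w").close()   # outside the root
        os.symlink(fs, os.path.join(root, "up"))             # link out of root
        paths = ["/sony/orb-client.min.js", "/sony/../version.txt",
                 "/sony/%2e%2e/version.txt", "/sony/up/version.txt",
                 "/sony/../missing", "/sony//etc/passwd"]
        return {p: status(root, p) for p in paths}


if __name__ == "__main__":
    for path, code in demo().items():
        print(code, path)
```

Comparing resolved real paths, rather than searching the request string for ''../'', is what covers the percent-encoded, absolute-path and symlink variants with one check.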