Note: This research was done on an HDR-AS15, but due to the similarities in features and other parts of the firmware I believe it will be relevant for the NEX-5R and NEX-6.
The camera provides web servers in 2 modes.
The web server in the Viewfinder mode runs on port 10000.
It is mainly controlled by POST and GET requests carrying JSON, but it also serves a JavaScript file called orb-client.min.js. Because it serves this file, it is possible to use '../' for web server directory traversal and arbitrary file access:
http://10.0.0.1:10000/sony/../../../../
is the root of the filesystem
Note: Because the file is always served as text/plain, it is not possible to read binary files that contain 0x00 bytes. If you try to read an ELF binary you will only receive 7 bytes, which are the header of the ELF file before a NULL byte.
It is possible to test which files/folders/symlinks exist, as they will return an empty response; if the file does not exist, a JSON 404 error will be returned.
From using this I have found the following filesystem features:
/ bin/ busybox etc/ dhcpd.conf lib/ log/ root/ sbin/ tmp/ usr/ bin sbin var/ version.txt
dhcpd.conf is the default configuration file provided with isc dhcpd.
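The traversal described above comes from mapping the request path onto the filesystem without checking where it ends up. The following is an added example, not code from the camera firmware or from the original page: it puts the unchecked mapping beside a containment check that refuses '../', percent-encoded '..' and symlinks that leave the web root. The web root layout, the function names and the sample paths other than the page's own URL path are assumptions constructed for the illustration.

```python
import os
import tempfile
from urllib.parse import unquote

URL_PREFIX = "/sony/"  # prefix taken from the page's example URL


def naive_resolve(root, url_path):
    """Vulnerable pattern: the request path is appended to the root unchecked."""
    return os.path.normpath(os.path.join(root, url_path[len(URL_PREFIX):]))


def safe_resolve(root, url_path):
    """Return the real path of the requested file inside root, else None."""
    if not url_path.startswith(URL_PREFIX):
        return None
    rel = unquote(url_path[len(URL_PREFIX):])  # decode %2e%2e before checking
    if "\x00" in rel:  # an embedded NUL would cut the name short in C code
        return None
    root_real = os.path.realpath(root)
    # realpath collapses '..' and follows symlinks, so both escapes are caught
    candidate = os.path.realpath(os.path.join(root_real, rel))
    if os.path.commonpath([root_real, candidate]) != root_real:
        return None
    return candidate


def make_constructed_root():
    """Build a throwaway web root (constructed sample, not the camera's layout)."""
    base = tempfile.mkdtemp()
    root = os.path.join(base, "www")
    os.mkdir(root)
    open(os.path.join(root, "orb-client.min.js"), "w").close()
    os.symlink(base, os.path.join(root, "link"))  # symlink leading out of root
    return root


if __name__ == "__main__":
    root = make_constructed_root()
    for path in ("/sony/orb-client.min.js",      # legitimate request
                 "/sony/../../../../",           # URL path from the page
                 "/sony/%2e%2e/%2e%2e/etc/dhcpd.conf",
                 "/sony/link/version.txt"):      # escape through a symlink
        print(path, "naive:", naive_resolve(root, path),
              "safe:", safe_resolve(root, path))
```

The check compares resolved paths rather than searching the request string for '../', which is why the encoded and symlink cases are refused by the same test.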
There are 2 web servers in the “Send” mode, which are on ports 64321 and 60152.
I have so far been unable to put these web servers to any use. However:
60152 is used to provide the UPnP/DLNA XML files. 64321 is used to send the thumbnails and video files that are copied from the camera using the PlayMemories application.
I have uploaded a pcap dump readable in Wireshark if anyone is interested in pursuing this further.