CVE-2019-13372 PoC — D-Link Central WiFi Manager CWM-100 代码注入漏洞

Source

https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2019/CVE-2019-13372.yaml

Associated Vulnerability

Title:D-Link Central WiFi Manager CWM-100 代码注入漏洞 (CVE-2019-13372)
Description:D-Link Central WiFi Manager CWM-100是中国台湾友讯（D-Link）公司的一款基于Web的无线接入点管理工具。 D-Link Central WiFi Manager CWM-100 1.03R0100_BETA6之前版本中的/web/Lib/Action/IndexAction.class.php文件存在代码注入漏洞。该漏洞源于外部输入数据构造代码段的过程中，网络系统或产品未正确过滤其中的特殊元素。攻击者可利用该漏洞生成非法的代码段，修改网络系统或组件的预期的执行控制流。

Description

/web/Lib/Action/IndexAction.class.php in D-Link Central WiFi Manager CWM(100) before v1.03R0100_BETA6 allows remote attackers to execute arbitrary PHP code via a cookie because a cookie's username field allows eval injection, and an empty password bypasses authentication.

File Snapshot


 id: CVE-2019-13372

info:
  name: D-Link Central WiFi Manager CWM(100) - Remote Code Execution
  aut

...

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).

3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.

Goal Reached Thanks to every supporter — we hit 100%!