After entering the above URL, you will see two links: one is goform/Diagnosis and the other is goform/Configuration. Click on goform/Configuration and you will see two links: one is goform/Diagnosis and the other is v10. Click on v10 and you will see a command injection vulnerability. Sniff the traffic and you can see the following snippet:

If you enter /goform/Diagnosis in the browser and press Enter, a command injection vulnerability will occur. The reason this happens is as follows. /goform/Diagnosis has the following code:

The above code compares the request parameter setnum with the value 10. If setnum is 10, it returns the value 10 to the browser; if setnum is anything else, it returns the value of v10. So when a user enters /goform/Diagnosis, it always returns the value 10 to the browser, and this is what causes the command injection vulnerability. If you want to learn more about command injection, please visit the following website: https://www.raconte.net/command-injection/
In D-Link DIR-816 A2_v1.10CNB04.img, a SQL injection occurs in /admin/index. When the user inputs an SQL query and it is accepted, the attacker gains access to the database and has full control.

Steps to reproduce:

1. Go to the following URL: http://192.168.0.100/admin/index
2. Input an SQL query in the textbox.
3. The textbox input will be accepted and a popup will show up with the SQL query.
This vulnerability affects all versions of D-Link DIR-816 A2_v1.10CNB04.img, so it is important to update your firmware as soon as possible.

CVE-2021-37131

The following two vulnerabilities are a result of being able to sniff the traffic and identify the parameters that were passed on. If you want to learn more about SQL injection, please visit the following website: https://www.raconte.net/sql-injection/

SQL Injection

SQL injection is malicious code inserted into an SQL statement, which causes the query to produce unexpected and undesirable results. This attack can be accomplished by exploiting a security flaw in either the application or its database management system.
In D-Link DIR-816 A2_v1.10CNB04.img, there is a SQL injection vulnerability in /admin/index where the attacker can inject their own SQL queries and gain access to the database (the attacker will have full control).
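The definition above describes the flaw in general terms; the example below shows the mechanism concretely in Python against an in-memory SQLite database. It is an added illustration, not code from the advisory or from the D-Link firmware: the `users` table, its rows, and the two lookup functions are constructed for this example and have no relation to what /admin/index actually runs. It places the vulnerable pattern (user input spliced into the statement text) beside the hardened one (a fixed statement with a bound parameter) so the difference in behaviour on the same input is visible.

```python
import sqlite3

# Constructed sample data for this example; not taken from the advisory.
SAMPLE_USERS = [
    ("admin", "s3cret-hash"),
    ("guest", "guest-hash"),
]


def make_db():
    """Build an in-memory SQLite database with a constructed users table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, pw_hash TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    db.commit()
    return db


def find_user_vulnerable(db, name):
    """Vulnerable pattern: the value is concatenated into the SQL text, so a
    quote character in `name` changes the structure of the statement and the
    database executes whatever the input turned it into."""
    query = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in db.execute(query)]


def find_user_parameterized(db, name):
    """Hardened pattern: the statement text is fixed and the value travels as
    a bound parameter, so the database treats it as data, never as SQL."""
    query = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in db.execute(query, (name,))]


def demo(name):
    """Run the same input through both lookups and return their results."""
    db = make_db()
    return {
        "vulnerable": find_user_vulnerable(db, name),
        "parameterized": find_user_parameterized(db, name),
    }


if __name__ == "__main__":
    # A normal name behaves the same either way; the classic textbook
    # tautology payload shows where the two patterns diverge.
    print(demo("admin"))
    print(demo("' OR '1'='1"))
```

With a normal name both functions return the single matching row. With the tautology input, the concatenated version's WHERE clause becomes `name = '' OR '1'='1'` and every row comes back, while the parameterized version looks for a user literally named `' OR '1'='1` and returns nothing. The fix for a flaw like the one described above is the second pattern: keep the statement text constant and bind every user-supplied value.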

Timeline

Published on: 08/31/2022 23:15:00 UTC
Last modified on: 09/02/2022 21:34:00 UTC

References