https://www.fortinet.com/blog/threat-research/d-link-routers-found-vulnerable-rce
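Summary:
First, access is unauthenticated.
Second, parameters are not properly filtered.
Worth noting is what the post mentions later: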
If we try to input any special character, such as double quote, quote, semicolon, etc., the ping fails.
Unfortunately, if we pass the newline character, for example: 8.8.8.8%0als, we can perform the Command Injection attack.
Commands can only be executed by way of a newline; keep this in mind when testing CGI backends.
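An added example (not from the Fortinet post or the router firmware) showing why a metacharacter denylist lets the quoted newline case through while an allowlist check rejects it. The denylist character set and all function names are assumptions made for illustration.

```c
#include <arpa/inet.h>
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Decode %XX escapes as a CGI layer would; returns the decoded length. */
static size_t url_decode(const char *in, char *out, size_t cap) {
    size_t o = 0;
    while (*in && o + 1 < cap) {
        if (in[0] == '%' && isxdigit((unsigned char)in[1]) &&
            isxdigit((unsigned char)in[2])) {
            char hex[3] = { in[1], in[2], '\0' };
            out[o++] = (char)strtol(hex, NULL, 16);
            in += 3;
        } else {
            out[o++] = *in++;
        }
    }
    out[o] = '\0';
    return o;
}

/* Weak check: rejects an assumed set of shell metacharacters (quotes,
 * semicolon, ...). Newline is a command separator too, but it is not
 * in the set, so a value containing it is accepted. */
int denylist_accepts(const char *raw) {
    char v[128];
    url_decode(raw, v, sizeof v);
    return strpbrk(v, "\"';|&`$") == NULL;
}

/* Hardened check: the ping target must parse as a literal IPv4 or IPv6
 * address and nothing else. A decoded NUL byte is rejected as well.
 * The validated value should then be passed as one argv element to
 * exec*(), not spliced into a shell command string. */
int allowlist_accepts(const char *raw) {
    char v[128];
    unsigned char addr[sizeof(struct in6_addr)];
    if (strlen(raw) >= sizeof v)
        return 0;
    if (url_decode(raw, v, sizeof v) != strlen(v))
        return 0;
    return inet_pton(AF_INET, v, addr) == 1 ||
           inet_pton(AF_INET6, v, addr) == 1;
}
```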