# Exploit Title: TPLINK WR740N Multiple CSRF Vulnerabilities
# Date: 11/24/2013
# Author: SaMaN( @samanL33T )
# Vendor Homepage: http://tplink.com
# Category: Hardware/Wireless Router
# Firmware Version: 3.16.6 Build 130529 Rel.47286n and below
# Tested on: WR740N/WR740ND (May be possible on other models)
---------------------------------------------------

Technical Details
~~~~~~~~~~~~~~~~~
The TPLINK Wireless Router WR740N has a Cross-Site Request Forgery vulnerability in its web console. An attacker can easily change the wireless password, reboot the router, or change settings simply by making the user visit a CSRF link.
The application uses an "HTTP-REFERER" check to detect CSRF attacks, but it can easily be bypassed by using a "Referer" parameter with its value set to the target's IP in the GET request.

Exploit Code
~~~~~~~~~~~~

Change WPA/WPA2 password by CSRF
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#For changing the security to Open WEP, simply change the "secType" value to 1.

Reboot Router by CSRF
~~~~~~~~~~~~~~~~~~~~~

Factory Reset the Router
~~~~~~~~~~~~~~~~~~~~~~~~

--
SaMaN
twitter : @samanL33T
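
The Referer check described under Technical Details, modelled as an added example (not code from the advisory or from the router firmware): it assumes the console accepts a "Referer" value from either the request header or a request parameter, and sets that beside the check a defender would want in its place. The address 192.168.0.1, the path /admin/apply and the X-CSRF-Token header are constructed for illustration.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

ROUTER_HOST = "192.168.0.1"   # constructed LAN address of the admin console
TOKEN = secrets.token_hex(16)  # per-session anti-CSRF token issued at login


def weak_referer_check(headers, url):
    """Assumed model of the flawed check: a 'Referer' value taken from the
    header OR from a request parameter passes if it mentions the router."""
    candidates = [headers.get("Referer", "")]
    candidates += parse_qs(urlsplit(url).query).get("Referer", [])
    return any(ROUTER_HOST in value for value in candidates)


def strict_check(headers, url, session_token, method):
    """Hardened check: state changes require POST, a Referer *header* whose
    host matches exactly, and the session's anti-CSRF token. Request
    parameters are never consulted for origin information."""
    if method != "POST":
        return False
    referer = urlsplit(headers.get("Referer", ""))
    if referer.scheme not in ("http", "https") or referer.hostname != ROUTER_HOST:
        return False
    supplied = headers.get("X-CSRF-Token", "")
    return hmac.compare_digest(supplied.encode(), session_token.encode())


# Constructed sample requests as (headers, url) pairs.
FORGED = ({"Referer": "http://attacker.example/page.html"},
          "http://192.168.0.1/admin/apply?setting=1&Referer=http://192.168.0.1")
LEGIT = ({"Referer": "http://192.168.0.1/admin/index", "X-CSRF-Token": TOKEN},
         "http://192.168.0.1/admin/apply")


def evaluate():
    """Run both checks over the sample requests and return the verdicts."""
    return {
        "weak_accepts_forged": weak_referer_check(*FORGED),
        "strict_accepts_forged": strict_check(*FORGED, TOKEN, "GET"),
        "strict_accepts_legit": strict_check(*LEGIT, TOKEN, "POST"),
    }


if __name__ == "__main__":
    for name, verdict in evaluate().items():
        print(f"{name}: {verdict}")
```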