TP-Link Archer CR-700 Cross Site Scripting

Risk: Low
Local: No
Remote: Yes

# Exploit Title: TP-Link Archer CR-700 XSS vulnerability # Google Dork: N/A # Date: 09/07/2016 # Exploit Author: Ayushman Dutta # Vendor Homepage: # Software Link: N/A # Version: 1.0.6 (REQUIRED) # Tested on: Linux # CVE : N/A #Exploit Information: TP-Link-Archer-CR-700-XSS-Exploit Exploiting TP-Link Archer CR-700 Router. (Responsibly Disclosed to TP-Link) Step 1-> On you linux machine (Kali or Ubuntu) type the following command gedit /etc/dhcp/dhclient.conf Comment out the line below send host-name = gethostname(); Copy it to the line below it and change the gethostname() function to an XSS script like below. send host-name = "<script>alert(5)</script>"; Step 2:Restart your linux system so that the changes takes into effect. Step 3: Send a DHCP request to the router to receive an IP address with the command below.(Try this on any open network routers which is using TP-Link Archer CR-700) dhclient -v -i wlan0 On running the command above, it send a DHCP request to the router. On a DHCP request, the host name is sent to which we have forcibly set it to an XSS script <script>alert(5)</script> Step 4: Login to the administrator console. On logging in the Script executes. One more issue that I saw in the router that was that there was no CSRF token. The cookie set by the router contains a base64 encoded username & password whcih can be stolen using an XSS script. Note:All The above information has been disclosed to TP-Link, who have reporduced the problem and passed it to their R&D team to fix the issue. A URL to the product

Vote for this issue:


Thanks for you vote!


Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019,


Back to Top