I have found this and it was my first step :) I was able to find the IP, so I started to talk with the router. Things are hard nowadays because of the same-origin policy: one can't send XMLHttpRequests directly to the router. There is HTTP Basic Auth, and you can't read the version from the dialog window, can't access headers, etc.
But with TP-Link, one can use iframe or img tags. Things went badly with Chrome, so I only tested Iceweasel. As I said, you can't send GET/POST requests, but you can log in with this: <iframe src="http://admin:email@example.com">.
The funny thing about bypassing the same-origin policy is that you really don't have to bypass it: you can log in with an iframe or, as I did, include the TP-Link router logo in an img tag:
After one day I wrote a PoC against my router. At 0:11 you can see a green iframe box; it is the TP-Link logo and a successful attack:
The great thing about TP-Link is that one can view emulators on their page:
OK, now I can get the local IP, and I can crack the password by "bypassing" the auth dialog with a wordlist attack, but how to fingerprint the router version for possible DNS changing? And I started digging in the emulators ...
I knew that I could include images, but what about scripts? There is one great .js file, localiztion/str_menu.js
It's basically the structure of the left menu, so one can include this <script>, call the predefined variables and determine whether they are defined or not. It's an easy way to determine what menu the user can see and what router he has.
You can see the PoC here; Mozilla Firefox without AdBlock and a TP-Link router are recommended:
The source code is here. It's crap, but I was writing/testing it for only 2-3 days:
And if you don't have a TP-Link router, you can use this demo with my "emulator":
EDIT2: If you are reading a tutorial about "how to configure a wireless router" and you are logged in, use a different browser. The website with the tutorial can call setTimeout and hack you after some time.
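A defender-side check for the iframe, img and script inclusions described in this post, as an added example that is not part of the original post or its PoC: it scans a page's markup for embeds that carry credentials in the URL or that point from a public origin at a private address. The function names and the sample markup with its addresses, paths and credentials are constructed for illustration.

```javascript
// Added example (not the post's PoC): audit a page's markup for embeds that
// carry credentials in the URL or reach from a public origin into a private one.

// True for loopback, RFC 1918 and link-local IPv4 literals, and "localhost".
function isPrivateHost(host) {
  if (host === 'localhost') return true;
  const m = /^(\d{1,3})\.(\d{1,3})\.\d{1,3}\.\d{1,3}$/.exec(host);
  if (!m) return false;
  const a = Number(m[1]);
  const b = Number(m[2]);
  return a === 10 || a === 127 ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168) ||
    (a === 169 && b === 254);
}

// Returns one finding per <iframe>/<img>/<script> whose src looks suspicious.
// A regex scan keeps the example short; it does not handle unquoted attributes.
function auditEmbeds(html, pageUrl) {
  const page = new URL(pageUrl);
  const pageIsPrivate = isPrivateHost(page.hostname);
  const tagRe = /<(iframe|img|script)\b[^>]*?\bsrc\s*=\s*["']([^"']+)["']/gi;
  const findings = [];
  for (const [, tag, src] of html.matchAll(tagRe)) {
    let target;
    try { target = new URL(src, page); } catch { continue; }
    const reasons = [];
    if (target.username || target.password) reasons.push('credentials-in-url');
    if (!pageIsPrivate && isPrivateHost(target.hostname)) reasons.push('public-to-private');
    if (reasons.length) findings.push({ tag: tag.toLowerCase(), host: target.hostname, reasons });
  }
  return findings;
}

// Constructed sample markup; addresses, paths and credentials are placeholders.
const SAMPLE_HTML = `
<img src="/static/logo.png">
<script src="https://cdn.example.com/app.js"></script>
<iframe src="http://user:pass@192.168.1.1/"></iframe>
<img src="http://192.168.0.1/images/logo.jpg">
<script src="http://10.0.0.138/menu.js"></script>`;

for (const f of auditEmbeds(SAMPLE_HTML, 'https://tutorial.example.com/howto')) {
  console.log(`${f.tag} -> ${f.host}: ${f.reasons.join(', ')}`);
}
```

The same markup served from the router's own origin yields only the credentials finding, because a private page embedding private resources is expected.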
EDIT1: Imagine using this with MITMf, storing wordlists in localStorage and using users on a poisoned network to attack public WiFi routers. Adding some sources to read: