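Not finished yet; updated continuously...
Model: Bell G-140W-MD
I. Default information
Super-admin password: CMCCAdmin aDm8H%MdA
II. Scraping
Getting the Telnet status
Fetch the content of http://192.168.1.1/system.cgi?telnet and interpret it as follows:
// Enabled state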
var telnet_config={ FactoryTelnetEnable:0,
TelnetEnable:1
};
// Disabled state
var telnet_config={ FactoryTelnetEnable:0,
TelnetEnable:0
};
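As an added example (not part of the original notes), the status response can be parsed without eval() so that a script can report whether Telnet is enabled on the device. The function names are hypothetical, the sample bodies are the two responses listed above, and treating FactoryTelnetEnable:1 as exposure is an assumption.

```javascript
// Added example: turn the body of system.cgi?telnet into a status report.
// Sample bodies are copied from the two states listed in these notes.
const SAMPLE_ON = `var telnet_config={ FactoryTelnetEnable:0,
TelnetEnable:1
};`;
const SAMPLE_OFF = `var telnet_config={ FactoryTelnetEnable:0,
TelnetEnable:0
};`;

// Hypothetical helper: extract the numeric fields of telnet_config.
function parseTelnetConfig(body) {
  // Isolate the object literal; device output is never passed to eval().
  const m = /var\s+telnet_config\s*=\s*\{([^}]*)\}/.exec(body);
  if (!m) {
    throw new Error("telnet_config not found (session expired or other firmware?)");
  }
  const config = {};
  for (const pair of m[1].split(",")) {
    const kv = /^\s*([A-Za-z_]\w*)\s*:\s*(\d+)\s*$/.exec(pair);
    if (kv) config[kv[1]] = Number(kv[2]);
  }
  for (const key of ["FactoryTelnetEnable", "TelnetEnable"]) {
    if (!(key in config)) throw new Error(`missing field: ${key}`);
  }
  return config;
}

// Hypothetical helper: list which Telnet switches are on.
// Assumption: FactoryTelnetEnable:1 also means a Telnet service is reachable.
function telnetExposure(body) {
  const c = parseTelnetConfig(body);
  const enabled = [];
  if (c.TelnetEnable === 1) enabled.push("TelnetEnable");
  if (c.FactoryTelnetEnable === 1) enabled.push("FactoryTelnetEnable");
  return { exposed: enabled.length > 0, enabled };
}

console.log(telnetExposure(SAMPLE_ON));
console.log(telnetExposure(SAMPLE_OFF));
```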
Turning Telnet on
fetch("http://192.168.1.1/system.cgi?telnet+on", {
  "headers": {
    "accept": "*/*",
    "accept-language": "zh-CN,zh;q=0.9",
    "cache-control": "no-cache",
    "content-type": "application/x-www-form-urlencoded",
    "pragma": "no-cache",
    "x-requested-with": "XMLHttpRequest"
  },
  "body": "data&csrf_token=test",
  "method": "POST",
  "mode": "cors",
  "credentials": "include"
});
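root password
III. Telnet
Commands
# List the accounts
cat /etc/passwd
# Check whether /etc is mounted so that users can be added
mount | grep /etc
# Factory-reset the modem; you must reboot after the reset!!!
cfgcli -r
# Reboot
reboot
Getting the Telnet root account and password
After logging in with the CMCCAdmin account, open http://192.168.1.1/dumpdatamodel.cgi and look up the SuPassword entry in the configuration.
<SuPassword ml="64" rw="RW" t="string" v="oUOQs8+KCTnLCvRUJkeLaA==" ealgo="ab"></SuPassword>
Decrypting the Bell Su password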
import base64

from Crypto.Cipher import AES  # provided by the pycryptodome package


class RouterCrypto:
    def __init__(self):
        # key and IV for AES
        key = '3D A3 73 D7 DC 82 2E 2A 47 0D EC 37 89 6E 80 D7 2C 49 B3 16 29 DD C9 97 35 4B 84 03 91 77 9E A4'
        iv = 'D0 E6 DC CD A7 4A 00 DF 76 0F C0 85 11 CB 05 EA'
        self.cipher = AES.new(bytes(bytearray.fromhex(key)), AES.MODE_CBC, bytes(bytearray.fromhex(iv)))

    def decrypt(self, data):
        output = self.cipher.decrypt(data)
        # The last byte gives the padding length; strip that many bytes
        return output[:-ord(output[-1:])]


# Replace with the base64 string from the v attribute of SuPassword
encrypted = "ciphertext to decrypt goes here"
print(RouterCrypto().decrypt(base64.b64decode(encrypted)).decode('UTF-8'))