1

NeWifi 3.2.1.5900 root

 3 years ago
source link: https://blog.lilydjwg.me/2017/8/5/newifi-3-2-1-5900-root.210296.html
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.

NeWifi 3.2.1.5900 root

本文来自依云's Blog,转载请注明。

新家新路由器。

为了玩 teeworlds,需要 root 权限操作 iptables。我上网找了一堆方案,无果。最后想着,先把自动更新 DNS 的脚本写了吧。

于是研究 API。通讯协议是 JSONRPC 2.0,授权是一个 token。先用从网页取得的 token 调 API,成功~然后我还在想,怎么拿 root shell 呢。结果去看了一下登录后返回的数据:

注意看右下角!「open_dropbear」!

>>> c.api_request('xapi.basic', 'open_dropbear')
[D 08-05 19:28:36.145 connectionpool:243] Resetting dropped connection: localhost
[D 08-05 19:28:36.640 connectionpool:396] http://localhost:8080 "POST http://192.168.99.1/ubus/ HTTP/1.1" 200 None
{'status': 0}
The authenticity of host '192.168.99.1 (192.168.99.1)' can't be established.
RSA key fingerprint is SHA256:............................................
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.99.1' (RSA) to the list of known hosts.
[email protected]'s password:
BusyBox v1.22.1 (2017-03-10 15:06:06 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.
____      _____
|  _ \    |_   _|__  __ _ _ __ ___
| | | |_____| |/ _ \/ _` | '_ ` _ \
| |_| |_____| |  __/ (_| | | | | | |
|____/      |_|\___|\__,_|_| |_| |_|
-----------------------------------------------------
From BARRIER BREAKER (3.2.1.5900, r39558)
-----------------------------------------------------
* By D-Team 2015 present
-----------------------------------------------------
root@newifi:~#

WTF,就这么简单!

顺便附上我写的简单客户端:

from requestsutils import RequestsBase
class NeWifi(RequestsBase):
token = '00000000000000000000000000000000'
def api_request(self, cat, name, args={}):
req = {"jsonrpc":"2.0","id":1,"method":"call","params":[self.token,cat,name,args]}
ans = self.request('/ubus/', json=req).json()
return ans['result'][1]
def login(self, password):
password = base64.b64encode(password.encode('utf-8')).decode('ascii')
ans = self.api_request("session","xapi_login",{"username":"root","password":password})
self.token = ans['ubus_rpc_session']
def get_wan_info(self):
return self.api_request('xapi.net', 'get_wan_info')

requestsutils 在此

发送到 Kindle

Category: Linux | Tags: python root 网络 路由器 | Read Count: 6772

评论 (2)
GlacJAY 说:
4 年前

没看懂……怎么拿到 root 密码的?

依云 说:
4 年前

管理面板密码、Wi-Fi 连接密码和 root 密码是一样的。

[取消回复评论]

昵称 登录 E-mail: *
Web:
Twitter:
当有新评论通过 E-mail 通知我

loading captcha image...
(输入验证码)

or Ctrl+Enter


report

Recommend

About Joyk


Aggregate valuable and interesting links.
Joyk means Joy of geeK