![](/style/images/good.png)
1
![](/style/images/bad.png)
NeWifi 3.2.1.5900 root
source link: https://blog.lilydjwg.me/2017/8/5/newifi-3-2-1-5900-root.210296.html
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
NeWifi 3.2.1.5900 root
本文来自依云's Blog,转载请注明。
新家新路由器。
为了玩 teeworlds,需要 root 权限操作 iptables。我上网找了一堆方案,无果。最后想着,先把自动更新 DNS 的脚本写了吧。
于是研究 API。通讯协议是 JSONRPC 2.0,授权是一个 token。先用从网页取得的 token 调 API,成功~然后我还在想,怎么拿 root shell 呢。结果去看了一下登录后返回的数据:
注意看右下角!「open_dropbear」!
>>> c.api_request(
'xapi.basic'
,
'open_dropbear'
)
[D
08
-
05
19
:
28
:
36.145
connectionpool:
243
] Resetting dropped connection: localhost
[D
08
-
05
19
:
28
:
36.640
connectionpool:
396
] http:
/
/
localhost:
8080
"POST http://192.168.99.1/ubus/ HTTP/1.1"
200
None
{
'status'
:
0
}
>>> ssh [email protected]
The authenticity of host '192.168.99.1 (192.168.99.1)' can't be established.
RSA key fingerprint is SHA256:............................................
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.99.1' (RSA) to the list of known hosts.
[email protected]'s password:
BusyBox v1.22.1 (2017-03-10 15:06:06 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.
____ _____
| _ \ |_ _|__ __ _ _ __ ___
| | | |_____| |/ _ \/ _` | '_ ` _ \
| |_| |_____| | __/ (_| | | | | | |
|____/ |_|\___|\__,_|_| |_| |_|
-----------------------------------------------------
From BARRIER BREAKER (3.2.1.5900, r39558)
-----------------------------------------------------
* By D-Team 2015 present
-----------------------------------------------------
root@newifi:~#
WTF,就这么简单!
顺便附上我写的简单客户端:
from
requestsutils
import
RequestsBase
class
NeWifi(RequestsBase):
token
=
'00000000000000000000000000000000'
def
api_request(
self
, cat, name, args
=
{}):
req
=
{
"jsonrpc"
:
"2.0"
,
"id"
:
1
,
"method"
:
"call"
,
"params"
:[
self
.token,cat,name,args]}
ans
=
self
.request(
'/ubus/'
, json
=
req).json()
return
ans[
'result'
][
1
]
def
login(
self
, password):
password
=
base64.b64encode(password.encode(
'utf-8'
)).decode(
'ascii'
)
ans
=
self
.api_request(
"session"
,
"xapi_login"
,{
"username"
:
"root"
,
"password"
:password})
self
.token
=
ans[
'ubus_rpc_session'
]
def
get_wan_info(
self
):
return
self
.api_request(
'xapi.net'
,
'get_wan_info'
)
Recommend
About Joyk
Aggregate valuable and interesting links.
Joyk means Joy of geeK