Model: Xiaomi Router 4A
```
C:\Users\Zhonghui\Desktop>set https_proxy=127.0.0.1:7890
# Uses this project from GitHub
C:\Users\Zhonghui\Desktop>git clone https://github.com/acecilia/OpenWRTInvasion --depth 1
Cloning into 'OpenWRTInvasion'...
remote: Enumerating objects: 51, done.
remote: Counting objects: 100% (51/51), done.
remote: Compressing objects: 100% (42/42), done.
remote: Total 51 (delta 2), reused 44 (delta 2), pack-reused 0
Receiving objects: 100% (51/51), 60.90 MiB | 2.15 MiB/s, done.
Resolving deltas: 100% (2/2), done.
# Python is required; install Python and set up the environment first
(Daily39) C:\Users\Zhonghui\Desktop\OpenWRTInvasion>pip3 install -r requirements.txt
Requirement already satisfied: requests in c:\python\envs\daily39\lib\site-packages (from -r requirements.txt (line 1)) (2.28.1)
Requirement already satisfied: idna<4,>=2.5 in c:\python\envs\daily39\lib\site-packages (from requests->-r requirements.txt (line 1)) (3.3)
Requirement already satisfied: urllib3<1.27,>=1.21.1 in c:\python\envs\daily39\lib\site-packages (from requests->-r requirements.txt (line 1)) (1.26.12)
Requirement already satisfied: certifi>=2017.4.17 in c:\python\envs\daily39\lib\site-packages (from requests->-r requirements.txt (line 1)) (2022.6.15)
Requirement already satisfied: charset-normalizer<3,>=2 in c:\python\envs\daily39\lib\site-packages (from requests->-r requirements.txt (line 1)) (2.1.1)
```
```
# Notes:
# The crack step needs certain files; the project offers two ways to transfer them to the router:
# - via a TCP file server started locally: tested, failed
# - downloaded from GitHub: this requires that the router can reach GitHub, or that you replace the download URL in the code with a direct link to your own server
# If the stok value is needed, open the router's web page in a browser; the stok value is in the address bar
(Daily39) C:\Users\Zhonghui\Desktop\OpenWRTInvasion>python remote_command_execution_vulnerability.py
Router IP address [press enter for using the default 'miwifi.com']: 192.168.31.1
Enter router admin password: # redacted by hand
There two options to provide the files needed for invasion:
1. Use a local TCP file server runing on random port to provide files in local directory `script_tools`.
2. Download needed files from remote github repository. (choose this option only if github is accessable inside router device.)
Which option do you prefer? (default: 1)2
****************
router_ip_address: 192.168.31.1
stok: # redacted by hand
file provider: remote github repository
****************
start uploading config file...
start exec command...
done! Now you can connect to the router using several options: (user: root, password: root)
* telnet 192.168.31.1
* ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -c 3des-cbc -o UserKnownHostsFile=/dev/null root@192.168.31.1
* ftp: using a program like cyberduck
```
```
# You can now log in to the router over SSH; the default username and password are both root
BusyBox v1.19.4 (2021-09-30 03:16:53 UTC) built-in shell (ash)
Enter 'help' for a list of built-in commands.
-----------------------------------------------------
Welcome to XiaoQiang!
-----------------------------------------------------
# (XiaoQiang ASCII-art banner)
root@XiaoQiang:~# cd /tmp/
root@XiaoQiang:/tmp# wget -O firmware.bin http://mirror.nju.edu.cn/openwrt/releases/21.02.0/targets/ramips/mt7621/openwrt-21.02.0-ramips-mt7621-xiaomi_mi-router-4a-gigabit-squashfs-sysupgrade.bin # download the official image
Connecting to mirror.nju.edu.cn (210.28.130.3:80)
firmware.bin 100% |***********************************************************************| 5632k 0:00:00 ETA
root@XiaoQiang:/tmp# mtd -e OS1 -r write firmware.bin OS1 # flash it
Unlocking OS1 ...
Erasing OS1 ...
Writing from firmware.bin to OS1 ...
Rebooting ...
client_loop: send disconnect: Connection reset
```
To use the Nanjing University mirror, log in to the router and edit /etc/opkg/distfeeds.conf, replacing downloads.openwrt.org with mirror.nju.edu.cn/openwrt. The package manager OpenWrt uses is opkg.
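Two checks worth wrapping around the flash and mirror steps above, as an added example that is not code from the original post or from the OpenWRTInvasion project: verifying the downloaded sysupgrade image against OpenWrt's published sha256sums before it goes to `mtd write`, and doing the distfeeds.conf rewrite with sed instead of by hand. It assumes a BusyBox-style shell with sha256sum, awk and sed; the file paths and the location of the sha256sums file are placeholders.

```shell
#!/bin/sh
# Added example, not code from the original post or from OpenWRTInvasion.
# Assumes a BusyBox/coreutils shell with sha256sum, awk and sed; the file
# names below are placeholders chosen for this example.

# verify_firmware <image> <sha256sums file> <image name as listed in sha256sums>
# Returns 0 only when the image's SHA-256 matches the published entry, so an
# incomplete download or a tampered mirror copy never reaches `mtd write`.
verify_firmware() {
    image="$1"; sums="$2"; name="$3"
    [ -f "$image" ] || { echo "missing image: $image" >&2; return 2; }
    # sha256sums lines look like "<hex digest> *<file name>"; strip the '*'
    expected=$(awk -v n="$name" '{ f = $2; sub(/^\*/, "", f); if (f == n) { print $1; exit } }' "$sums")
    [ -n "$expected" ] || { echo "no entry for $name in $sums" >&2; return 2; }
    actual=$(sha256sum "$image" | awk '{ print $1 }')
    if [ "$actual" = "$expected" ]; then
        echo "sha256 OK: $name"
        return 0
    fi
    echo "sha256 MISMATCH for $name: expected $expected, got $actual" >&2
    return 1
}

# use_mirror_feeds <distfeeds.conf> <mirror host/path>
# Rewrites every opkg feed URL from downloads.openwrt.org to the mirror,
# which is what the post describes doing by hand for mirror.nju.edu.cn/openwrt.
use_mirror_feeds() {
    conf="$1"; mirror="$2"
    [ -f "$conf" ] || { echo "missing feeds file: $conf" >&2; return 2; }
    sed -i "s#downloads\.openwrt\.org#${mirror}#g" "$conf"
}

# Intended use on the router. Fetch sha256sums over https from downloads.openwrt.org
# rather than from the same http mirror as the image, so one tampered host cannot
# forge both the image and its digest:
#   verify_firmware /tmp/firmware.bin /tmp/sha256sums \
#       openwrt-21.02.0-ramips-mt7621-xiaomi_mi-router-4a-gigabit-squashfs-sysupgrade.bin \
#   && mtd -e OS1 -r write /tmp/firmware.bin OS1
#   use_mirror_feeds /etc/opkg/distfeeds.conf mirror.nju.edu.cn/openwrt
```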