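Research notes on an optical modem (ONT)
Unfinished, updated continuously...
Model: Bell G-140W-MD
I. Default information
Super-admin credentials: CMCCAdmin aDm8H%MdA
II. Scraping
Getting the Telnet status
Fetch the content of http://192.168.1.1/system.cgi?telnet and interpret it as follows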
// Telnet enabled
var telnet_config={ FactoryTelnetEnable:0,
TelnetEnable:1
};
// Telnet disabled
var telnet_config={ FactoryTelnetEnable:0,
TelnetEnable:0
};
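The check above as an added example (not part of the original notes): an audit helper that parses a saved system.cgi?telnet response body and reports whether Telnet is on, without eval() since the body is a JavaScript assignment rather than JSON. The function names are hypothetical, and treating any non-zero FactoryTelnetEnable as "enabled" is an assumption; the notes only show that field as 0.

```javascript
// Added example: parse the telnet_config response body and report its state.
// Function names are hypothetical; sample bodies are constructed from the
// two states listed in the notes.

function parseTelnetConfig(body) {
  // Match only the expected assignment; anything else (login page, error
  // page) yields null instead of a guessed state.
  const m = /var\s+telnet_config\s*=\s*\{([^}]*)\}/.exec(body);
  if (!m) return null;
  const cfg = {};
  for (const pair of m[1].split(",")) {
    // Accept only identifier:integer pairs; ignore everything else.
    const kv = /^\s*([A-Za-z_]\w*)\s*:\s*(\d+)\s*$/.exec(pair);
    if (kv) cfg[kv[1]] = Number(kv[2]);
  }
  return cfg;
}

function auditTelnet(body) {
  const cfg = parseTelnetConfig(body);
  if (cfg === null) {
    return { status: "unknown", findings: ["telnet_config not found in response"] };
  }
  const findings = [];
  let enabled = false;
  let missing = false;
  // Assumption: a non-zero FactoryTelnetEnable also means Telnet is reachable.
  for (const key of ["TelnetEnable", "FactoryTelnetEnable"]) {
    if (!(key in cfg)) {
      missing = true;
      findings.push(`${key} missing from response`);
    } else if (cfg[key] !== 0) {
      enabled = true;
      findings.push(`${key}=${cfg[key]}`);
    }
  }
  // "enabled" wins over "unknown": one set flag is enough to raise a finding.
  const status = enabled ? "enabled" : missing ? "unknown" : "disabled";
  return { status, findings };
}

// Constructed sample bodies matching the two states shown in the notes.
const SAMPLE_ON = "var telnet_config={ FactoryTelnetEnable:0,\nTelnetEnable:1\n};";
const SAMPLE_OFF = "var telnet_config={ FactoryTelnetEnable:0,\nTelnetEnable:0\n};";

console.log(auditTelnet(SAMPLE_ON));
console.log(auditTelnet(SAMPLE_OFF));
```

A status of "unknown" should be treated as a failed check, since a login redirect or a firmware change would otherwise look like "Telnet is off".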
Enabling Telnet
fetch("http://192.168.1.1/system.cgi?telnet+on", {
  "headers": {
    "accept": "*/*",
    "accept-language": "zh-CN,zh;q=0.9",
    "cache-control": "no-cache",
    "content-type": "application/x-www-form-urlencoded",
    "pragma": "no-cache",
    "x-requested-with": "XMLHttpRequest"
  },
  "body": "data&csrf_token=test",
  "method": "POST",
  "mode": "cors",
  "credentials": "include"
});
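root password
III. Telnet
Commands
# List the accounts
cat /etc/passwd
# Check permissions for adding users
mount | grep /etc
# Reset the modem configuration. Always reboot after a reset!!!
cfgcli -r
# Reboot
reboot
Getting the Telnet root account and password
After logging in with the CMCCAdmin account, open http://192.168.1.1/dumpdatamodel.cgi and look up the SuPassword entry in the configuration.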
<SuPassword ml="64" rw="RW" t="string" v="oUOQs8+KCTnLCvRUJkeLaA==" ealgo="ab"></SuPassword>
Decrypting the Bell Su password
import base64
from Crypto.Cipher import AES  # provided by the pycryptodome package

class RouterCrypto:
    def __init__(self):
        # key and IV for AES
        key = '3D A3 73 D7 DC 82 2E 2A 47 0D EC 37 89 6E 80 D7 2C 49 B3 16 29 DD C9 97 35 4B 84 03 91 77 9E A4'
        iv = 'D0 E6 DC CD A7 4A 00 DF 76 0F C0 85 11 CB 05 EA'
        self.cipher = AES.new(bytes(bytearray.fromhex(key)), AES.MODE_CBC, bytes(bytearray.fromhex(iv)))

    def decrypt(self, data):
        output = self.cipher.decrypt(data)
        # Strip the padding: the last byte gives the number of padding bytes
        return output[:-ord(output[-1:])]

encrypted = "put the ciphertext to decrypt here"
print(RouterCrypto().decrypt(base64.b64decode(encrypted)).decode('UTF-8'))