AX6000 在 1.0.60 之前的固件版本存在任意命令执行漏洞。登录管理界面后,将下列各步骤中的 STOK 替换为登录后 URL 中的 stok 值(;stok=XXXYYY)。
- 设置Crash
- 设置NVRam
- 重启
重启后可以通过Telnet登录路由器:
# Open a telnet session to the router (192.168.31.1 is the address this page
# uses). Telnet carries the whole session, including anything typed, in
# cleartext, so run it only from a directly attached, trusted host.
telnet 192.168.31.1
更改密码:
# Set a root password first: the flags below turn on remote and serial access.
passwd root
# Store the access flags in NVRAM. Judging by their names they enable SSH,
# telnet, the UART console and the bootloader wait window -- confirm on the
# device.
# NOTE(review): telnet_en=1 keeps a cleartext login service enabled across
# reboots; once SSH login is confirmed working, consider setting it back to 0.
nvram set ssh_en=1
nvram set telnet_en=1
nvram set uart_en=1
nvram set boot_wait=on
# Persist the values set above.
nvram commit
# Erase the MTD partition named "crash" (the page's first step sets it;
# presumably this clears that state -- confirm), then reboot.
mtd erase crash
reboot
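# Write the overlay-mount script to /data and make it executable.
# The here-doc delimiter is quoted so the body is stored literally: the shell
# running tee performs no parameter or command expansion on it, which keeps
# the file correct even if a `$` or backtick is added to the body later.
# NOTE(review): this page goes on to register the file as a firewall include,
# so it is presumably executed as root whenever the firewall (re)loads. Keep
# it root-owned and not writable by any other account.
tee /data/mount-overlay.sh <<'EOF'
#!/bin/sh /etc/rc.common
START=00
. /lib/functions/preinit.sh
[ -e /data/overlay ] || mkdir /data/overlay
[ -e /data/overlay/upper ] || mkdir /data/overlay/upper
[ -e /data/overlay/work ] || mkdir /data/overlay/work
mount --bind /data/overlay /overlay
fopivot /overlay/upper /overlay/work /rom 1
#Fixup miwifi misc, and DO NOT use /overlay/upper/etc instead, /etc/uci-defaults/* may be already removed
/bin/mount -o noatime,move /rom/data /data 2>&-
/bin/mount -o noatime,move /rom/etc /etc 2>&-
/bin/mount -o noatime,move /rom/ini /ini 2>&-
/bin/mount -o noatime,move /rom/userdisk /userdisk 2>&-
EOF
chmod +x /data/mount-overlay.sh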
# Add a firewall section named mount_overlay of type "include" that points at
# /data/mount-overlay.sh as a script and is enabled.
# NOTE(review): whatever sits at that path is presumably run as root each time
# the firewall is (re)loaded -- treat the file as privileged code and check
# its ownership and mode after any change.
uci set firewall.mount_overlay=include
uci set firewall.mount_overlay.type='script'
uci set firewall.mount_overlay.path='/data/mount-overlay.sh'
uci set firewall.mount_overlay.enabled='1'
# No config name is given, so this commits every staged UCI change.
uci commit
# Rewrite every `channel=...` assignment in the dropbear init script to
# channel="debug", then restart dropbear (the SSH server).
# NOTE(review): presumably the stock script only starts dropbear when the
# channel is not the release one -- confirm by reading the script. The edit is
# made in place and no backup copy is kept.
sed -i 's/channel=.*/channel="debug"/g' /etc/init.d/dropbear
/etc/init.d/dropbear restart
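# Fetch the auto_ssh helper into /data/auto_ssh and run its installer.
# Changes from the original listing:
#   - mkdir -p, so a re-run does not fail on an existing directory
#   - the download only happens if cd succeeded, so the file cannot land in
#     whatever directory the session happened to be in
#   - curl -f makes an HTTP error fail instead of saving the error page as
#     auto_ssh.sh, which the next step would otherwise execute
#   - chmod and install run only if the previous step succeeded
# NOTE(review): the URL tracks the mutable `main` branch through a CDN, and
# the script is executed in this root session with no integrity check. To
# review it first, stop the chain after chmod and run the install line by
# hand; prefer a URL pinned to a commit you have read
# (...@<COMMIT_SHA>/auto_ssh.sh -- placeholder, not a value from this page).
mkdir -p /data/auto_ssh
cd /data/auto_ssh &&
  curl -fO https://fastly.jsdelivr.net/gh/lemoeo/AX6S@main/auto_ssh.sh &&
  chmod +x auto_ssh.sh &&
  sh auto_ssh.sh install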
# Set the timezone on the first `system` section. 'CST-8' is a POSIX TZ string
# for a zone named CST that is 8 hours ahead of UTC.
uci set system.@system[0].timezone='CST-8'
# webtimezone and timezoneindex look like vendor web-UI options; '2.84' is
# presumably the UI's index for this zone -- confirm against the firmware.
uci set system.@system[0].webtimezone='CST-8'
uci set system.@system[0].timezoneindex='2.84'
# No config name is given, so this commits every staged UCI change.
uci commit
# Switch the LAN side to relay mode for DHCPv6, router advertisements and NDP,
# with a 720-minute lease time and ra_maxinterval set to 20.
# NOTE(review): relaying RA/NDP presumably hands LAN hosts addresses from the
# upstream IPv6 prefix, making them globally addressable -- check that the
# firewall's inbound IPv6 forwarding rules on wan are what you intend.
uci set dhcp.lan.dhcpv6='relay'
uci set dhcp.lan.ra='relay'
uci set dhcp.lan.ndp='relay'
uci set dhcp.lan.leasetime='720m'
uci set dhcp.lan.ra_maxinterval='20'
# Mark the existing `wan` dhcp section as ignored.
uci set dhcp.wan.ignore='1'
# Create a `wan_6` dhcp section bound to interface wan, also in relay mode,
# and flag it as the master (upstream) side of the relay.
uci set dhcp.wan_6=dhcp
uci set dhcp.wan_6.interface='wan'
uci set dhcp.wan_6.dhcpv6='relay'
uci set dhcp.wan_6.ra='relay'
uci set dhcp.wan_6.ndp='relay'
uci set dhcp.wan_6.master='1'
# Commits the staged changes; no service reload is shown on this page, so the
# new settings presumably apply after a reload or reboot -- confirm.
uci commit
# crontab entry (not a shell command to type): at 09:00 every day, run
# /data/eletribot.sh if it exists and is executable, discarding all output.
# NOTE(review): the script itself is not shown on this page. It runs with the
# privileges of the crontab's owner (presumably root here), so keep the file
# root-owned and not writable by others; with output discarded, failures are
# silent unless the script logs on its own.
0 9 * * * test -x /data/eletribot.sh && /data/eletribot.sh >/dev/null 2>&1
# Replace the opkg feed list (tee overwrites the file) with the OpenWrt
# 18.06.9 aarch64_cortex-a53 "packages" and "base" feeds from the TUNA mirror.
# NOTE(review): both feeds use plain http://, so package integrity rests on
# opkg's signature checking. Confirm that `option check_signature` is present
# in /etc/opkg.conf and that the feed's signing key is installed before
# installing anything. 18.06 is an old release series; its packages no longer
# receive updates.
tee /etc/opkg/distfeeds.conf <<EOF
src/gz openwrt_core http://mirrors.tuna.tsinghua.edu.cn/openwrt/releases/18.06.9/packages/aarch64_cortex-a53/packages
src/gz openwrt_base http://mirrors.tuna.tsinghua.edu.cn/openwrt/releases/18.06.9/packages/aarch64_cortex-a53/base
EOF
# Append the accepted package architectures (name, then priority) to
# /etc/opkg.conf. tee -a appends, so running this twice duplicates the lines.
tee -a /etc/opkg.conf <<EOF
arch all 100
arch aarch64_cortex-a53 200
EOF
# Refresh the package lists from the feeds above, then install pip for Python 3.
opkg update
opkg install python3-pip
# openssl won't work out-of-the-box, so the libopenssl package is downloaded
# and unpacked by hand: the .ipk is extracted as a gzipped tar, then the
# data.tar.gz inside it, and the two shared libraries are copied to /usr/lib.
# NOTE(review): the download is not checked against anything. Before copying,
# compare `sha256sum` of the .ipk with the SHA256sum field for this package in
# the feed's Packages index.
# NOTE(review): libraries copied this way are not tracked by opkg and will not
# be upgraded by it. OpenSSL 1.0.2 is end-of-life upstream, so anything linked
# against these files keeps that version's known issues.
cd /tmp
curl -O https://mirrors.tuna.tsinghua.edu.cn/openwrt/releases/18.06.9/packages/aarch64_cortex-a53/base/libopenssl_1.0.2u-1_aarch64_cortex-a53.ipk
tar zxpvf libopenssl_1.0.2u-1_aarch64_cortex-a53.ipk
tar -xvf data.tar.gz
# The payload unpacks relative to /tmp, so this is /tmp/usr/lib.
cd ./usr/lib/
cp libcrypto.so.1.0.0 libssl.so.1.0.0 /usr/lib/