Redémarrer un routeur ADSL avec un script

**ScottishBloke** · 17/11/2013, 02h01

#! /usr/bin/sh
#
## This script designed to scrape data from the web interface of ADSL modem
## Parse the login page to scrape out the value of 'rn'
## csr 2013_11_16

ECHO='/usr/bin/echo'
GREP='/usr/bin/grep'
AWK='/usr/bin/awk'
CUT='/usr/bin/cut'

SCRIPT_DIR='/home/colin/scripts/TG582n'

#GET_LOGIN_CREDENTIALS="$SCRIPT_DIR/TG582n_login.sh"

LOGIN_FILE="$SCRIPT_DIR/.TG582n_login.lp"
#COOKIE_FILE="$SCRIPT_DIR/.cookies.txt"
#GET_COOKIE_SCRIPT="$SCRIPT_DIR/TG582n_getAuthCookie.sh"

#$ECHO "$LOGIN_FILE"
#$ECHO "$COOKIE_FILE"
#$ECHO "$GET_COOKIE_SCRIPT"

## example html from .TG582n_login.lp
## There are 2 forms which send the parameter 'rn'
# line 36
# <form name="langSelect" action="" method="post">
# <span class="langSelect" id="langSelect"><input type="hidden" name="6" value="en" /> <input type="hidden" name="rn" value="-224413215" /></span>
# </form>
#
# and line 85
# <form method="post" action="login.lp" name="authform" id="authform">
# <input type="hidden" name="rn" value="-1084691840" /> <input type="hidden" name="hidepw" id="hidepw" value="" />

# this returns 2 forms. :-(
#FORM_POST_LINE=$($GREP 'name="rn"' $LOGIN_FILE)
#$ECHO $FORM_POST

## Get the form with name="authform"
FORM_POST_LINE=$($GREP -A 1 'name="authform"' $LOGIN_FILE)
#$ECHO $FORM_POST_LINE

RN_VALUE_LINE=$($ECHO $FORM_POST_LINE | $GREP 'name="rn" value="' )
#$ECHO $RN_VALUE_LINE

RN_VALUE_STRING=$($ECHO $RN_VALUE_LINE | $AWK '{split($0,a,"value=\""); print a[2]}' )
#$ECHO $RN_VALUE_STRING

RN_VALUE=$($ECHO $RN_VALUE_STRING | $CUT -s --delimiter='"' --fields=1)

$ECHO $RN_VALUE

**ScottishBloke** · 17/11/2013, 02h02

#! /usr/bin/sh
#
## This script designed to scrape data from the web interface of ADSL modem
## Parse the login page to scrape out the value of 'nonce'
## csr 2013_11_16

ECHO='/usr/bin/echo'
GREP='/usr/bin/grep'
AWK='/usr/bin/awk'
CUT='/usr/bin/cut'

SCRIPT_DIR='/home/colin/scripts/TG582n'

#GET_LOGIN_CREDENTIALS="$SCRIPT_DIR/TG582n_login.sh"

LOGIN_FILE="$SCRIPT_DIR/.TG582n_login.lp"
#COOKIE_FILE="$SCRIPT_DIR/.cookies.txt"
#GET_COOKIE_SCRIPT="$SCRIPT_DIR/TG582n_getAuthCookie.sh"

#$ECHO "$LOGIN_FILE"
#$ECHO "$COOKIE_FILE"
#$ECHO "$GET_COOKIE_SCRIPT"

## example html from .TG582n_login.lp
# var nonce = "97987:665291:a1ee82eba8600e780559313d87a34482";

VAR_NONCE_LINE=$($GREP 'var nonce =' $LOGIN_FILE)
#$ECHO $VAR_NONCE_LINE

#RN_VALUE_LINE=$($ECHO $FORM_POST_LINE | $GREP 'name="rn" value="' )
#$ECHO $RN_VALUE_LINE

VAR_NONCE_STRING=$($ECHO $VAR_NONCE_LINE | $AWK '{split($0,a,"var nonce = \""); print a[2]}' )
#$ECHO $VAR_NONCE_STRING

NONCE_VALUE=$($ECHO $VAR_NONCE_STRING | $CUT -s --delimiter='"' --fields=1)

$ECHO $NONCE_VALUE

**ScottishBloke** · 17/11/2013, 02h19

Code javascript :

Sélectionner tout - Visualiser dans une fenêtre à part

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
/*
<script type="text/javascript">
//<![CDATA[
*/
function disable_fields(theForm)
{
  var len = theForm.elements.length;
  for (var i = 0; i < len; i++) {
    // Don't disable "hidden" fields
    if(theForm.elements[i].type.toLowerCase()!="hidden")
      theForm.elements[i].disabled = 1;
  }
}
 
function setLanguage(langCode)
{
  document.langSelect.elements[0].value = langCode;
  document.langSelect.submit();
  disable_fields(document.langSelect);
}
 
function noenter(e) {
  var keycode;
 
  if (window.event)
    keycode = window.event.keyCode;
  else if (e)
    keycode = e.which;
  else
    return true;
 
  if (keycode == 13)
    return false;
  else
    return true;
}
 
var hex_chr = "0123456789abcdef";
function rhex(num)
{
  str = "";
  for(j = 0; j <= 3; j++)
    str += hex_chr.charAt((num >> (j * 8 + 4)) & 0x0F) +
           hex_chr.charAt((num >> (j * 8)) & 0x0F);
  return str;
}
 
/*
 * Convert a string to a sequence of 16-word blocks, stored as an array.
 * Append padding bits and the length, as described in the MD5 standard.
 */
function str2blks_MD5(str)
{
  nblk = ((str.length + 8) >> 6) + 1;
  blks = new Array(nblk * 16);
  for(i = 0; i < nblk * 16; i++) blks[i] = 0;
  for(i = 0; i < str.length; i++)
    blks[i >> 2] |= str.charCodeAt(i) << ((i % 4) * 8);
  blks[i >> 2] |= 0x80 << ((i % 4) * 8);
  blks[nblk * 16 - 2] = str.length * 8;
  return blks;
}
 
/*
 * Add integers, wrapping at 2^32. This uses 16-bit operations internally
 * to work around bugs in some JS interpreters.
 */
function add(x, y)
{
  var lsw = (x & 0xFFFF) + (y & 0xFFFF);
  var msw = (x >> 16) + (y >> 16) + (lsw >> 16);
  return (msw << 16) | (lsw & 0xFFFF);
}
 
/*
 * Bitwise rotate a 32-bit number to the left
 */
function rol(num, cnt)
{
  return (num << cnt) | (num >>> (32 - cnt));
}
/*
 * These functions implement the basic operation for each round of the
 * algorithm.
 */
function cmn(q, a, b, x, s, t)
{
  return add(rol(add(add(a, q), add(x, t)), s), b);
}
function ff(a, b, c, d, x, s, t)
{
  return cmn((b & c) | ((~b) & d), a, b, x, s, t);
}
function gg(a, b, c, d, x, s, t)
{
  return cmn((b & d) | (c & (~d)), a, b, x, s, t);
}
function hh(a, b, c, d, x, s, t)
{
  return cmn(b ^ c ^ d, a, b, x, s, t);
}
function ii(a, b, c, d, x, s, t)
{
  return cmn(c ^ (b | (~d)), a, b, x, s, t);
}
 
/*
 * Take a string and return the hex representation of its MD5.
 */
function MD5(str)
{
  x = str2blks_MD5(str);
  var a =  1732584193;  
  var b = -271733879;   
  var c = -1732584194;  
  var d =  271733878;   
 
  for(i = 0; i < x.length; i += 16)
  {
    var olda = a;
    var oldb = b;
    var oldc = c;
    var oldd = d;
 
    a = ff(a, b, c, d, x[i+ 0], 7 , -680876936);
    d = ff(d, a, b, c, x[i+ 1], 12, -389564586);
    c = ff(c, d, a, b, x[i+ 2], 17,  606105819);
    b = ff(b, c, d, a, x[i+ 3], 22, -1044525330);
    a = ff(a, b, c, d, x[i+ 4], 7 , -176418897); 
    d = ff(d, a, b, c, x[i+ 5], 12,  1200080426);
    c = ff(c, d, a, b, x[i+ 6], 17, -1473231341);
    b = ff(b, c, d, a, x[i+ 7], 22, -45705983);  
    a = ff(a, b, c, d, x[i+ 8], 7 ,  1770035416);
    d = ff(d, a, b, c, x[i+ 9], 12, -1958414417);
    c = ff(c, d, a, b, x[i+10], 17, -42063);
    b = ff(b, c, d, a, x[i+11], 22, -1990404162);
    a = ff(a, b, c, d, x[i+12], 7 ,  1804603682);
    d = ff(d, a, b, c, x[i+13], 12, -40341101);  
    c = ff(c, d, a, b, x[i+14], 17, -1502002290);
    b = ff(b, c, d, a, x[i+15], 22,  1236535329);
 
    a = gg(a, b, c, d, x[i+ 1], 5 , -165796510);
    d = gg(d, a, b, c, x[i+ 6], 9 , -1069501632);
    c = gg(c, d, a, b, x[i+11], 14,  643717713); 
    b = gg(b, c, d, a, x[i+ 0], 20, -373897302); 
    a = gg(a, b, c, d, x[i+ 5], 5 , -701558691); 
    d = gg(d, a, b, c, x[i+10], 9 ,  38016083);  
    c = gg(c, d, a, b, x[i+15], 14, -660478335); 
    b = gg(b, c, d, a, x[i+ 4], 20, -405537848); 
    a = gg(a, b, c, d, x[i+ 9], 5 ,  568446438); 
    d = gg(d, a, b, c, x[i+14], 9 , -1019803690);
    c = gg(c, d, a, b, x[i+ 3], 14, -187363961); 
    b = gg(b, c, d, a, x[i+ 8], 20,  1163531501);
    a = gg(a, b, c, d, x[i+13], 5 , -1444681467);
    d = gg(d, a, b, c, x[i+ 2], 9 , -51403784);  
    c = gg(c, d, a, b, x[i+ 7], 14,  1735328473);
    b = gg(b, c, d, a, x[i+12], 20, -1926607734);
 
    a = hh(a, b, c, d, x[i+ 5], 4 , -378558);
    d = hh(d, a, b, c, x[i+ 8], 11, -2022574463);
    c = hh(c, d, a, b, x[i+11], 16,  1839030562);
    b = hh(b, c, d, a, x[i+14], 23, -35309556);  
    a = hh(a, b, c, d, x[i+ 1], 4 , -1530992060);
    d = hh(d, a, b, c, x[i+ 4], 11,  1272893353);
    c = hh(c, d, a, b, x[i+ 7], 16, -155497632); 
    b = hh(b, c, d, a, x[i+10], 23, -1094730640);
    a = hh(a, b, c, d, x[i+13], 4 ,  681279174); 
    d = hh(d, a, b, c, x[i+ 0], 11, -358537222); 
    c = hh(c, d, a, b, x[i+ 3], 16, -722521979); 
    b = hh(b, c, d, a, x[i+ 6], 23,  76029189);  
    a = hh(a, b, c, d, x[i+ 9], 4 , -640364487); 
    d = hh(d, a, b, c, x[i+12], 11, -421815835); 
    c = hh(c, d, a, b, x[i+15], 16,  530742520); 
    b = hh(b, c, d, a, x[i+ 2], 23, -995338651); 
    a = ii(a, b, c, d, x[i+ 0], 6 , -198630844);
    d = ii(d, a, b, c, x[i+ 7], 10,  1126891415);
    c = ii(c, d, a, b, x[i+14], 15, -1416354905);
    b = ii(b, c, d, a, x[i+ 5], 21, -57434055);  
    a = ii(a, b, c, d, x[i+12], 6 ,  1700485571);
    d = ii(d, a, b, c, x[i+ 3], 10, -1894986606);
    c = ii(c, d, a, b, x[i+10], 15, -1051523);   
    b = ii(b, c, d, a, x[i+ 1], 21, -2054922799);
    a = ii(a, b, c, d, x[i+ 8], 6 ,  1873313359);
    d = ii(d, a, b, c, x[i+15], 10, -30611744);  
    c = ii(c, d, a, b, x[i+ 6], 15, -1560198380);
    b = ii(b, c, d, a, x[i+13], 21,  1309151649);
    a = ii(a, b, c, d, x[i+ 4], 6 , -145523070); 
    d = ii(d, a, b, c, x[i+11], 10, -1120210379);
    c = ii(c, d, a, b, x[i+ 2], 15,  718787259); 
    b = ii(b, c, d, a, x[i+ 9], 21, -343485551); 
 
    a = add(a, olda);
    b = add(b, oldb);
    c = add(c, oldc);
    d = add(d, oldd);
  }
  return rhex(a) + rhex(b) + rhex(c) + rhex(d);
}
 
var realm = "Technicolor Gateway";
/*var nonce = "90115:267481:2678b95815d87d3ea5ccac7aed4e349f";*/
var qop = "auth";
var uri = "/login.lp";
 
function submitAuthentication()
{
  var user = document.getElementById("user").value;
  var pwd  = document.getElementById("password").value;
  document.getElementById("password").disabled = true; 
  var HA1 = MD5(user + ":" + realm + ":" + pwd);
  var HA2 = MD5("GET" + ":" + uri);
  document.getElementById("hidepw").value = MD5(HA1 + ":" + nonce +
                          ":" + "00000001" + ":" + "xyz" + ":" + qop + ":" + HA2);
  document.authform.submit();
  disable_fields(document.authform);
}
 
function cancelLogin()
{
  if (window.opener || window.name == "userpage")
    window.close();     // Close pop-up login window
  else
    location.href="/";
}
 
function hidepw(user, pwd, nonce)
{  
  var HA1 = MD5(user + ":" + realm + ":" + pwd);
  var HA2 = MD5("GET" + ":" + uri);
/*  
  console.log(HA1);
  console.log(HA2);
*/  
  var hashValue = MD5(HA1 + ":" + nonce +
                          ":" + "00000001" + ":" + "xyz" + ":" + qop + ":" + HA2);
 
  return hashValue;
}
 
var user = process.argv[2];
var passwd = process.argv[3];
/*
console.log(var1);
console.log(var2);
console.log(hidepw("user", "password"));
*/
var nonce = process.argv[4];
 
console.log(hidepw(user, passwd, nonce));
 
/*
//]]>
</script>
*/

**Sigmoonator** · 22/02/2014, 00h01

Merci ScottishBloke tes scripts m'auront bien aidé, mais ça ne fonctionne pas encore complètement !

La valeur RN est bien récupéré.
La valeur COOKIES est bien récupéré
La valeur NONCE est bien récupéré.
Par contre la génération de la valeur HIDEPW ne fonctionne pas !

Le script TG582n_doLogin.sh génère entre autre la valeur HIDEPW par le biais d'un fichier javascript "pagescript.js". Le fichier "pagescript.js" est le code javascript ce trouvant dans la page login.lp.

bout de code du fichier TG582n_doLogin.sh (Uniquement ce qui nous concerne !)

Code :

Sélectionner tout - Visualiser dans une fenêtre à part

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
ECHO='/usr/bin/echo' 
NODE='/usr/bin/node'
CURL='/usr/bin/curl'
 
SCRIPT_DIR='/home/colin/scripts/TG582n' 
GET_NONCE_SCRIPT="$SCRIPT_DIR/TG582n_getNonce.sh"
MD5_SCRIPT="$SCRIPT_DIR/pagescript.js"
 
USERNAME='xxxx'
PASSWD='xxxx'
 
NONCE_VALUE=$($GET_NONCE_SCRIPT)
$ECHO $NONCE_VALUE
 
HIDEPW=$($NODE $MD5_SCRIPT $USERNAME $PASSWD $NONCE_VALUE)
$ECHO $HIDEPW

Je ne comprends pas cette ligne HIDEPW=$($NODE $MD5_SCRIPT $USERNAME $PASSWD $NONCE_VALUE), mais c'est elle qui génère la variable HIDEPW.
Si dans la phrase j’enlève $NODE, j'ai une erreur des le début du fichier pagescript.js j'en suis venu à me dire que c'est parce que je n'ai pas de shebang pour le javascript dans le fichier. Donc, après quelque recherche j'ai trouvé que le shebang javascript c'est "#!/usr/bin/env node". Lorsque je ré-essaye, je n'ai plus d'erreur, mais ça ne fonctionne pas plus !

Est-ce que quelqu'un aurait une idée ?

Sinon, la partie du script javascript qui génère la variable HIDEPW est la suivante:

Code :

Sélectionner tout - Visualiser dans une fenêtre à part

1
2
3
4
5
6
7
8
9
10
11
12
function submitAuthentication()
{
  var user = document.getElementById("user").value;
  var pwd  = document.getElementById("password").value;
  document.getElementById("password").disabled = true; 
  var HA1 = MD5(user + ":" + realm + ":" + pwd);
  var HA2 = MD5("GET" + ":" + uri);
  document.getElementById("hidepw").value = MD5(HA1 + ":" + nonce +
                          ":" + "00000001" + ":" + "xyz" + ":" + qop + ":" + HA2);
  document.authform.submit();
  disable_fields(document.authform);
}

Est-ce que vous pensez qu'il y aurait une possibilité de transformer ce bout de code en bash ?

Par avance merci de votre aide.

Redémarrer un routeur ADSL avec un script

Matériel

Discussions similaires

Partager

Partager