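1. Cracking the administrator password: first write down the optical modem's LOID, PPPoE username and password, and the VLAN ID of each connection.
Open http://192.168.1.1/hidden_version_switch.html
For version, select Default Version and click submit; the modem reboots by default. After the reboot its IP address becomes 192.168.1.1 and DHCP is off by default, so the computer's IP must also be set within the 192.168.1.0 network.
2. Open http://192.168.1.1/cu.html and log in with CUAdmin / CUAdmin.
Add new connections to restore the previous ones. Take care not to get the VLAN IDs wrong.
3. Open http://192.168.1.1/register.gch and enter the LOID noted earlier to register. If nothing unexpected happens, it should get stuck at the RMS stage.
4. Reopen the management page and check the connections: an address has been obtained, but because the RMS provisioning was not delivered successfully, there is still no internet access. The cause is DNS hijacking: every page is redirected to the LOID registration page. Note: even when dialing in bridge mode the modem can still hijack DNS, so the next step must be carried out.
5. Turn off the automatic LOID page pop-up: http://192.168.1.1/hidden_forcepush_switch.html
Click "Close" (关闭); the modem reboots automatically. If the console reports errors, fill in the missing functions yourself.
At this point the crack is fully complete!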
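A client-side check for the symptom described in step 4, where every page is redirected to the LOID registration page. This is an added example, not part of the original post; the probe hostnames, the canary name and the sample answers are assumptions constructed for illustration, including the assumption that a hijacking resolver answers with the modem's own address.

```python
import ipaddress
import socket

# Assumed probe names; the .invalid TLD is reserved (RFC 6761) and must never resolve.
PROBES = ["example.com", "example.org", "example.net"]
CANARY = "loid-canary.invalid"
LAN_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def resolve(name):
    """IPv4 addresses the system resolver returns for name ([] if it does not resolve)."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

def is_lan(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LAN_NETS)

def hijack_findings(answers, canary=CANARY):
    """answers maps hostname -> list of IPv4 strings; returns the list of findings."""
    findings = []
    if answers.get(canary):
        findings.append("canary-resolved")       # a reserved name got an answer: forged
    real = {n: a for n, a in answers.items() if n != canary and a}
    if len(real) >= 2 and len({tuple(sorted(a)) for a in real.values()}) == 1:
        findings.append("single-answer")         # unrelated names share one address set
    for name, addrs in real.items():
        if any(is_lan(a) for a in addrs):
            findings.append("private-answer:" + name)  # public name -> LAN address
    return findings

# Constructed samples: a client behind the modem in the redirecting state, and a
# clean resolver (203.0.113.0/24 is a documentation range, not real answers).
HIJACKED = {n: ["192.168.1.1"] for n in PROBES + [CANARY]}
CLEAN = {"example.com": ["203.0.113.10"], "example.org": ["203.0.113.20"],
         "example.net": ["203.0.113.30"], CANARY: []}

if __name__ == "__main__":
    print("hijacked sample:", hijack_findings(HIJACKED))
    print("clean sample:   ", hijack_findings(CLEAN))
    live = {n: resolve(n) for n in PROBES + [CANARY]}
    print("live resolver:  ", hijack_findings(live))
```

Run from a PC behind the modem before and after step 5: an empty findings list for the live resolver means names are no longer being answered with a forged address.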
telnet: username root, password Pon521. The HTML pages are under the /home/httpd directory; anyone interested can study them.
/ # ls
GN25L95_datas etc lib proc sys userconfig wlan
bin home linuxrc root tagparam usr
db_excp init mnt run temp var
dev kmodule opt sbin tmp webpages
/ # cd home/httpd/
/home/httpd # ls
ChunkSpy-0.9.8 host_gch.gch prefix_gch.gch
IPv4_wan_query.gch igmp_proxy_gch.gch project.conf
IPv6_internet_wan_query.gch igmp_snoop_gch.gch public
IPv6_wan_query.gch index.lp qos_localapp_gch.gch
SN_register_gch.gch index.lua qos_localapp_new_gch.gch
SN_write_gch.gch ipv6_net_prefix_js.gch qos_localapp_tr069_queue_gch.gch
ThirdPart ipv6_net_prefix_t.gch qos_localapp_voip_netqos_gch.gch
act_inform_gch.gch ipv6_prefix_gch.gch qos_qa_gch.gch
ajaxComLogic.gch lan_status_link_t.gch qos_qa_new_gch.gch
all_mac_gch.gch langcn.conf qos_qp_gch.gch
all_url_gch.gch langen.conf qos_qq_basic_gch.gch
anhui_monitor_config_t.gch lib qos_qq_gch.gch
app_ddns_conf_js.gch log_gch.gch qos_qq_new_gch.gch
app_ddns_conf_t.gch logging qos_qq_stats_gch.gch
app_dev_domain_js.gch logging.lua qos_qqstats_entry_gch.gch
app_dev_domain_t.gch login.gch qos_qr_gch.gch
app_dev_name_js.gch login_admin_jl.gch qos_qt_gch.gch
app_dev_name_t.gch login_t.gch query_dir.gch
app_dms_js.gch luaprofiler-2.0.2 quickSetup_t.gch
app_dms_t.gch mac_table_gch.gch ra_server_gch.gch
app_dmz_conf_js.gch manage_server_gch.gch register.gch
app_dmz_conf_t.gch manage_tr069_gch.gch registerLang.gch
app_ftp_client_js.gch manager_SN_register_js.gch return2factory.gch
app_ftp_client_t.gch manager_SN_register_t.gch rip_gch.gch
app_igmp_conf_js.gch manager_act_inform_js.gch route_static_gch.gch
app_igmp_conf_t.gch manager_act_inform_t.gch route_table_gch.gch
app_igmp_snoop_js.gch manager_aduser_conf_js.gch samba_cfg_gch.gch
app_igmp_snoop_t.gch manager_aduser_conf_t.gch sapi.lua
app_iptv_gch.gch manager_buss_mgr_gch.gch sec_firewall_attack_t.gch
app_iptv_js.gch manager_buss_mgr_js.gch sec_firewall_conf_js.gch
app_iptv_t.gch manager_buss_mgr_t.gch sec_firewall_level_t.gch
app_mld_conf_js.gch manager_dev_conf_js.gch sec_fw_alg_js.gch
app_mld_conf_t.gch manager_dev_conf_t.gch sec_fw_alg_t.gch
app_mld_snoop_js.gch manager_dev_conf_t_user.gch sec_ipfilter_conf_js.gch
app_mld_snoop_t.gch manager_dev_ping_js.gch sec_ipfilter_conf_t.gch
app_rip_js.gch manager_dev_ping_t.gch sec_macfilter_conf_js.gch
app_rip_t.gch manager_dev_query_t.gch sec_macfilter_conf_t.gch
app_route_table_js.gch manager_dev_reback_js.gch sec_portfilter_conf_js.gch
app_route_table_t.gch manager_dev_reback_t.gch sec_portfilter_conf_t.gch
app_samba_cfg_js.gch manager_dev_version_js.gch sec_url_filter_conf_js.gch
app_samba_cfg_t.gch manager_dev_version_t.gch sec_url_filter_t.gch
app_sipline_js.gch manager_dsl_diag_js.gch sec_user_firewall_level_t.gch
app_sipline_t.gch manager_dsl_diag_t.gch sec_user_fw_alg_t.gch
app_upnp_conf_js.gch manager_log_conf_js.gch sec_user_macfilter_conf_t.gch
app_upnp_conf_t.gch manager_log_conf_t.gch sec_user_portfilter_conf_t.gch
app_user_ddns_conf_t.gch manager_mirro_js.gch sec_user_url_filter_t.gch
app_user_dmz_conf_t.gch manager_mirro_t.gch self_diagnose_result.gch
app_user_virtual_conf_t.gch manager_svr_stimulate_js.gch self_diagnose_running.gch
app_virtual_conf_js.gch manager_svr_stimulate_t.gch serial_config_gch.gch
app_virtual_conf_t.gch manager_test_over_js.gch serial_config_js.gch
app_voip_BasicControl_js.gch manager_test_over_t.gch serial_config_t.gch
app_voip_BasicControl_t.gch manager_trace_route_js.gch serverapi
app_voip_Dtimer_gch.gch manager_trace_route_t.gch setlang.gch
app_voip_SLCTime_gch.gch manager_user_act_inform_t.gch sntp_gch.gch
app_voip_VoiceProfile_gch.gch manager_user_conf_js.gch socket
app_voip_cid_gch.gch manager_user_conf_t.gch status_dev_info_t.gch
app_voip_cid_js.gch manager_user_dev_conf_t.gch status_dev_info_t_fj.gch
app_voip_cid_t.gch manager_user_dev_ping_t.gch status_dslite_if_t.gch
app_voip_h248_servs_js.gch manager_user_trace_route_t.gch status_dsliteeth_if_t.gch
app_voip_h248_servs_t.gch manager_version_query_t.gch status_ethlan_dhcp_info_t.gch
app_voip_h248auth_js.gch manager_voip_switch_js.gch status_ethwan_if_t.gch
app_voip_h248auth_t.gch manager_voip_switch_t.gch status_interactive_t.gch
app_voip_h248basic_js.gch menu.gch status_itms_info_t.gch
app_voip_h248basic_t.gch menu_BJ.gch status_lan_info_t_user.gch
app_voip_h248endpoint_js.gch menu_admin_jl.gch status_plugin_t.gch
app_voip_h248endpoint_t.gch mirror_gch.gch status_ponlan_info_t.gch
app_voip_service_js.gch mld_proxy_gch.gch status_registerinfo_t.gch
app_voip_service_t.gch mld_snoop_gch.gch status_service_info_t.gch
app_voip_sipadv_js.gch mode_middleware.gch status_smart_info_t.gch
app_voip_sipadv_t.gch net_11n_conf_js.gch status_usb_info_t.gch
app_voip_sipdigitmap_js.gch net_11n_conf_t.gch status_user_registerinfo_t.gch
app_voip_sipdigitmap_t.gch net_arpdetect_js.gch status_user_voip_4less_t.gch
app_voip_sipmed_js.gch net_arpdetect_t.gch status_voip_4less_t.gch
app_voip_sipmed_t.gch net_dhcp_bindonport_js.gch status_voip_phoneNumber_t.gch
app_voip_sippro_js.gch net_dhcp_bindonport_t.gch status_wanstatu_ipv6wansta_t.gch
app_voip_sippro_t.gch net_dhcp_dynamic_FJ_js.gch status_wlaninfo_t.gch
app_voip_sipqos_js.gch net_dhcp_dynamic_js.gch system_busy_t.gch
app_voip_sipqos_t.gch net_dhcp_dynamic_t.gch tele_register_note.gch
app_voip_sipslc_gch.gch net_dhcp_specialdevice_js.gch tele_register_note_fj.gch
app_voip_sipslc_js.gch net_dhcp_specialdevice_t.gch tele_sec_tserver_js.gch
app_voip_sipslc_t.gch net_dhcp_static_js.gch tele_sec_tserver_t.gch
app_voip_vpCallTimer_gch.gch net_dhcp_static_t.gch tele_wait.gch
arp_table_gch.gch net_dhcpcleanlink_gch.gch tele_wanregister.gch
arpdetect_gch.gch net_dhcpcleanlink_js.gch tele_wanregister_AH.gch
atm_oam_gch.gch net_dhcpcleanlink_t.gch tele_wanregister_HB.gch
auth net_dslite_conf_js.gch tele_wanregister_admin_jl.gch
auth_check_gch.gch net_dslite_conf_t.gch tele_wanregister_cq.gch
auth_gch.gch net_dsliteeth_conf_t.gch tele_wanregister_fj.gch
bridge2route_gch.gch net_ethwan_conf_js.gch tele_wanregister_gd.gch
bridge_route.gch net_ethwan_conf_t.gch tele_wanregister_hn2.gch
cgilua net_gateway_js.gch tele_wanregister_lc.gch
cgilua.lua net_gateway_t.gch tele_wanregister_ln.gch
checkSessionToken.gch net_mtu_mtucg_gch.gch tele_wanregister_reset_nopassword.gch
checkSessionToken_log.gch net_mtu_mtucg_js.gch tele_wanregister_reset_password.gch
checktoupper.conf net_mtu_mtucg_t.gch tele_wanregister_sc.gch
cmc_wlanWapiCert_dev_query_t.gch net_prefix_js.gch tele_wanregister_self_diagnose.gch
cmc_wlan_wapicert.gch net_prefix_t.gch tele_wanregister_simcard.gch
common_gch.gch net_qos_congestion_js.gch tele_wanregister_success.gch
common_gch_zxy.gch net_qos_congestion_statisticsYN_t.gch tele_wanregister_switch.gch
common_page net_qos_congestion_statistics_js.gch template.gch
config net_qos_congestion_statistics_t.gch template.lp
dbg net_qos_congestion_t.gch template.lua
dbg.lua net_qos_qostemplate_js.gch template_jl.gch
ddns_client_gch.gch net_qos_qostemplate_t.gch template_multiMedia.lp
ddns_gch.gch net_qos_speed_js.gch template_select.lp
ddns_hostname_gch.gch net_qos_speed_t.gch test_over_gch.gch
ddns_service_gch.gch net_route_static_js.gch top.gch
debug net_route_static_t.gch top_jl.gch
debug_file_js.gch net_sntp_conf_js.gch tr069_business_t.gch
debug_file_t.gch net_sntp_conf_t.gch tr069_registering.gch
dev_ping_gch.gch net_tr069_basic_js.gch tr069_registering_t.gch
dev_restart_t.gch net_tr069_basic_t.gch tr069_servering.gch
devname_gch.gch net_tr069_cafile_js.gch tr069_updating.gch
dhcp_basic_gch.gch net_tr069_cafile_t.gch tr069_updatingfinish.gch
dhcp_bind_gch.gch net_user_dhcp_dynamic_t.gch trace_route_gch.gch
dhcp_bindonport_gch.gch net_user_dhcp_static_t.gch tserver_cfg_gch.gch
dhcp_host_gch.gch net_user_gateway_t.gch tunnel_gch.gch
dhcp_hostinfo_gch.gch net_user_sntp_conf_t.gch upgrade.gch
dhcp_specialdevice_gch.gch net_user_wan_conf_js.gch upgrade_select.gch
diag_netDiag_arpTable_js.gch net_user_wan_conf_t.gch upnp_config_gch.gch
diag_netDiag_arpTable_t.gch net_v6_dhcp_dynamic_js.gch url_write_sn.gch
diag_netDiag_macTable_js.gch net_v6_dhcp_dynamic_t.gch urlsafe.lua
diag_netDiag_macTable_t.gch net_v6_ra_server_js.gch usbbackup_js.gch
diagnose_voice_gch.gch net_v6_ra_server_t.gch usbbackup_t.gch
diagnose_voice_js.gch net_v6_user_dhcp_dynamic_t.gch usbbakrst_gch.gch
diagnose_voice_t.gch net_vlan_port_binding_js.gch usbrestore_js.gch
dmenu.conf net_vlan_port_binding_t.gch usbrestore_t.gch
dmenu_cucc_bj.conf net_wlan_adv_conf_t.gch user_gateway_gch.gch
dmenu_cucc_jl.conf net_wlan_conf_js_user.gch user_info_gch.gch
dmenu_cucc_ln.conf net_wlan_conf_t_user.gch user_register_gch.gch
dmenu_func.gch net_wlan_essid_js.gch v6_br0_dhcp_gch.gch
dmenuapi.lua net_wlan_essid_t.gch v6_dhcpc_gch.gch
dms_cfg_gch.gch net_wlan_secrity_FJ_js.gch v6_dhcpdns_gch.gch
dns_dhcphost_gch.gch net_wlan_secrity_js.gch v6_dhcps_gch.gch
dns_gch.gch net_wlan_secrity_t.gch v_rtpadv_gch.gch
dns_host_gch.gch networkstat_error.gch version_switch.gch
dslite_gch.gch pagefunc_js.gch vlan_if_query.gch
e8_net_qos_basic_js.gch pageinfo_func.gch vlan_port_binding_gch.gch
e8_net_qos_basic_new_js.gch physicstat_error.gch voip_adv.gch
e8_net_qos_basic_new_t.gch pldt_fm_ftpservercfg_gch_p0.gch voip_digitalmap.gch
e8_net_qos_basic_t.gch pon_app_ftp_gch.gch voip_faxmodemrptctrl_gch.gch
e8_net_qos_configuration_js.gch pon_app_ftp_js.gch voip_faxt38_gch.gch
e8_net_qos_configuration_t.gch pon_app_ftp_t.gch voip_fix_gch.gch
e8_net_qos_localapp_js.gch pon_app_voip_cid_gch.gch voip_h248_servs.gch
e8_net_qos_localapp_new_js.gch pon_cltlmt_gch.gch voip_h248endpoint_gch.gch
e8_net_qos_localapp_t.gch pon_ethwancpppuser_gch.gch voip_h248main_gch.gch
e8_net_qos_type_js.gch pon_ftpclient_gch.gch voip_h248main_qos_gch.gch
e8_net_qos_type_t.gch pon_loid_conf_gch.gch voip_h248qos_gch.gch
e8_qos_basic_new_gch.gch pon_loid_conf_lc_gch.gch voip_h248qos_js.gch
e8_qos_qb_gch.gch pon_manager_hltmode_conf_js.gch voip_h248qos_t.gch
e8_qos_qb_new_gch.gch pon_manager_hltmode_conf_t.gch voip_h248sub_gch.gch
e8_simcard_loid_t.gch pon_manager_led_control_gch.gch voip_linevmedai_gch.gch
e8_status_wlan_info_t.gch pon_manager_led_control_js.gch voip_protocal_gch.gch
epon_status_lan_info_t.gch pon_manager_led_control_t.gch voip_rtp_gch.gch
epon_status_link_info_t.gch pon_monitor_config_js.gch voip_rtp_qos_gch.gch
epon_status_link_info_t_user.gch pon_monitor_config_t.gch voip_rtpred_gch.gch
equip_gch.gch pon_monitorconfig_gch.gch voip_service.gch
erroutput.lua pon_net_LCloid_conf_js.gch voip_sip_gch.gch
ethwancbridge_gch.gch pon_net_backloop_conf_gch.gch voip_sip_qos_gch.gch
ethwancip_gch.gch pon_net_backloop_conf_js.gch voip_sip_server_gch.gch
ethwancppp_gch.gch pon_net_backloop_conf_t.gch voip_sippro.gch
ethwanctype_gch.gch pon_net_cltlmt_js.gch voip_sipqos_gch.gch
fm_ftpservercfg_gch.gch pon_net_cltlmt_t.gch voip_switch_gch.gch
fm_ftpuser_gch.gch pon_net_loid_conf_js.gch voip_voiceproc_gch.gch
frGo2SystemBusy.gch pon_net_loid_conf_t.gch voip_vpPhyInterface_gch.gch
frRequestTimeout.gch pon_net_ponloid_js.gch voip_vpcallfeature_gch.gch
frame.gch pon_net_ponloid_t.gch voip_vpcodec_gch.gch
ftpclient_gch.gch pon_net_user_ponloid_t.gch voip_vpdtmf_gch.gch
function_module pon_net_wanuser_conf_js.gch wan_dsl_query.gch
fw_alg_gch.gch pon_net_wanuser_conf_t.gch wan_eth_query.gch
fw_base_conf_gch.gch pon_net_wlan_conf_js.gch wan_func.gch
fw_base_gch.gch pon_net_wlan_conf_t.gch wan_lan_query.gch
fw_dmz_gch.gch pon_net_wlan_guest_js.gch wan_query.gch
fw_ip_gch.gch pon_net_wlan_guest_t.gch wan_tty_query.gch
fw_level_gch.gch pon_net_wlan_wps_js.gch web_config_file
fw_mac_base_gch.gch pon_net_wlan_wps_t.gch wlanWapiCert_js.gch
fw_mac_gch.gch pon_simcard_newcardreboot.gch wlanWapiCert_t.gch
fw_pm_gch.gch pon_simcard_notonline.gch wlan_cmc_config.gch
fw_url_gch.gch pon_simcard_writefail.gch wlan_config.gch
global.gch pon_statistics_lan_info_t.gch wlan_config_gch.gch
global.lua pon_statistics_wan_info_t.gch wlan_config_pri.gch
gotoshop.gch pon_statistics_wlan_info_t.gch wlan_driver_gch.gch
gotoshop_getURL.gch pon_status_alarm_info_t.gch wlan_essid.gch
gpon_status_lan_info_t.gch pon_status_gemport_info_t.gch wlan_essid_adv.gch
gpon_status_link_info_t.gch pon_status_stat_info_t.gch wlan_essid_getSSIDbyIndex_gch.gch
gpon_status_link_info_t_user.gch pon_user_statistics_lan_info_t.gch wlan_psk_gch.gch
gpon_status_link_t.gch pon_user_statistics_wlan_info_t.gch wlan_security.gch
help_t.gch pon_voip_cid_sip_gch.gch wlan_wapi_gch.gch
hidden_enableall_input.gch pon_voip_renew_gch.gch wlan_wepkey_gch.gch
hidden_factory_switch.gch pon_voip_renew_js.gch write_sninterface_js.gch
hidden_forcepush_switch.gch pon_voip_renew_t.gch write_sninterface_t.gch
hidden_version_switch.gch pon_voip_siprenew_js.gch
hltmode_gch.gch pon_voip_siprenew_t.gch
/home/httpd # cat hidden_forcepush_switch.gch
<script language="javascript">
function pageSetValue(flag)
{
getObj("ForcePushFlg").value = flag;
}
function pageSubmit(flag)
{
pageSetValue(flag);
setValue("IF_ACTION","apply");
getObj("fSubmit").submit();
}
function pageLoad(url)
{
getObj("fSubmit").action = url;
var errstr= getValue("IF_ERRORSTR");
var errpara = getValue("IF_ERRORPARAM");
}
</script>
<%
IMPORT FILE "common_gch.gch";
var FP_ERRORSTR = "SUCC";
var FP_PARANUM = 1;
var FP_HANDLE;
var FP_INSTNUM = 1;
var FP_IDENTITY = "IGD";
var FP_OBJNAME = "OBJ_ForcePushFlag_ID";
var PARA[1] =
{
"ForcePushFlg"
};
create_form_start("fSubmit", "");
createBasicHidden();
var FP_ACTION = request("IF_ACTION");
if(FP_ACTION == "apply")
{
log_gch("++++++++++apply+++++++++++++");
FP_HANDLE = create_paralist();
setpara(FP_HANDLE, PARA[0]);
set_inst(FP_HANDLE, "OBJ_ForcePushFlag_ID", "IGD");
}
FP_HANDLE = create_paralist();
get_inst(FP_HANDLE, FP_OBJNAME, FP_IDENTITY);
create_hidden_para(FP_HANDLE, PARA, FP_PARANUM);
var forechpush = get_para(FP_HANDLE, "ForcePushFlg");
destroy_paralist(FP_HANDLE);
getDisplayInstError(FP_ERRORSTR);
create_form_end();
%>
<style>
body{text-align:center; margin:0 auto;}
a{ color:blue;}
</style>
<p>当前状态:<a><%if ("1" == forechpush){%>打开<%}else{%>关闭<%}%></a></p>
<p>注册页面推送
<input type="button" name="tForcePushFlg" value="打开" onclick="pageSubmit(1);"/>
<input type="button" name="tForcePushFlg" value="关闭" onclick="pageSubmit(0);"/>
</p>
<p>*操作后系统会重启</p>