這裡有編譯好的win32程序http://t.cn/zQAJ6do
研究了下HUST WIRELESS的網頁登錄;抓了幾個包看了下,後台是銳捷的SAM無誤,界面的js竟然用的是中國移動的-。-
工作方式很詭異:
- 訪問任意網址時AP返回一個頁面,用js跳轉到index.jsp;通過GET方式提交了一堆參數,大概是SHA1過的,大概還是加了鹽的,反正沒試出來;嘛,╮(╯-╰)╭
1234567891011121314151617181920<script>self.location.href='http://172.18.18.35/eportal/index.jsp?wlanuserip=c46ad9a5e36dc394ffdd85f37470f595&wlanacname=18260f9e92a595cf3d778ed7f6ead8a8&ssid=37ac66ecf843a939bdf3991faaee1a4c&nasip=8df3b80e79b397a516656c1e9cf9cb08&mac=e8349ecfc6e6b9de758d2ff9054f6449&t=wireless-v2&url=93b5fca3367a258ead66aae840fda10f'</script><HTML xmlns="http://www.w3.org/1999/xhtml"><HEAD><!--<?xml version="1.0" encoding="UTF-8"?><WISPAccessGatewayParam xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://www.acmewisp.com/WISPAccessGatewayParam.xsd"><Proxy><MessageType>110</MessageType><NextURL>http://172.18.18.35/eportal/index.jsp?wlanuserip=c46ad9a5e36dc394ffdd85f37470f595&wlanacname=18260f9e92a595cf3d778ed7f6ead8a8&ssid=37ac66ecf843a939bdf3991faaee1a4c&nasip=8df3b80e79b397a516656c1e9cf9cb08&mac=e8349ecfc6e6b9de758d2ff9054f6449&t=wireless-v2&url=93b5fca3367a258ead66aae840fda10f</NextURL><ResponseCode>200</ResponseCode></Proxy></WISPAccessGatewayParam>--></HEAD><BODY><input type="hidden" name="wlanacname" value="Ruijie_Ac_001aa9"><input type="hidden" name="wlanuserip" value="10.10.50.167"><input type="hidden" name="portalurl" value="http://172.18.18.35/eportal/index.jsp"></BODY></HTML>
這個index.jsp再重定向到./eportal/userV2.do?method=login,並且將GET方式傳遞給index.jsp的參數都以隱藏表單元素的方式藏在了返回的網頁里:
12345678<form name="userV2Form" method="post" action="/eportal/userV2.do?method=login" onsubmit="return checkForm();" id="loginForm"><input type="hidden" name="wlanuserip" value="1a6ff81049ec892dd2d9e3a55609efe2" id="wlanuserip"><input type="hidden" name="wlanacname" value="18260f9e92a595cf3d778ed7f6ead8a8" id="wlanacname"><input type="hidden" name="nasip" value="8df3b80e79b397a516656c1e9cf9cb08" id="nasip"><input type="hidden" name="url" value="http://www.baidu.com/" id="url"><input type="hidden" name="ssid" value="37ac66ecf843a939bdf3991faaee1a4c" id="ssid"><input type="hidden" name="mac" value="e8349ecfc6e6b9de758d2ff9054f6449" id="mac"><input type="hidden" name="t" value="wireless-v2" id="t">
- submit時將隱藏表單元素和用戶輸入的用戶名密碼都POST到/eportal/userV2.do?method=login,都特么是明文的0.0,你特么把ip啊mac啊都加密了,用戶名密碼都特么是明文的搞毛啊(* ̄▽ ̄*)
- 若登陸成功則返回一個成功結果頁,包含一個重定向(貌似用的也是中國移動的),告訴你上線成功
下線是GET方式,提交到./eportal/userV2.do?method=logout,網頁提交的只有三個參數(nasip, mac, ),反正我是把上一步隱藏的input里的所有的參數都提交了,好像沒出問題- -正常下線了。
finally,python腳本,方便命令行操作,可以加-s保存密碼,-c清除保存的密碼
窩的python依然寫得非常丑,請笑納www;之所以用httplib2而不是urllib2是因為那個用得不順手而且不能gzip → →這裡用urllib2的版本http://t.cn/zQAJ6do
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 |
#!/usr/bin/python # -*- coding:utf-8 -*- # HUST-WIRELESS autologin script # Contributor: # fffonion <fffonion#gmail.com> import re import os import sys import base64 import getpass try: import httplib2 except: raw_input('Error: httplib2 not found.\nTry \'pip install httplib2\' to install, or copy httplib2.pyc to your PYTHON_PATH folder.') os._exit(1) __version__=1.3 uid,pswd,save_pswd='','',False session_file='.HUST-WIRELESS.session' id_file='.HUST-WIRELESS.id' testurl='http://www.baidu.com/' login_uri='/eportal/userV2.do?method=login' logout_uri='/eportal/userV2.do?method=logout' header={'Content-Type':'application/x-www-form-urlencoded'} #handle sys.argv if os.path.exists(id_file): uid,pswd=base64.decodestring(open(id_file).read()).split(',') if pswd!='': save_pswd=True if len(sys.argv)>1: if sys.argv[1]=='help' or sys.argv[1]=='-h' or sys.argv[1]=='--help': #help message print('HUST-WIRELESS login utilty writing in python using httplib2\nUsage:\tloginHUST-WIRELESS.py [-sc]\n\tloginHUST-WIRELESS.py username [-sc]\n\tloginHUST-WIRELESS.py username pswd [-sc]\nArgs:\t-s\tSave password (username is automatically saved)\n\t-c\tClean saved username and password\nNotes:\tSaved pswd is only softly protected, be cautious!\n\tCLI input overrides saved account.') os._exit(0) if len(sys.argv)>2 and not sys.argv[2].startswith('-'): pswd= sys.argv[2] if not sys.argv[1].startswith('-'):#judge if is extra args if uid!=sys.argv[1]:#new username? pswd=''#clean saved uid=sys.argv[1] if sys.argv[-1].startswith('-'): if 's' in sys.argv[-1]:#save save_pswd=True if 'c' in sys.argv[-1]:#clean if os.path.exists(id_file): os.remove(id_file) print('Account info deleted.') else: print('No account info to delete.') #test some url ht=httplib2.Http() resp,ct=ht.request(testurl) #open('z:\\123.htm','a').write(ct) # url being wanted is encrypted here, need more research url=re.findall('self.location.href=\'([^\']+)\'',ct) if url==[]: #logout process #read session file if not os.path.exists(session_file): print('You\'ve connected to Internet, but it seems you are not using HUST-WIRELESS ?') else: host_url,args=open(session_file,'r').read().split(',') #logout resp,ct=ht.request('%s%s&%s'%(host_url,logout_uri,args),method='GET') if re.findall('window\.location\.replace\("\.\/userV2\.do\?method=goToLogout"\);',ct)!=[]: print('Logout succeed!') #session no longer avaliable if os.path.exists(session_file): os.remove(session_file) else: #login process url=url[0] #split ip and path post_url,query_args=url.split('?') host_url=post_url.replace('/eportal/index.jsp','')#ip address #prompt for input uid=uid or raw_input('username >') pswd=pswd or getpass.getpass('password for %s >'%uid) #save pswd and id open(id_file,'w').write(base64.encodestring(','.join([uid,save_pswd and pswd or '']))) #POST args without url, we don't need that formdata='username=%s&pwd=%s&validcode=no_check&phone=&authorizationCode=®ist_validcode=&phonenum=®ist_validcode_sm='%(uid,pswd) #do the POST resp,ct=ht.request('%s%s&aram=true&fromHtml=true&userAgentForLogin=0&%s'%(host_url,login_uri,query_args),method='POST',headers=header,body=formdata) #test if successful cryptarg=re.findall('window.location.replace\("\.\/userV2\.do\?method=goToAuthResult&(\mac\=.+\&wlanuserip\=.+&nasip=.+)\&t',ct) if cryptarg!=[]: print('Login succeed!') #write session args to file for logout open(session_file,'w').write(','.join([host_url,cryptarg[0]])) else: errmsg=re.findall('errorMessage.innerHTML = \'<strong>(.+)</strong>',ct)[0] print('Login failed: %s'%errmsg) if len(sys.argv)==1: raw_input('Press Enter to exit...') |
看不懂。
下載那個exe雙擊就可以了