Open OJ7 opened 4 years ago
Okay this seems relatively straightforward. The only two keys to the puzzle are the cookie string and the signed HTTPS request.
There are two things you can try out right now.
import requests
url = 'http://10.0.0.100/cgi-bin/luci/;stok=/login?form=auth'
data = {'operation': 'read'}
cookies = {
'sysauth': 'ab80bb5727e1aa2850b259863c6218bb'
}
headers = {
'Referer': 'http://10.0.0.100/webpages/index.html',
'Origin': 'http://10.0.0.100',
'Content-Type': 'application/json'
}
r = requests.post(url, data=data, cookies=cookies, headers=headers)
print(r.text)
print(r.status_code)
print(r.cookies)
print(r.headers)
sysauth
cookie Just got a chance to try this out now. FYI I re-ran the network inspector to get new cookies before trying this and used those instead.
Using the first one, I get the following:
Failed to execute call dispatcher target for entry '/login'.
The called action terminated with an exception:
?:0: attempt to index a nil value
stack traceback:
[C]: in function 'assert'
?: in function 'dispatch'
?: in function <?:218>
500
<RequestsCookieJar[]>
{'Connection': 'close', 'Transfer-Encoding': 'chunked', 'Content-Type': 'text/plain', 'Cache-Control': 'no-cache', 'Expires': '0'}
If I change the url
to http://10.0.0.100/webpages/index.html
<!DOCTYPE html><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="apple-touch-fullscreen" content="yes"><meta name="apple-mobile-web-app-capable" content="yes"><meta name="apple-mobile-web-app-status-bar-style" content="black"><meta name="format-detection" content="telephone=no"><link rel="shortcut icon" href="favicon.ico"><link href="themes/default/css/perfect-scrollbar.css" rel="stylesheet"><link href="themes/default/css/total.css" rel="stylesheet"><!--[if lt IE 9]>
<link type="text/css" href="themes/default/css/total.ie8.css" rel="stylesheet" />
<![endif]--><title id="title">Opening...</title><noscript><meta http-equiv="refresh" content="0; url=error.html"/></noscript></head><body><div id="main-container"></div><script src="js/libs/jquery.min.js"></script><script src="js/libs/jquery.backgroundSize.js"></script><script src="js/libs/base64.js"></script><script src="js/libs/encrypt.js"></script><script src="js/libs/cryptoJS.min.js"></script><script src="js/libs/tpEncrypt.js"></script><!--[if lt IE 9]><script src="js/libs/respond.min.js"></script><![endif]--><script src="js/app/url.js"></script><script src="js/su/char.js"></script><script src="js/su/language.js"></script><script>try{$.su.language=new $.su.Language}catch(a){location.href="./error.html"}</script><script src="js/su/frame.js"></script><script>$(document).ready(function(n){App=new $.su.App,App.setContainer("main-container"),App.init().done(function(){App.launch()})})</script></body></html>
200
<RequestsCookieJar[]>
{'Connection': 'close', 'ETag': '"eb-698-5f64aada"', 'Last-Modified': 'Fri, 18 Sep 2020 12:40:58 GMT', 'Date': 'Tue, 19 Jan 2021 13:37:24 GMT', 'Content-Type': 'text/html', 'Content-Length': '1688'}
The second script, when ran as-is, got stuck on Retrieving PublicKey...
.
I wasn't sure how to configure it but when attempting to put in my password at the end of the file, I got:
[VR600] Loading wireless clients...
Retrieving PublicKey...
Pub key fetch failed
Failed to get AuthTokens. Retrying in 3 secs.
Retrieving PublicKey...
Pub key fetch failed
Just got a chance to try this out now. FYI I re-ran the network inspector to get new cookies before trying this and used those instead.
Using the first one, I get the following:
Failed to execute call dispatcher target for entry '/login'.
The called action terminated with an exception:
?:0: attempt to index a nil value
stack traceback:
[C]: in function 'assert'
?: in function 'dispatch'
?: in function <?:218>
500
<RequestsCookieJar[]>
{'Connection': 'close', 'Transfer-Encoding': 'chunked', 'Content-Type': 'text/plain', 'Cache-Control': 'no-cache', 'Expires': '0'}
If I change the url
to http://10.0.0.100/webpages/index.html
<!DOCTYPE html><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="apple-touch-fullscreen" content="yes"><meta name="apple-mobile-web-app-capable" content="yes"><meta name="apple-mobile-web-app-status-bar-style" content="black"><meta name="format-detection" content="telephone=no"><link rel="shortcut icon" href="favicon.ico"><link href="themes/default/css/perfect-scrollbar.css" rel="stylesheet"><link href="themes/default/css/total.css" rel="stylesheet"><!--[if lt IE 9]>
<link type="text/css" href="themes/default/css/total.ie8.css" rel="stylesheet" />
<![endif]--><title id="title">Opening...</title><noscript><meta http-equiv="refresh" content="0; url=error.html"/></noscript></head><body><div id="main-container"></div><script src="js/libs/jquery.min.js"></script><script src="js/libs/jquery.backgroundSize.js"></script><script src="js/libs/base64.js"></script><script src="js/libs/encrypt.js"></script><script src="js/libs/cryptoJS.min.js"></script><script src="js/libs/tpEncrypt.js"></script><!--[if lt IE 9]><script src="js/libs/respond.min.js"></script><![endif]--><script src="js/app/url.js"></script><script src="js/su/char.js"></script><script src="js/su/language.js"></script><script>try{$.su.language=new $.su.Language}catch(a){location.href="./error.html"}</script><script src="js/su/frame.js"></script><script>$(document).ready(function(n){App=new $.su.App,App.setContainer("main-container"),App.init().done(function(){App.launch()})})</script></body></html>
200
<RequestsCookieJar[]>
{'Connection': 'close', 'ETag': '"eb-698-5f64aada"', 'Last-Modified': 'Fri, 18 Sep 2020 12:40:58 GMT', 'Date': 'Tue, 19 Jan 2021 13:37:24 GMT', 'Content-Type': 'text/html', 'Content-Length': '1688'}
The second script, when ran as-is, got stuck on Retrieving PublicKey...
.
I wasn't sure how to configure it but when attempting to put in my password at the end of the file, I got:
[VR600] Loading wireless clients...
Retrieving PublicKey...
Pub key fetch failed
Failed to get AuthTokens. Retrying in 3 secs.
Retrieving PublicKey...
Pub key fetch failed
Hello,
I'm looking for the same thing. I got the first part working by only changing the data variable from
data = {'operation': 'read'}
to
data = '{"operation":"read"}'
It looks like that the serialization is not working properly in python (or the router implemented it's own Json serialiser).
The second part also fails for me on the retrieving the PublicKey. The HttpPost in method _get_pub_key in VR600TplinkDeviceScanner returns a 404 error.
======================== I did some more digging. The steps that are written in the CONTRIBUTING.md is missing a part. Once I open the management web-page, there is a request send to get "keys" which will contain 2 passwords that (i think) are used to encrypt the password (see attached keys.har.txt ).
The management web-page for the Deco M9 only asks for a password, no username is required.
A little late to reply, but if you're still interested, try the script mentioned in Issue 5 and let me know if the script worked
Hi @menahishayan
Sorry for the very late reply, I had forgotten about this project. I have picked this up and run the c6_test.py script from Issue 5).
The requests in that script look to be matching with the requests for the M9, but it still fails on retrieving auth tokens. I think the issue is that the body the "/cgi-bin/luci/;stok=/login?form=login" request is not encrypted. The keys to encrypt the body can be retrieved by a request to "/cgi-bin/luci/;stok=/login?form=keys".
@OJ7 @bvermolen If you are still looking for a client for Deco M9 - I have the client which supports it https://github.com/AlexandrErohin/TP-Link-Archer-C6U
Items clicked:
Network Map button
Advanced button
10.0.0.100.har.zip