Thread: [Script request] Huawei HG552e
View Single Post
  #1  
Old 13.09.2017, 16:39
dante35 dante35 is offline
Modem User
  
Join Date: Sep 2017
Location: Turkey
Posts: 1
Angry Huawei HG552e
Hi
I use Huawei HG552e,
i dont know why but Upnp only works for port forwarding.
I've recorded LiveHeader in raw mode(nomal mode didnt recorded) but didnt work.
I have edited code like this.
Spoiler:
Code:
[[[HSRC]]]
    [[[STEP]]]
        [[[REQUEST raw="true"]]]
        GET /html/index.asp HTTP/1.1
        Host: %%%routerip%%%
        user-agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
        accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
        accept-language: tr
        accept-encoding: gzip, deflate
        cookie: Language=tk; FirstMenu=User_0; SecondMenu=User_0_0; ThirdMenu=User_0_0_0; SessionID_R3=8a3x2QwTfd0Me6ecIZ19rTkMyWLqB79BdnzCn6LWl7rGsLVUWE9tGBjsqph5G8mhtvf8q8ap7hK5VAJ4gwyCd8rX9lI9Fh4lyM5GrnRZG4iRHCX00vR1HaUIRhL1D7Yw; FirstLogin=Second
        dnt: 1
        connection: keep-alive
        upgrade-żnsecure-requests: 1
        [[[/REQUEST]]]
    [[[/STEP]]]

    [[[STEP]]]
        [[[REQUEST raw="true"]]]
        GET /html/ajaxref/updatachallangeajax.asp HTTP/1.1
        Host: %%%routerip%%%
        user-agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
        accept: */*
        accept-language: tr
        accept-encoding: gzip, deflate
        cookie: Language=tk; FirstMenu=User_0; SecondMenu=User_0_0; ThirdMenu=User_0_0_0; SessionID_R3=8a3x2QwTfd0Me6ecIZ19rTkMyWLqB79BdnzCn6LWl7rGsLVUWE9tGBjsqph5G8mhtvf8q8ap7hK5VAJ4gwyCd8rX9lI9Fh4lyM5GrnRZG4iRHCX00vR1HaUIRhL1D7Yw; FirstLogin=Second
        dnt: 1
        connection: keep-alive
        [[[/REQUEST]]]
        [[[RESPONSE keys="challange"]]]
	<html><head></head><body>"(.*?)"
        </body></html>
	[[[/RESPONSE]]]
    [[[/STEP]]]

    [[[STEP]]]
        [[[REQUEST raw="true"]]]
        POST /index/login.cgi HTTP/1.1
        Host: %%%routerip%%%
        user-agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
        accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
        accept-language: tr
        accept-encoding: gzip, deflate
        content-type: application/x-www-form-urlencoded
        content-length: 119
        cookie: Language=tk; FirstMenu=User_4; SecondMenu=User_4_0; ThirdMenu=User_4_0_0; SessionID_R3=DrtRBJjzrYu6IkBI1dx4KD93A8e6wzdBalBYkA6EvuXvzIcook1yNIED1WCdiJ7hemNSocpV30MytwaGpVLMglbPQEAcsOU4I1Fimqb2bbM3b8Deaq5sUAnI4OQHXgBJ; FirstLogin=Second
        dnt: 1
        connection: keep-alive
        upgrade-żnsecure-requests: 1

Username=%%%user%%%&Password=Password=%%%BASE64::::pass%%%+%%%challange%%%&challange=%%%challange%%%
        [[[/REQUEST]]]
    [[[/STEP]]]

 
    [[[STEP]]]
        [[[REQUEST raw="true"]]]
        GET /html/management/reset.asp HTTP/1.1
        Host: %%%routerip%%%
        user-agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
        accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
        accept-language: tr
        accept-encoding: gzip, deflate
        cookie: Language=tk; FirstMenu=User_0; SecondMenu=User_0_0; ThirdMenu=User_0_0_0; SessionID_R3=8a3x2QwTfd0Me6ecIZ19rTkMyWLqB79BdnzCn6LWl7rGsLVUWE9tGBjsqph5G8mhtvf8q8ap7hK5VAJ4gwyCd8rX9lI9Fh4lyM5GrnRZG4iRHCX00vR1HaUIRhL1D7Yw; FirstLogin=Second
        dnt: 1
        connection: keep-alive
        upgrade-żnsecure-requests: 1
        [[[/REQUEST]]]
    [[[/STEP]]]

    [[[STEP]]]
        [[[REQUEST raw="true"]]]
        GET /lang/reset.res HTTP/1.1
        Host: %%%routerip%%%
        user-agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
        accept: */*
        accept-language: tr
        accept-encoding: gzip, deflate
        cookie: Language=tk; FirstMenu=User_0; SecondMenu=User_0_0; ThirdMenu=User_0_0_0; SessionID_R3=8a3x2QwTfd0Me6ecIZ19rTkMyWLqB79BdnzCn6LWl7rGsLVUWE9tGBjsqph5G8mhtvf8q8ap7hK5VAJ4gwyCd8rX9lI9Fh4lyM5GrnRZG4iRHCX00vR1HaUIRhL1D7Yw; FirstLogin=Second
        dnt: 1
        connection: keep-alive
        [[[/REQUEST]]]
    [[[/STEP]]]

    [[[STEP]]]
        [[[REQUEST raw="true"]]]
        POST /html/management/reboot.cgi?RequestFile=/html/management/reset.asp HTTP/1.1
        Host: %%%routerip%%%
        user-agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
        accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
        accept-language: tr
        accept-encoding: gzip, deflate
        content-type: application/x-www-form-urlencoded
        content-length: 43
        cookie: Language=tk; FirstMenu=User_0; SecondMenu=User_0_0; ThirdMenu=User_0_0_0; SessionID_R3=8a3x2QwTfd0Me6ecIZ19rTkMyWLqB79BdnzCn6LWl7rGsLVUWE9tGBjsqph5G8mhtvf8q8ap7hK5VAJ4gwyCd8rX9lI9Fh4lyM5GrnRZG4iRHCX00vR1HaUIRhL1D7Yw; FirstLogin=Second
        dnt: 1
        connection: keep-alive
        upgrade-żnsecure-requests: 1

csrf_token=rrDhZLdRERqb7QQtRnIy3YdbCczVSYv0
        [[[/REQUEST]]]
    [[[/STEP]]]

    [[[STEP]]]
        [[[REQUEST raw="true"]]]
        GET /lang/pubinfo.res HTTP/1.1
        Host: %%%routerip%%%
        user-agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
        accept: */*
        accept-language: tr
        accept-encoding: gzip, deflate
        cookie: Language=tk; FirstMenu=User_0; SecondMenu=User_0_0; ThirdMenu=User_0_0_0; SessionID_R3=8a3x2QwTfd0Me6ecIZ19rTkMyWLqB79BdnzCn6LWl7rGsLVUWE9tGBjsqph5G8mhtvf8q8ap7hK5VAJ4gwyCd8rX9lI9Fh4lyM5GrnRZG4iRHCX00vR1HaUIRhL1D7Yw; FirstLogin=Second
        dnt: 1
        connection: keep-alive
        [[[/REQUEST]]]
    [[[/STEP]]]

    [[[STEP]]]
        [[[REQUEST raw="true"]]]
        POST /index/getRebootRes.cgi HTTP/1.1
        Host: %%%routerip%%%
        user-agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
        accept: */*
        accept-language: tr
        accept-encoding: gzip, deflate
        cookie: Language=tk; FirstMenu=User_0; SecondMenu=User_0_0; ThirdMenu=User_0_0_0; SessionID_R3=8a3x2QwTfd0Me6ecIZ19rTkMyWLqB79BdnzCn6LWl7rGsLVUWE9tGBjsqph5G8mhtvf8q8ap7hK5VAJ4gwyCd8rX9lI9Fh4lyM5GrnRZG4iRHCX00vR1HaUIRhL1D7Yw; FirstLogin=Second
        dnt: 1
        connection: keep-alive
        content-length: 0
        [[[/REQUEST]]]
    [[[/STEP]]]

[[[/HSRC]]]


I looked at index.asp and device uses complex encryption.
part of index.asp:
Spoiler:
Code:
var cookie = "FirstMenu=" + firmenu + "; path=/";
document.cookie = cookie;
var cookie = "SecondMenu=" + secmenu + "; path=/";
document.cookie = cookie;
var cookie = "ThirdMenu=" + thirdmenu + "; path=/";
document.cookie = cookie;
var date = new Date();
date.setTime(date.getTime()+(365*24*60*60*1000));
var expires = "; expires="+date.toGMTString();
var lantype = getSelectVal('Language');
if (0 == lantype)
{
var cookie = "Language=tk" + expires + "; path=/";
}
else
{
var cookie = "Language=en" + expires + "; path=/";
}
document.cookie = cookie;
var form = new webSubmitForm();
form.setAction('/index/login.cgi');
form.addParameter('Username', Username.value);
var dbpass = base64encode(SHA256(Password.value));
var realpass = dbpass + challange;
form.addParameter('Password', SHA256(realpass));
form.addParameter('challange', challange);
form.submit();
return true;
}
function SubmitFormWithChallange(type)
{
var xmlhttp = CreateXMLHttp();
xmlhttp.onreadystatechange = function()
{
if (xmlhttp.readyState == 4)
{
if (xmlhttp.status == 200)
{
challange = eval(xmlhttp.responseText);
SubmitForm(type);
}
}
}
xmlhttp.open("get",'/html/ajaxref/updatachallangeajax.asp',true);
xmlhttp.send(null);
}

updatachallangeajax.asp output:
Spoiler:
Code:
<html><head></head><body>"wL1IxPgYioaNOiWkrftX"
</body></html>

So i need help please
Reply With Quote