i have more questions than answers

router/refereapi.md

@@ -0,0 +1,146 @@
+
+
+# Request 1 - /webserver/token
+- request:
+```bash
+curl 'http://192.168.1.1/api/webserver/token' \
+  -H 'Accept: */*' \
+  -H 'Accept-Language: en-US,en' \
+  -H 'Connection: keep-alive' \
+  -H 'Cookie: SessionID=Cs0LUomy6A4rf2fcN0oLa3sYHEyw6MGbd5F6xZC0HUsXdF0zOcerUZdZ3fksRRLEpf8gnUEhHzClsr0paCjKaYaSamwkJwX7W4tAUxVKukkGQZ4Q0fFygbkknQ9MsIwa' \
+  -H 'Referer: http://192.168.1.1/html/home.html' \
+  -H 'Sec-GPC: 1' \
+  -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36' \
+  -H 'X-Requested-With: XMLHttpRequest' \
+  -H '_ResponseSource: Broswer' \
+  --compressed \
+  --insecure
+```
+- response:
+```xml
+<?xml version="1.0" encoding="UTF-8"?><response><token>7usoFzYsT0SDyVi9rUyNTr5ZBH0lw1zTL4J9WuCLB0QTM0A0mbivNZO1boz0z8D3</token></response>
+```
+
+# Request 2 - /user/challenge_login
+- request:
+```bash
+curl 'http://192.168.1.1/api/user/challenge_login' \
+  -H 'Accept: */*' \
+  -H 'Accept-Language: en-US,en' \
+  -H 'Connection: keep-alive' \
+  -H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' \
+  -H 'Cookie: SessionID=Cs0LUomy6A4rf2fcN0oLa3sYHEyw6MGbd5F6xZC0HUsXdF0zOcerUZdZ3fksRRLEpf8gnUEhHzClsr0paCjKaYaSamwkJwX7W4tAUxVKukkGQZ4Q0fFygbkknQ9MsIwa' \
+  -H 'Origin: http://192.168.1.1' \
+  -H 'Referer: http://192.168.1.1/html/home.html' \
+  -H 'Sec-GPC: 1' \
+  -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36' \
+  -H 'X-Requested-With: XMLHttpRequest' \
+  -H '_ResponseSource: Broswer' \
+  -H '__RequestVerificationToken: L4J9WuCLB0QTM0A0mbivNZO1boz0z8D3' \
+  --data-raw '<?xml version="1.0" encoding="UTF-8"?><request><username>admin</username><firstnonce>c6c4acd3555a04d0c28fe6fa591db567906e9a0fb961ca1232b2974e43de4417</firstnonce><mode>1</mode></request>' \
+  --compressed \
+  --insecure
+```
+- payload:
+```xml
+<?xml version="1.0" encoding="UTF-8"?><request><username>admin</username><firstnonce>c6c4acd3555a04d0c28fe6fa591db567906e9a0fb961ca1232b2974e43de4417</firstnonce><mode>1</mode></request>
+```
+- response:
+```xml
+<?xml version="1.0" encoding="UTF-8"?><response><iterations>100</iterations><servernonce>c6c4acd3555a04d0c28fe6fa591db567906e9a0fb961ca1232b2974e43de44179M0rKTb0c0BMElXpX3gYalymZmYf3UHZ</servernonce><modeselected>1</modeselected><salt>e887b38d6c96bdd9a4cd5e50c94afd09290cff8dca6a857eb77e593f93de8c1a</salt><newType>0</newType></response>
+```
+
+# Request 3 - /time/timeout
+- request:
+```bash
+curl 'http://192.168.1.1/api/time/timeout' \
+  -H 'Accept: */*' \
+  -H 'Accept-Language: en-US,en' \
+  -H 'Connection: keep-alive' \
+  -H 'Cookie: SessionID=Cs0LUomy6A4rf2fcN0oLa3sYHEyw6MGbd5F6xZC0HUsXdF0zOcerUZdZ3fksRRLEpf8gnUEhHzClsr0paCjKaYaSamwkJwX7W4tAUxVKukkGQZ4Q0fFygbkknQ9MsIwa' \
+  -H 'Referer: http://192.168.1.1/html/home.html' \
+  -H 'Sec-GPC: 1' \
+  -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36' \
+  -H 'X-Requested-With: XMLHttpRequest' \
+  -H '_ResponseSource: Broswer' \
+  --compressed \
+  --insecure
+```
+- response:
+```xml
+<?xml version="1.0" encoding="UTF-8"?><response><timeout>5</timeout></response>
+```
+
+# Request 4 - /user/authentication_login
+- request:
+```bash
+curl 'http://192.168.1.1/api/user/authentication_login' \
+  -H 'Accept: */*' \
+  -H 'Accept-Language: en-US,en' \
+  -H 'Connection: keep-alive' \
+  -H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' \
+  -H 'Cookie: SessionID=Cs0LUomy6A4rf2fcN0oLa3sYHEyw6MGbd5F6xZC0HUsXdF0zOcerUZdZ3fksRRLEpf8gnUEhHzClsr0paCjKaYaSamwkJwX7W4tAUxVKukkGQZ4Q0fFygbkknQ9MsIwa' \
+  -H 'Origin: http://192.168.1.1' \
+  -H 'Referer: http://192.168.1.1/html/home.html' \
+  -H 'Sec-GPC: 1' \
+  -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36' \
+  -H 'X-Requested-With: XMLHttpRequest' \
+  -H '_ResponseSource: Broswer' \
+  -H '__RequestVerificationToken: 7gMDssgEmFJrA0CrPvudLIdlwOK061Gf' \
+  --data-raw '<?xml version="1.0" encoding="UTF-8"?><request><clientproof>a35c26ecc35708fdbfd2b51c11344aa945e7b0542906c4f1b25edc607d05c4c7</clientproof><finalnonce>c6c4acd3555a04d0c28fe6fa591db567906e9a0fb961ca1232b2974e43de44179M0rKTb0c0BMElXpX3gYalymZmYf3UHZ</finalnonce></request>' \
+  --compressed \
+  --insecure
+```
+- payload:
+```xml
+<?xml version="1.0" encoding="UTF-8"?><request><clientproof>a35c26ecc35708fdbfd2b51c11344aa945e7b0542906c4f1b25edc607d05c4c7</clientproof><finalnonce>c6c4acd3555a04d0c28fe6fa591db567906e9a0fb961ca1232b2974e43de44179M0rKTb0c0BMElXpX3gYalymZmYf3UHZ</finalnonce></request>
+```
+- response:
+```xml
+<?xml version="1.0" encoding="UTF-8"?><response><rsan>b0fa5c08b6e4e660311ef7031371c360881e16dc869f210c35b8d7d3faad532bc59c6592582971cef11582810592b179dc2146c202244a05c19b52d9e1d4206a7257d7b0c7699d369ccc0933ca8a79413244d74f5e8ecc3ecca256b4eec55c4cf4a4826bbc8d2168d2d884088e11597498263d66be785c861618add86ee9a8ae7e4b717b0f332696436026d66a1f6c516a142344fc9973de0930a141fc1f8be2b7c8c09ac7166b18989795de6585352fcb6429fee8b654e623b21c2cfe2ca46026c3a73964ff2cb28f9ccdd255bc81cd047279771444ac7e8630e4b9b43fff8c6b88424838e0022ddea776be08410b1b154d2a70f006820a539674f0e5231ea3</rsan><rsae>010001</rsae><serversignature>fac00d46ddce565a5f8fc2b925070dedd4c84c98d7f9ecdcb97a105e90a9c21a</serversignature><rsapubkeysignature>327e0f2e4c7572007c5da86e7491477c2945a2233d82fc8cc808808a58d7e622</rsapubkeysignature></response>
+```
+
+# Request 5 - /user/state-login
+- request:
+```bash
+curl 'http://192.168.1.1/api/user/state-login' \
+  -H 'Accept: */*' \
+  -H 'Accept-Language: en-US,en' \
+  -H 'Connection: keep-alive' \
+  -H 'Cookie: SessionID=f6Nja9NzWyK4LY4Yr80eI9FFAjPZuc0dUy0bdkOalo7fhOtspjkMCndE94KlcdM3iYSTxIgOFqDS3ZZL0P06S4Hjr8HmTiq6yuUKgTzAarIUqzujpOCl6BAs4yNLnSNd' \
+  -H 'Referer: http://192.168.1.1/html/home.html' \
+  -H 'Sec-GPC: 1' \
+  -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36' \
+  -H 'X-Requested-With: XMLHttpRequest' \
+  -H '_ResponseSource: Broswer' \
+  --compressed \
+  --insecure
+```
+
+- response:
+```xml
+<?xml version="1.0" encoding="UTF-8"?><response><userlevel>2</userlevel><firstlogin>1</firstlogin><Username>admin</Username><rsapadingtype>1</rsapadingtype><extern_password_type>1</extern_password_type><State>0</State><password_type>4</password_type><history_login_flag>0</history_login_flag><wifipwdsamewithwebpwd>0</wifipwdsamewithwebpwd></response>
+```
+
+# Request 6 - /time/timeout
+- request:
+```bash
+curl 'http://192.168.1.1/api/time/timeout' \
+  -H 'Accept: */*' \
+  -H 'Accept-Language: en-US,en' \
+  -H 'Connection: keep-alive' \
+  -H 'Cookie: SessionID=f6Nja9NzWyK4LY4Yr80eI9FFAjPZuc0dUy0bdkOalo7fhOtspjkMCndE94KlcdM3iYSTxIgOFqDS3ZZL0P06S4Hjr8HmTiq6yuUKgTzAarIUqzujpOCl6BAs4yNLnSNd' \
+  -H 'Referer: http://192.168.1.1/html/home.html' \
+  -H 'Sec-GPC: 1' \
+  -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36' \
+  -H 'X-Requested-With: XMLHttpRequest' \
+  -H '_ResponseSource: Broswer' \
+  --compressed \
+  --insecure
+```
+- response:
+```xml
+<?xml version="1.0" encoding="UTF-8"?><response><timeout>5</timeout></response>
+```
+
+

routerapi.sh

@@ -1,19 +1,32 @@
 #!/bin/bash
 
+dependency_check(){
+	for DEPENDENCY; do
+		if ! command -v "$DEPENDENCY" 1>/dev/null; then
+			printf "%s not found. Please install it.\n" "$DEPENDENCY" >&2
+			exit 2
+		fi
+		done
+	unset DEPENDENCY
+}
+dependency_check "htmlq" "xmlstarlet" "tail" "head" "curl"
 
+home_html=$(curl -s $ROUTER_ADDRESS/html/home.html)
+csrf_token1=$(echo $home_html | htmlq 'meta[name="csrf_token"]' --attribute content | head -n1)
+csrf_token2=$(echo $home_html | htmlq 'meta[name="csrf_token"]' --attribute content | tail -n1)
 token=$(curl -c .cookie $ROUTER_ADDRESS/api/webserver/token -s | xmlstarlet sel -t -v "/response/token")
-echo $token
 token_start=$(echo "${token::${#token}-32}")
 token_end=$(echo ${token:32})
 
+echo $token
 echo $token_start$token_end
 echo $token_start
 echo $token_end
 
 
-curl -s -b .cookie "$ROUTER_ADDRESS/api/user/challenge_login" \
+#curl -s -b .cookie "$ROUTER_ADDRESS/api/user/challenge_login" \
-  -H "Origin: $ROUTER_ADDRESS" \
+#  -H "Origin: $ROUTER_ADDRESS" \
-  -H "Referer: $ROUTER_ADDRESS/html/home.html" \
+#  -H "Referer: $ROUTER_ADDRESS/html/home.html" \
-  -H "_ResponseSource: Broswer" \
+#  -H "_ResponseSource: Broswer" \
-  -H "__RequestVerificationToken: $token_end" \
+#  -H "__RequestVerificationToken: $token_end" \
-  --data-raw "<?xml version="1.0" encoding="UTF-8"?><request><username>admin</username><firstnonce>58eb18b0cf49b69cb2b5b6204d32394a464ca082c0cb5a80b51811883cf4f076</firstnonce><mode>1</mode></request>" \
+#  --data-raw "<?xml version="1.0" encoding="UTF-8"?><request><username>admin</username><firstnonce>58eb18b0cf49b69cb2b5b6204d32394a464ca082c0cb5a80b51811883cf4f076</firstnonce><mode>1</mode></request>" \

routerapi2.sh

@@ -0,0 +1,57 @@
+#!/bin/bash
+
+source .env
+
+
+# vars used from .env
+#ROUTER_USERNAME
+#ROUTER_PASSWORD
+#ROUTER_ADDRESS
+
+
+SesTokInfo_req(){
+req=$(curl -s $ROUTER_ADDRESS/api/webserver/SesTokInfo)
+TokInfo=$(echo $req | xmlstarlet sel -t -v "/response/TokInfo")
+SesInfo=$(echo $req | xmlstarlet sel -t -v "/response/SesInfo")
+}
+
+gen_pass_hash(){
+hash1=$(echo -n $ROUTER_PASSWORD| sha256sum | awk '{print $1}')
+hash2=$(echo -n $ROUTER_USERNAME$hash1$TokInfo| sha256sum | awk '{print $1}')
+passhash=$hash2
+}
+
+gen_login_body(){
+body=$(echo "<?xml version=\"1.0\" encoding=\"UTF-8\"?><request><username>$ROUTER_USERNAME</username><password_type>4</password_type><password>$passhash")
+}
+
+login(){
+curl -s $ROUTER_ADDRESS/api/user/login \
+	-H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' \
+	-H "Cookie: SessionID=$SesInfo" \
+	-H "__RequestVerificationToken: $TokInfo" \
+	--data-raw $body
+}
+
+
+
+#disable_data(){
+#curl -s $ROUTER_ADDRESS/api/user/login \
+#        -H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' \
+#        -H "Cookie: SessionID=$SesInfo" \
+#        -H "__RequestVerificationToken: $TokInfo" \
+#}
+
+# exec oder
+SesTokInfo_req
+gen_pass_hash
+gen_login_body
+login
+
+# debug
+echo $TokInfo
+echo $SesInfo
+echo $passhash
+echo $body
+
+

routerapi3.sh

@@ -0,0 +1,76 @@
+#!/bin/bash
+
+source .env
+dependency_check(){
+	for DEPENDENCY; do
+		if ! command -v "$DEPENDENCY" 1>/dev/null; then
+			printf "%s not found. Please install it.\n" "$DEPENDENCY" >&2
+			exit 2
+		fi
+		done
+	unset DEPENDENCY
+}
+
+csrf_token(){
+home_html=$(curl -s -c .cookie $ROUTER_ADDRESS/html/home.html)
+csrf_token1=$(echo $home_html | htmlq 'meta[name="csrf_token"]' --attribute content | head -n1)
+csrf_token2=$(echo $home_html | htmlq 'meta[name="csrf_token"]' --attribute content | tail -n1)
+}
+
+gen_first_nonce(){
+first_nonce=$(head /dev/urandom | tr -dc A-Za-z0-9  | sha256sum | awk '{print $1}')
+}
+webserver_token(){
+token=$(curl -b .cookie  'http://192.168.1.1/api/webserver/token' \
+  -H 'Accept: */*' \
+  -H 'Accept-Language: en-US,en' \
+  -H 'Connection: keep-alive' \
+  -H 'Referer: http://192.168.1.1/html/home.html' \
+  -H 'Sec-GPC: 1' \
+  -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36' \
+  -H 'X-Requested-With: XMLHttpRequest' \
+  -H '_ResponseSource: Broswer' \
+  --compressed \
+  --insecure | xmlstarlet sel -t -v "/response/token")
+
+#token=$(curl -s -b .cookie $ROUTER_ADDRESS/api/webserver/token | xmlstarlet sel -t -v "/response/token")
+
+token_start=$(echo "${token::${#token}-32}")
+token_end=$(echo ${token:32})
+
+}
+
+challenege_login(){
+curl -s -b .cookie "$ROUTER_ADDRESS/api/user/challenge_login" \
+  -H "Origin: $ROUTER_ADDRESS" \
+  -H "Referer: $ROUTER_ADDRESS/html/home.html" \
+ -H 'X-Requested-With: XMLHttpRequest' \
+  -H "_ResponseSource: Broswer" \
+  -H '__RequestVerificationToken: "${token_end}"' \
+  --data-raw '<?xml version="1.0" encoding="UTF-8"?><request><username>admin</username><firstnonce>${first_nonce}</firstnonce><mode>1</mode></request>'
+}
+
+
+#exec oder
+dependency_check "htmlq" "xmlstarlet" "tail" "head" "curl"
+webserver_token
+gen_first_nonce
+challenege_login
+
+# debug
+echo ""
+echo ""
+echo ""
+echo ""
+echo ' mmmm   mmmmmm mmmmm  m    m   mmm   '
+echo ' #   "m #      #    # #    # m"   "  '
+echo ' #    # #mmmmm #mmmm" #    # #   mm  '
+echo ' #    # #      #    # #    # #    #  '
+echo ' #mmm"  #mmmmm #mmmm" "mmmm"  "mmm"  '
+echo ""
+echo "full token:	${token}"
+echo "token:		${token_start}${token_end}"
+echo "token_start:	${token_start}"
+echo "token_end:					$token_end"
+echo "first_nonce:	$first_nonce"
+