华为HG8020C支持的指令放上来，求高手指点读取超级密码指令方法

0bd9i63h · 发表于 2016-3-28 14:36:16

忘了写上去了，这个路由可以进SU，然后进shell。但是shell里面只有ifconfig指令，连普通的ls,cd指令都没有。
telnet进主机之后看到可以支持的指令如下：
WAP>?
amp add policy-stats pon
amp add policy-stats port
amp add stats gemport
amp clear policy-stats pon
amp clear policy-stats port
amp clear stats gemport
amp debug lswtable all
amp del policy-stats pon
amp del policy-stats port
amp del stats gemport
amp display efc
amp display l2act
amp display l2mac
amp display sfc
amp display userflow
amp show
ampcmd show car all
ampcmd show car index
ampcmd show emac stat
ampcmd show flow all
ampcmd show flow index
ampcmd show log
ampcmd show queue all
ampcmd show queue index
ampcmd trace all
ampcmd trace cli
ampcmd trace dpoe
ampcmd trace drv
ampcmd trace emac
ampcmd trace emap
ampcmd trace eth
ampcmd trace gmac
ampcmd trace gmap
ampcmd trace onu
ampcmd trace optic
ampcmd trace qos
backup cfg
bbsp add policy-stats btv
bbsp clear policy-stats btv all
bbsp clear policy-stats wan
bbsp del policy-stats btv
Broadband debug
Broadband display
Broadband stat
chipdebug
clear amp pq-stats
clear file
clear lastword
clear pon statistics
clear poncnt dnstatistic
clear poncnt gemport upstatistic
clear poncnt upstatistic
clear port statistics
collect debug info
component delete all
cpu debug off
cpu debug on
dbg
debug ctp all
debug ctp step
debug dsp down msg
debug dsp msg
debug dsp up msg
debug ffwd all
debug ffwd event
debug ffwd fwd
debug ffwd lsw
debug ffwd napt
debug ffwd timer
debug fw pktinfo num
debug ifm
debug qoscfg
debug rtp stack
debug sample mediastar
debug vbr-fw all
debug vbr-fw hook
debug vbr-fw vbr-id
debug vport all
debug vport step
display access mode
display acl chain all
display amp policy-stats pon
display amp policy-stats port
display amp pq-stats
display amp stats gemport
display apmChipStatus
display apmpolicy
display batteryStatus
display bbsp stats btv
display bbsp stats wan
display bmsxml crc
display boardItem
display ctp all
display ctp detail
display cwmp debug
display deviceInfo
display dhcp_em result
display dsp channel para
display dsp channel running status
display dsp channel status
display dsp chip stat
display dsp codec status
display dsp interrupt stat
display epon ont info
display equip test mode
display equipId
display equiptest status
display ethoam ma info
display ethoam md info
display ethoam mep info
display ethoam mep perf
display ffwd all
display ffwd stat
display file
display filter rf
display flashlock status
display flow
display fw all
display fw statistic
display inner version
display jb grid status
display jb para
display l2ffwd table
display lanmac
display lastword
display log info
display mac all
display macaddress
display machineItem
display memory info
display msg-queue
display napt all
display oaml2shell ethvlan
display onu info
display optic
display optmode
display patch information
display pon statistics
display poncnt dnstatistic
display poncnt gemport upstatistic
display poncnt upstatistic
display portstatistics
display pppoe_em result
display productId
display productmac
display rf config
display route
display rtp stack channel stat
display rtp stack para
display rtp stack version
display rtp statck chip stat
display sn
display startup info
display swm bootstate
display swm state
display sysinfo
display syslog
display telnet access
display timeout
display timer
display usb devList
display vbridge info
display vbridge nni-binding
display vbridge port-binding
display vbridge statistic
display vbridge uni-binding
display vbridge uplink-binding
display vendorId
display version
display vport all
display vport detail
display wan layer all
display wanmac
display wifi pa type
display wifichip
display wlanmac
display zsp version
get battery alarm status
get battery-chip status
get ip conntrack
get iptables filter
get iptables mangle
get iptables nat
get iptables raw
get mac agingtime
get ont oamfrequency
get opm switch
get optic debug info
get optic par info
get optic txmode
get poncnt upgemport
get port config
get port isolate
get port vlan
get rogue status
get testself
get vlan auth
get wlan enable
ifconfig
igmp clear statistics
igmp get debug switch
igmp get flow info
igmp get global cfg
igmp get iptv
igmp get multilmac
igmp get port multicast config
igmp get statistics
igmp set debug switch
ip -6 neigh
ip -6 route
ip -6 rule
ip neigh
ip route
ip rule
load pack
logout
maintain mode
make ssh hostkey
mgcp mg-config
mgcp mgc 1
mgcp mgc 2
mid get
mid off
mid set
napt cli
netstat -na
oamcmd clear log
oamcmd debug
oamcmd pdt show log
oamcmd show flow
oamcmd show log
omcicmd alarm ctrl show
omcicmd alarm show
omcicmd clear log
omcicmd clear msg stat
omcicmd debug
omcicmd error log
omcicmd mib att show
omcicmd mib copy show
omcicmd mib show
omcicmd mib stat show
omcicmd pdt show log
omcicmd pm show
omcicmd show flow
omcicmd show log
omcicmd show msg stat
omcicmd show olt type
omcicmd show qos
omcicmd show tcont table
ping
qoscfg get
quit
reset
restore manufactory
route get default
save data
save log
set cwmp debug
set ethportmirror
set ringchk
set timeout
set userpasswd
set voicedebug
set voicedsploop
set voicelinetest
set voiceportloop
set voicesignalingprint
setconsole
sntp get
su
test monitor interface
traceroute
tunnel show all
vbridge statistic clear
voice remote diagnose server set
voice remote diagnose set
vport statistic clear
vspa clear rtp statistics
vspa debug
vspa display confrence info
vspa display dsp running info
vspa display dsp state
vspa display mg if state
vspa display mg info
vspa display mgcp config
vspa display online user info
vspa display port status
vspa display rtp statistics
vspa display signal scene info
vspa display signal scene list
vspa display user call state
vspa display user status
vspa mgc switch
vspa reset
vspa set ptcflag
vspa shutdown mg
wap ll
wap ls
wap ps
wap top
WAP>quit
这些指令中哪个可以读取超级密码？请指教

7l91cp · 发表于 2016-3-28 14:36:17

没有cd的命令问题不大，你执行我前面贴的命令的时候，就打全路径操作就是了。
比如
cp /mnt/ffs2/HW_ctree.xml /mnt/ffs2/HW_ctree.xml.bak

ivgmh671 · 发表于 2016-3-28 14:36:17

学习了。谢谢分享

oh924bo · 发表于 2016-3-28 14:36:18

华为的猫好弄，不行下一个ONT解锁工具写一下猫就行了

2fxsuq4b · 发表于 2016-3-28 14:36:18

试试 SHELL。

现在的光猫都加密了。

roixq0cn · 发表于 2016-3-28 14:36:19

这个shell根本没有cd这条指令，郁闷！！

fab0pvi · 发表于 2016-3-28 14:36:19

晚上我回去试试，连cd,ls这些指令都没有，我感觉cp指令肯定也不会有。

7l91cp · 发表于 2016-3-28 14:36:20

华为的路由猫支持自解密：
先拷贝一份作为备份
cp hw_ctree.xml hw_ctree.xml.bak
然后重命名一下hw_ctree.xml
mv hw_ctree.xml hw_ctree.xml.gz
再对hw_ctree.xml.gz 进行解密和解压
aescrypt2 1 hw_ctree.xml.gz tmp
gzip -d hw_ctree.xml.gz
这样就得到了原始的 hw_ctree.xml了。
现在就可以用vi命令进去改东西了。
当然，只是查看telecomadmin密码的话就
grep telecomadmin hw_ctree.xml
就可以看到了。

4plutl · 发表于 2016-3-28 14:36:20

WAP>shell
cd /mnt/jffs2
HW_ctree.xml 这个里面有超密，不过不知道这个文档加密了没有，加密了要解密。
如果不是中国电信界面的，是移动或者联通英文界面的超密是telecomadmin admintelecom

		自动登录	找回密码
密码			立即注册