From 038c261eb75b90c7ddccc5625891342aa89bed4c Mon Sep 17 00:00:00 2001
From: Till Tomczak
Date: Tue, 11 Mar 2025 15:07:23 +0100
Subject: [PATCH] api reverse engineering
---
 CREDENTIALS | 1 +
 backend/api-test.drucker.py | 95 ++++++++++++++++++++++++++++++++++++
 backend/capture.pcap | Bin 0 -> 7322 bytes
 3 files changed, 96 insertions(+)
 create mode 100644 CREDENTIALS
 create mode 100644 backend/api-test.drucker.py
 create mode 100644 backend/capture.pcap
diff --git a/CREDENTIALS b/CREDENTIALS
new file mode 100644
index 0000000..0a5338f
--- /dev/null
+++ b/CREDENTIALS
@@ -0,0 +1 @@
+TAPO ADMIN: vT6Vsd^p
\ No newline at end of file
diff --git a/backend/api-test.drucker.py b/backend/api-test.drucker.py
new file mode 100644
index 0000000..e22a9f2
--- /dev/null
+++ b/backend/api-test.drucker.py
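Review bot: The new `CREDENTIALS` file commits what appears to be an admin password in plaintext (its single `+TAPO ADMIN: …` line), so every clone of the repository and its history now carries it. Deleting the file in a later commit does not remove it from history, so the password should be treated as exposed and changed, and the file dropped from the repository and listed in `.gitignore`. Code that needs the value can read it from an environment variable or a local untracked file instead. The same concern likely applies to `backend/capture.pcap` added in this commit, which presumably holds the captured device traffic.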
@@ -0,0 +1,95 @@
+import requests
+import json
+
+# Basis-URL inkl. Token
+url = "http://192.168.0.101:80/app?token=48284E8B91424E897B2E4C89175B4C88"
+
+# HTTP-Header wie in der Originalanfrage
+headers = {
+ "Referer": "http://192.168.0.101:80",
+ "Accept": "application/json",
+ "requestByApp": "true",
+ "Content-Type": "application/json; charset=UTF-8",
+ "Host": "192.168.0.101",
+ "Connection": "Keep-Alive",
+ "Accept-Encoding": "gzip",
+ "User-Agent": "okhttp/3.14.9"
+}
+
+# Liste der Payloads (als Python-Dictionaries)
+payloads = [
+ {
+ "method": "securePassthrough",
+ "params": {
+ "request": (
+ "ZC4CHp6bbfBO1rtmuH6I+TStBIiFRfQpayYPwet5NBmL35dib5xXHeEeLM7c0OSQSyxO6fnbXrC1\n"
+ "gXdfowwwq4Fum9ispgt8yT7cgbDcqnoVrhxEtHIDfuwLh8YAGmDSfTMo/JlsGspWPYMKd1EWXtb5\n"
+ "gP9FA9LHnV2kxKsNSPQ=\n"
+ )
+ }
+ },
+ {
+ "method": "securePassthrough",
+ "params": {
+ "request": (
+ "k111EbfCcfVzAouNbu1vyos9Ltsg+a97n4xUUQMviQVJfhqxvKOhv1SrvEk2LvpD0LwNVUNPZdwU\n"
+ "6pH5E/NOwdc1WzTPeqHiY760GpUuqn0tToHEHEyO2HaSKdrAYnw2gN410bvHb0pM3gYWS43eOA==\n"
+ )
+ }
+ },
+ {
+ "method": "securePassthrough",
+ "params": {
+ "request": (
+ "7/uYVDwyNfFhg9y7rHyp+4AGKBYQPyaBN6cFMl9j4ER/JpJTcGBdaUteSmx8P8Fkz+b2kkNLjYa2\n"
+ "wQr2gA3m6vEq9jpnAF2V3fv9c4Yg9gja9MlTIZqM6EdMi7YbfbhLme34Bh8kMcohDR3u1F4DwFDz\n"
+ "hNZPckf/CegbY9KGFeGwT4rWyX3BTk9+FE7ldtJn\n"
+ )
+ }
+ },
+ {
+ "method": "securePassthrough",
+ "params": {
+ "request": (
+ "EjWZb+YYS9tihgLdX4x+Wwx7q+e5X/ZHicr4jOnYmpFToDANzpm5ZpzD49BITcTCdQMOHlJBis85\n"
+ "9GX6Hv8j66OITyH0XmfG9dQo2tgIykyagCZIofr/BpAWYX4aRaOkU4z14mVa2XpDtHJQjc+pXYkh\n"
+ "JuWvLE+h01U5RoyPtvE=\n"
+ )
+ }
+ },
+ {
+ "method": "securePassthrough",
+ "params": {
+ "request": (
+ "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\n"
+ )
+ }
+ },
+ {
+ "method": "securePassthrough",
+ "params": {
+ "request": (
+ "7/uYVDwyNfFhg9y7rHyp+4AGKBYQPyaBN6cFMl9j4ER/JpJTcGBdaUteSmx8P8FkURmv/LWV1FpO\n"
+ "M3RWvsiC5UAsei2G+vwTVuQpOPjKKAx+qwftr9Qs2mSkPNjNLpWHK68EZkIw+h04TQkt0Q99Dirg\n"
+ "0BcrPgHTVKjiK8mdZ6w6gcld/h/FOKYMqJrP0Z+2\n"
+ )
+ }
+ },
+ {
+ "method": "securePassthrough",
+ "params": {
+ "request": (
+ "ZE/+XlUmTA9D3DFfp4x3xhS3vdsQ+60tz4TOodtZDby/4DPoqk9EBvJZ1JtUCr5c0AHuv/sfwcvN\n"
+ "Vx1zJP9RkltrAKVTWoaESAeewLozpXt/x0s/jkYC1rh7eTrxm+nYTZ5LJgNtcQq8yJxhEPez1w==\n"
+ )
+ }
+ }
+]
+
+# Sende die Payloads sequenziell per POST-Anfrage
+for idx, payload in enumerate(payloads, start=1):
+ response = requests.post(url, headers=headers, data=json.dumps(payload))
+ print(f"Anfrage {idx}:")
+ print("Status Code:", response.status_code)
+ print("Response Text:", response.text)
+ print("-" * 60)
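Review bot: The session token is hard-coded in `url` (the `?token=…` query parameter) next to seven captured `securePassthrough` request bodies, so session material from the capture is now in version control, and the token is sent in the query string over plain HTTP. Host and token are better read from the environment, e.g. `url = f"http://{os.environ['TAPO_HOST']}/app?token={os.environ['TAPO_TOKEN']}"` with `import os` (variable names here are examples), and the captured payloads kept in an untracked fixture file. The `requests.post(...)` call in the loop also sets no timeout, so an unreachable device blocks the script indefinitely; `requests.post(url, headers=headers, data=json.dumps(payload), timeout=10)` bounds it.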
diff --git a/backend/capture.pcap b/backend/capture.pcap new file mode 100644 index 0000000000000000000000000000000000000000..1ec8bc2c4eccc43ff8837df89900b46c6ed1d162 GIT binary patch literal 7322 zcmcIpeQZ-z6u)n;8~dn`!r%|$BBGlFG78K>7z^t*z){7GsRLvYNBi2zbBtdX)PF%7OhkvNxM+_`RA~=M<@FO5H0d+Wo(s|B(@9o{^?cUbzZQ&+B zdw(D2oO|B6Zx=rAIg&&yME!B55F)@o?kqm%yU<`ECGdA#(+9V1+Sm1Zw(Ezi)>N{Z z5Qn3TkYSsp=TrxgUZU=;5>90BGuV^7it(V*lb^gds(I1Kk z{F6G(6*6KcQQPje#!$OF@dLkr-f_*FSuksG8=^c6j|RpgAk`sG#Ar} zod_GZ#7TA3{Vqxdwlk{AtKYN-ZD?IdgP^e4wS zow)_Hk+>H3;OR_V0deqPEcTb+>Fj#J{%X9ZQ@E({@TU`bqP8>>curqRHpuJ1H<;Iq z3MH=|sNcJ4Ud_`m=dz{&^O{@0)Uy{g6bjZ!*6`gY8Du_K!==-ZLWES3Vj)SgCX9sq zIp!E2St*}tJ9U}jcY5T{5d(MHn4P+M=66!gtX9}5;m+C2&M`P8J!dwvllo{^Vm%6H zZaZ*#k<-rX9D~!V=UmS0L{3N4n9~sjP9JivVs?(f>C(8mg1z*O+6;?sTN~H0gRB2W_fo5LI;0aNq5qIp^ks=qDZm4blcPjA$ zDlRUD8%y$N42PH){tjQnS{jA*&S&FceP#MI13xeKp`V2dR6k3GWj_a*gEE?*({rYg zO`s4L7pcdk!-)LUS{1o=4*G}=(N2()!w=Qtj zJR=LUUqYh8L6xZdoNVEzH5ySY3x7dBo%?Xo$UR9;iTvE5T`_;rI_!#R9{{o!maqbA zDkpQsYqvCH{z`|q2N_&0G!!>#OHTmzBL+8y-Y2Qv>Ij@Q_rU>P&ip#Mc>(6osJW}4o?*DjxE;Bq_JyIUHdz-*>;JRq=c<-Hwc`M2Q zKkEHoyE%eab2QvyG+-XHTIG{XAFW>005``;)^PBcHAWv)ro(*uMLHcm1aY9#;qV{W z2Rq+bxnZn6_%7h`?~6vJ&Px>6rs5_xbz;3#y`$;p>V@iusWSon`vF(g&*8f4pdWBe z(BEzx|L@WoJ^@&DL3E`SUA6TrRKX*KBUZ4fdTi~E&xgJbb;YG21%N-P&;?`fQP zPDXBOw67y4jKL;zTDr8+n;Y4@Z7}(O&o3FD+W2o;Z9Kqe;CxdJ;Cqra%mfXize#L+ zmd4=%69+Bd3D?+4hLiJMiJaiuM9v}TBZs;OftT2Hap%2QN^;^zdlP)pJI1V5=z|Me z?q2&)>x1dlVSg@t$1Nq-`D<&d#p-aFUMCU%dN&~fz{kba({m+{VjNH0R^o`)s3G_w zUI9ko-uw6Xxl5TDFUIUhe!K%1wl+g^G0R^BxG*~=fcrc%-*B<2Z0y5W z?V@ioQL}D#Oqla5!-+MQtG