Login with curl on a page with javascript submit


What I'm trying to do is create a script that clears the call logs from some IP phones on our local network. These phones have a web interface that asks for a username and password through a very simple form (in this case admin:admin on the web interface at http://192.168.25.176/).

Here is the code of the login page:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<!-- Logon page of the phone's web interface, quoted as served. The visible controls only feed the inline script; the real submission is the hidden form further down. -->
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<!-- NOTE(review): maximum-scale=1.0 and user-scalable=0 stop the user from zooming the page. -->
<meta content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=0" name="viewport">
<link rel="stylesheet" type ="text/css" href="style.css">
<!-- xAjax, xCookie and xJSon are used by the inline script but not defined on this page; presumably they come from these three files. -->
<script language="javascript" type="text/javascript" src="comm.js"></script>
<script language="javascript" type="text/javascript" src="xmlUtil.js"></script>
<script language="javascript" type="text/javascript" src="cookieUtil.js"></script>
<title>Logon</title>
</head>

<!-- refreshpage() runs on load: it reloads the parent when a frame named "main" exists, then focuses the user field. -->
<body onload="refreshpage()" style="width:100%; background-color:#EEF6F8;">
<div class="logon_content">
        <div align="center" class="logon_div_tb">
                <table width="100%">
                        <tr>
                                <td align="right" width="100px"><font class="font4"><span id="XSTR_WZD_LBL_USR">User</span>:</font></td>
                                <!-- No name attribute and not inside any form: this value is never submitted by the browser, it is only read by encode(). -->
                                <td align="left"><input tabindex="2" type="text" id="username" style="width:120px"></td>
                        </tr>
                        <tr>
                                <td align="right"><font class="font4"><span id="XSTR_LBL_GEN_PWD">Password</span>:</font></td>
                                <!-- Same as the user field: the typed password is not posted; KeyDown() starts the login when Enter (keyCode 13) is pressed. -->
                                <td align="left"><input tabindex="2" type="password" id="password" style="width:120px" onkeydown="KeyDown(event)"></td>
                        </tr>
                        <tr>
                                <td align="right"><font class="font4"><span id="XSTR_WZD_LANG">Language</span>:</font></td>
                                <td align="left">
                                        <!-- Option values are the language codes that langChange() stores in the CUR_LANG and CUR_NEW_LANG cookies. -->
                                        <select tabindex="3" id="langSelect" onchange="langChange()" style="width:120px">
                                                <option value="en">English</option>
                                                <option value="cn">中文</option>
                                                <option value="tc">繁體中文</option>
                                                <option value="nl">Nederlands</option>
                                                <option value="fr">Français</option>
                                                <option value="ru">Русский</option>
                                                <option value="it">Italiano</option>
                                                <option value="es">Español</option>
                                                <option value="jp">日本語</option>
                                                <option value="bg">Български</option>
                                                <option value="slo">Slovenski</option>
                                                <option value="cat">Català</option>
                                                <option value="eus">Euskera</option>
                                                <option value="de">Deutsch</option>
                                                <option value="pt">Português</option>
                                                <option value="cz">Czech</option>
                                                <option value="gl">Gallego</option>
                                                <option value="in">Indonesia</option>
                                                <option value="ma">Malay</option>
                                                <option value="hu">Magyar</option>
                                                <option value="ar">العربية</option>
                                                <option value="uk">Український</option>
                                                <option value="tr">Türkçe</option>
                                                <option value="he">עברית</option>
                                                <option value="pl">Polski</option>
                                                <option value="pe">فارسی</option>
                                                </select>
                                </td>
                        </tr>
                        <tr>
                                <td></td>
                                <!-- type="button", so a click submits nothing by itself; reqNonce() requests a nonce and the script then fills and submits the hidden form. -->
                                <td><input id="logonButton" type="button" lang="XSTR_LBL_GEN_LOGON" value="Logon" onClick="reqNonce()" class="btninput" tabindex="4"></td>
                        </tr>
                </table>
        </div>

        <!-- The only data actually posted: "encoded" (set by encode() to username ":" digest) and ReturnPage. There is no action attribute, so the POST targets the page's own URL. -->
        <form method="POST" id="login">
        <input type="hidden" id="encoded" name="encoded">
        <input type="hidden" name="ReturnPage" value="/">
        </form>

        <br /><br /><br /><br />
        <!-- Hidden by default; the inline script shows it, or replaces its content, when a logon or server error is reported. -->
        <div style="color:red; display:none;" id="errorMsg">
                <p><span id="XSTR_HLP_AUTH_ERROR">User Name or Password Error!</span></p>
        </div>
</div>
</body>

<script language="javascript" type="text/javascript" defer="defer">
// Page start-up: pick the UI language, show a status message if one applies,
// then fetch the translation table. xCookie, xJSon and xAjax are not defined in
// this script; presumably they come from the external .js files the page loads.
var xmlHttp = null;                 // request object of the pending nonce fetch (set in reqNonce)
var langCookie = new xCookie();
var langSel = document.getElementById("langSelect");
var scrnlang = "it";                // presumably filled in by the device when it serves the page (TODO confirm)
var selLang;
var cookLang = langCookie.getCookie("CUR_LANG");

// Both branches leave selLang equal to scrnlang; the cookie is only rewritten
// when it is missing or holds a different language.
if(cookLang != null && cookLang == scrnlang)
{
        selLang =  cookLang;
}
else
{
        selLang = scrnlang;
        langCookie.setCookie("CUR_LANG", selLang, 365);
}

// NOTE(review): "!" binds tighter than ">=", so this compares a boolean with 0
// and is always true; the loop below therefore always runs. The intent looks
// like !(selLang >= 0), i.e. "selLang is a language code, not an index" (confirm).
if (!(selLang) >= 0) {
        for (i=0; i<langSel.options.length; i++) {
                if (langSel.options[i].value == selLang) {
                        langSel.options[i].selected  = true;
                        break;
                }
        }
}
// The literal "0" matches neither 5 nor 6, so as served here no message is shown.
// Presumably the device substitutes a status code in that literal (5 shows the
// existing error text, 6 the "phone is busy" text and disables the button).
if (parseInt("0") == 5)         document.getElementById("errorMsg").style.display = "";
else if (parseInt("0") == 6) {
        var errorMsg = document.getElementById("errorMsg");
        document.getElementById("logonButton").disabled="disabled";
        document.getElementById("username").focus();
        errorMsg.innerHTML = "<p><span id='XSTR_LBL_ALERT_PHONE_BUSY'>Sorry, the phone is busy now, please try again later!</span></p>";
        errorMsg.style.display = "";
}
if (window.focus)                                                       self.focus();

//-----------------------multi-lang---------------------------------
var gStrList = new Array();         // translated strings, filled by xmlHookFun as gStrList[row][languageColumn]
var gStrId   = new xJSon();         // string id -> row index in gStrList
var gLangId  = new xJSon();         // language code -> column index in gStrList
// Fetches the string table with xmlHookFun as the callback. The "now" parameter
// changes on every call (presumably to defeat caching), and the third argument
// is presumably xAjax's async flag (false here, true in reqNonce) - confirm in xAjax.
var docAjax  = new xAjax("GET", "xstr_list.xst?now=" + new Date().getTime(), false, xmlHookFun);
var xstrHttp = docAjax.xmlHttp;
docAjax.send(null);

/**
 * Callback of the string-table request (xstr_list.xst).
 *
 * Once the response is complete and has status 200, the body is read as
 * CRLF-separated rows of tab-separated cells. Row 0 is the header: its cells
 * from column 1 on are registered in gLangId as language -> column index.
 * Every later non-empty row registers its first cell in gStrId (string id ->
 * row index) and stores the remaining cells in gStrList. The page is then
 * translated with gTranslate(selLang).
 */
function xmlHookFun() {
        // Nothing to do until the request exists, has finished and succeeded.
        if (xstrHttp == null || 4 != xstrHttp.readyState || 200 != xstrHttp.status) return;

        var lines = xstrHttp.responseText.split("\r\n");
        var width = lines[0].split("\t").length;

        gLangId.addItem("MAX_COLS", width - 1);
        for (var r = 0; r < lines.length; r++) {
                if (!lines[r]) continue;                // skip empty rows
                var cells = lines[r].split("\t");
                if (r == 0) {
                        // Header row: its first cell is registered under index -1,
                        // the remaining cells become the language columns.
                        gStrId.addItem(cells[0], r - 1);
                        for (var h = 1; h < width; h++) gLangId.addItem(cells[h], h - 1);
                        continue;
                }
                gStrList[r - 1] = new Array();
                gStrId.addItem(cells[0], r - 1);
                for (var c = 1; c < width; c++) gStrList[r - 1][c - 1] = cells[c];
        }

        // Only taken when selLang compares as a number >= 0 (a column index
        // rather than a language code).
        if (selLang >= 0) {
                for (var k = 0; k < langSel.options.length; k++) {
                        if (gLangId.getItem(langSel.options[k].value) == selLang) {
                                langSel.options[k].selected = true;
                                flag = true;            // undeclared global, not read anywhere in this script
                                break;
                        }
                }
                langChange();
        }
        gTranslate(selLang);
}

/**
 * Replaces the page's texts with their translation for langId.
 *
 * Every <span> with a non-empty id, and every submit/button <input> with a
 * non-empty lang attribute, uses that id/lang as a key into the string table
 * (gStrId -> row, gLangId -> column of gStrList). A missing or empty entry
 * leaves the element untouched.
 *
 * NOTE(review): span texts are assigned through innerHTML, so table entries
 * are parsed as markup. The table is filled from the xstr_list.xst response.
 */
function gTranslate(langId) {
        // Translated text for a string-table key, or null when there is none.
        function translated(key) {
                var row = gStrId.getItem(key);
                if (row == null) return null;
                var text = gStrList[row][gLangId.getItem(langId)];
                if (text != null && typeof(text) != "undefined" && text.length > 0) return text;
                return null;
        }

        var spans = document.getElementsByTagName("span");
        var inps  = document.getElementsByTagName("input");

        for (var s = 0; s < spans.length; s++) {
                var spanKey = spans[s].id;
                if (spanKey.length > 0) {
                        var spanText = translated(spanKey);
                        if (spanText != null) spans[s].innerHTML = spanText;
                }
        }

        for (var n = 0; n < inps.length; n++) {
                var kind = inps[n].getAttribute("type");
                if (kind != "submit" && kind != "button") continue;
                var labelKey = inps[n].lang;
                if (labelKey.length > 0) {
                        var label = translated(labelKey);
                        if (label != null) inps[n].value = label;
                }
        }
}
//-----------------------end of multi-lang--------------------------

/**
 * First step of the logon: requests a nonce from the device.
 *
 * Issues a GET for "key==nonce" with a changing "now" parameter and registers
 * getNonce as the callback. The request object is kept in the global xmlHttp
 * so that getNonce can read the response.
 */
function reqNonce() {
        var nonceUrl = "key==nonce?now=" + new Date().getTime();
        var request = new xAjax("GET", nonceUrl, true, getNonce);
        request.send(null);
        xmlHttp = request.xmlHttp;
}

/**
 * Callback of the nonce request started by reqNonce().
 *
 * On a completed response with status 200, the first 16 characters of the
 * body are taken as the nonce, stored in the "auth" cookie and passed to
 * encode(), which builds and submits the logon form. Any other status shows
 * the "Server Too Busy!" message instead.
 */
function getNonce() {
        if (xmlHttp == null || 4 != xmlHttp.readyState) return;

        if (200 != xmlHttp.status) {
                var box = document.getElementById("errorMsg");
                document.getElementById("username").focus();
                box.innerHTML = "<p><span id='XSTR_LBL_GEN_BAD_SVR'>Server Too Busy!</span></p>";
                box.style.display = "";
                return;
        }

        var jar = new xCookie();
        var challenge = xmlHttp.responseText.substring(0, 16);
        // The same value goes into the cookie and into the digest, so the POST
        // carries the nonce (cookie) next to the digest computed from it.
        jar.setCookie("auth", challenge, 1);
        encode(challenge);
}

/**
 * onkeydown handler of the password field: pressing Enter (keyCode 13)
 * starts the logon in the same way as the Logon button.
 */
function KeyDown(event) {
        if (event.keyCode != 13) return;
        // Flag the event as handled before starting the nonce request.
        event.returnValue = false;
        event.cancel = true;
        reqNonce();
}

/**
 * onchange handler of the language <select>: stores the chosen language in
 * the CUR_LANG and CUR_NEW_LANG cookies and re-translates the page.
 */
function langChange() {
        var newLangJar = new xCookie();
        var chosen = langSel.value;
        langCookie.setCookie("CUR_LANG", chosen, 365);
        newLangJar.setCookie("CUR_NEW_LANG", chosen, 365);
        gTranslate(chosen);
}

/**
 * onload handler of the page. When the top window's frame set has a frame
 * named "main", the parent location is re-assigned to itself (which reloads
 * it); in every case the user-name field then receives the focus.
 */
function refreshpage() {
        var framed = window.top.parent.frames["main"] != null;
        if (framed) parent.location.href = parent.location.href;
        document.getElementById("username").focus();
}
//---------------------------------------------------
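/**
 * Constructor for a zero-filled, fixed-length numeric buffer (call with "new").
 * Sets this[0..n-1] to 0 and this.length to n.
 *
 * The loop counter is declared locally; the original assigned to an
 * undeclared "i", which created a global and fails in strict mode.
 */
function array(n) {
        var i;
        for (i = 0; i < n; i++) this[i] = 0;
        this.length = n;
}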

/**
 * Reduces n modulo 2^32 with the "%" operator, so the sign of n is kept.
 * The arithmetic helpers below call this on every operand.
 */
function integer(n) {
        var modulus = 0x100000000;      // 2^32, i.e. 0xffffffff + 1
        return n % modulus;
}

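/**
 * Logical right shift of a by b bits on values up to 2^32 - 1, returning a
 * non-negative number (the built-in ">>" treats bit 31 as a sign bit).
 *
 * When bit 31 is set it is removed before shifting and added back at its
 * shifted position, 2^(31 - b). For b == 0 the original computed that
 * position as 0x40000000 >> -1, which is 0, so the top bit was lost; the
 * callers in this script that pass b == 0 mask the result with 0xff and were
 * not affected, but the value returned is now correct for b == 0 as well.
 */
function shr(a, b) {
        a = integer(a);
        b = integer(b);
        if (a - 0x80000000 >= 0) {
                a = a % 0x80000000;
                a >>= b;
                // re-insert the former bit 31 at its new position
                a += (b == 0) ? 0x80000000 : 0x40000000 >> (b - 1);
        } else {
                a >>= b;
        }
        return a;
}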

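/**
 * Shifts a left by one bit within 32 bits: bit 31 is dropped and the result
 * is returned as a non-negative number.
 *
 * The original tested "a & 0x40000000 == 0x40000000", which parses as
 * a & (0x40000000 == 0x40000000), i.e. a & 1, and then took one of two
 * branches that both evaluate to twice the reduced value. The misleading
 * conditional is removed; results for integer inputs are unchanged.
 */
function shl1(a) {
        return (a % 0x80000000) * 2;
}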

/**
 * Shifts a left by b bits within 32 bits by applying shl1() b times.
 * Both operands are first reduced with integer().
 */
function shl(a, b) {
        var value = integer(a);
        var remaining = integer(b);
        while (remaining > 0) {
                value = shl1(value);
                remaining--;
        }
        return value;
}

/**
 * Bitwise AND on values up to 2^32 - 1 with a non-negative result.
 * Bit 31 is handled arithmetically because the built-in "&" returns a signed
 * 32-bit value: it is stripped from each operand that has it and added back
 * only when both operands had it.
 */
function and(a, b) {
        a = integer(a);
        b = integer(b);
        var aLow = a - 0x80000000;      // a without bit 31 (negative when the bit was clear)
        var bLow = b - 0x80000000;
        var aTop = aLow >= 0;
        var bTop = bLow >= 0;

        if (aTop && bTop) return (aLow & bLow) + 0x80000000;
        if (aTop) return aLow & b;
        if (bTop) return a & bLow;
        return a & b;
}

/**
 * Bitwise OR on values up to 2^32 - 1 with a non-negative result.
 * Bit 31 is stripped from each operand that has it, and added back whenever
 * at least one operand had it.
 */
function or(a, b) {
        a = integer(a);
        b = integer(b);
        var aLow = a - 0x80000000;      // a without bit 31 (negative when the bit was clear)
        var bLow = b - 0x80000000;
        var aTop = aLow >= 0;
        var bTop = bLow >= 0;

        if (aTop && bTop) return (aLow | bLow) + 0x80000000;
        if (aTop) return (aLow | b) + 0x80000000;
        if (bTop) return (a | bLow) + 0x80000000;
        return a | b;
}

/**
 * Bitwise XOR on values up to 2^32 - 1 with a non-negative result.
 * Bit 31 is stripped from each operand that has it, and added back only when
 * exactly one operand had it.
 */
function xor(a, b) {
        a = integer(a);
        b = integer(b);
        var aLow = a - 0x80000000;      // a without bit 31 (negative when the bit was clear)
        var bLow = b - 0x80000000;
        var aTop = aLow >= 0;
        var bTop = bLow >= 0;

        if (aTop && bTop) return aLow ^ bLow;
        if (aTop) return (aLow ^ b) + 0x80000000;
        if (bTop) return (a ^ bLow) + 0x80000000;
        return a ^ b;
}

/**
 * Bitwise complement within 32 bits, computed as 0xffffffff minus the
 * reduced operand so that the result is not a signed value.
 */
function not(a) {
        return 0xffffffff - integer(a);
}

/* Here begin the real algorithm */
// Working storage shared by init(), update(), transform() and finish().
var state = new array(4);               // four chaining words
var count = new array(2);               // bit count: [0] low part, [1] carry part
count[0] = 0;
count[1] = 0;
var buffer = new array(64);             // bytes of the block being collected
var transformBuffer = new array(16);    // the block decoded into 16 words
var digestBits = new array(16);         // digest bytes written by finish()

// Rotation amounts used by the four rounds of transform().
var S11 = 7;
var S12 = 12;
var S13 = 17;
var S14 = 22;
var S21 = 5;
var S22 = 9;
var S23 = 14;
var S24 = 20;
var S31 = 4;
var S32 = 11;
var S33 = 16;
var S34 = 23;
var S41 = 6;
var S42 = 10;
var S43 = 15;
var S44 = 21;

/** Round 1 mixing function: (x AND y) OR (NOT x AND z). */
function F(x, y, z) {
        var fromY = and(x, y);
        var fromZ = and(not(x), z);
        return or(fromY, fromZ);
}

/** Round 2 mixing function: (x AND z) OR (y AND NOT z). */
function G(x, y, z) {
        var fromX = and(x, z);
        var fromY = and(y, not(z));
        return or(fromX, fromY);
}

/** Round 3 mixing function: x XOR y XOR z. */
function H(x, y, z) {
        var xy = xor(x, y);
        return xor(xy, z);
}

/** Round 4 mixing function: y XOR (x OR NOT z). */
function I(x, y, z) {
        var xOrNotZ = or(x, not(z));
        return xor(y, xOrNotZ);
}

/**
 * Rotates the 32-bit value a left by n bits: the bits shifted out on the
 * left by shl() are OR-ed with the same value shifted right by 32 - n.
 */
function rotateLeft(a, n) {
        var high = shl(a, n);
        var low = shr(a, (32 - n));
        return or(high, low);
}

/**
 * One round-1 step: adds F(b, c, d), the message word x and the constant ac
 * to a, rotates the sum left by s bits and adds b.
 */
function FF(a, b, c, d, x, s, ac) {
        var mixed = a + F(b, c, d) + x + ac;
        return rotateLeft(mixed, s) + b;
}

/**
 * One round-2 step: adds G(b, c, d), the message word x and the constant ac
 * to a, rotates the sum left by s bits and adds b.
 */
function GG(a, b, c, d, x, s, ac) {
        var mixed = a + G(b, c, d) + x + ac;
        return rotateLeft(mixed, s) + b;
}

/**
 * One round-3 step: adds H(b, c, d), the message word x and the constant ac
 * to a, rotates the sum left by s bits and adds b.
 */
function HH(a, b, c, d, x, s, ac) {
        var mixed = a + H(b, c, d) + x + ac;
        return rotateLeft(mixed, s) + b;
}

/**
 * One round-4 step: adds I(b, c, d), the message word x and the constant ac
 * to a, rotates the sum left by s bits and adds b.
 */
function II(a, b, c, d, x, s, ac) {
        var mixed = a + I(b, c, d) + x + ac;
        return rotateLeft(mixed, s) + b;
}

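/**
 * Processes one 64-byte block and folds it into the global state[0..3].
 *
 * The 64 bytes starting at buf[offset] are decoded into 16 words, lowest
 * byte first, in transformBuffer. Four rounds of 16 steps (FF, GG, HH, II)
 * are then applied to copies of the state words, and the results are added
 * back to state. The sums are not reduced here; the bit helpers reduce their
 * operands with integer() when the words are used again.
 *
 * The loop counters are declared locally; the original assigned to
 * undeclared "i" and "j", which created globals shared with other functions.
 *
 * @param buf    byte buffer holding the block
 * @param offset index of the block's first byte in buf
 */
function transform(buf, offset) {
        var a=0, b=0, c=0, d=0;
        var i, j;
        var x = transformBuffer;
        a = state[0];
        b = state[1];
        c = state[2];
        d = state[3];
        // decode 4 bytes per word, byte j contributing at bit position j * 8
        for (i=0; i<16; i++) {
                x[i] = and(buf[i * 4 + offset], 0xff);
                for (j = 1; j < 4; j++) x[i]+=shl(and(buf[i*4+j+offset] ,0xff), j * 8);
        }

        /* Round 1 */
        a = FF ( a, b, c, d, x[ 0], S11, 0xd76aa478); /* 1 */
        d = FF ( d, a, b, c, x[ 1], S12, 0xe8c7b756); /* 2 */
        c = FF ( c, d, a, b, x[ 2], S13, 0x242070db); /* 3 */
        b = FF ( b, c, d, a, x[ 3], S14, 0xc1bdceee); /* 4 */
        a = FF ( a, b, c, d, x[ 4], S11, 0xf57c0faf); /* 5 */
        d = FF ( d, a, b, c, x[ 5], S12, 0x4787c62a); /* 6 */
        c = FF ( c, d, a, b, x[ 6], S13, 0xa8304613); /* 7 */
        b = FF ( b, c, d, a, x[ 7], S14, 0xfd469501); /* 8 */
        a = FF ( a, b, c, d, x[ 8], S11, 0x698098d8); /* 9 */
        d = FF ( d, a, b, c, x[ 9], S12, 0x8b44f7af); /* 10 */
        c = FF ( c, d, a, b, x[10], S13, 0xffff5bb1); /* 11 */
        b = FF ( b, c, d, a, x[11], S14, 0x895cd7be); /* 12 */
        a = FF ( a, b, c, d, x[12], S11, 0x6b901122); /* 13 */
        d = FF ( d, a, b, c, x[13], S12, 0xfd987193); /* 14 */
        c = FF ( c, d, a, b, x[14], S13, 0xa679438e); /* 15 */
        b = FF ( b, c, d, a, x[15], S14, 0x49b40821); /* 16 */
        /* Round 2 */
        a = GG ( a, b, c, d, x[ 1], S21, 0xf61e2562); /* 17 */
        d = GG ( d, a, b, c, x[ 6], S22, 0xc040b340); /* 18 */
        c = GG ( c, d, a, b, x[11], S23, 0x265e5a51); /* 19 */
        b = GG ( b, c, d, a, x[ 0], S24, 0xe9b6c7aa); /* 20 */
        a = GG ( a, b, c, d, x[ 5], S21, 0xd62f105d); /* 21 */
        d = GG ( d, a, b, c, x[10], S22, 0x2441453); /* 22 */
        c = GG ( c, d, a, b, x[15], S23, 0xd8a1e681); /* 23 */
        b = GG ( b, c, d, a, x[ 4], S24, 0xe7d3fbc8); /* 24 */
        a = GG ( a, b, c, d, x[ 9], S21, 0x21e1cde6); /* 25 */
        d = GG ( d, a, b, c, x[14], S22, 0xc33707d6); /* 26 */
        c = GG ( c, d, a, b, x[ 3], S23, 0xf4d50d87); /* 27 */
        b = GG ( b, c, d, a, x[ 8], S24, 0x455a14ed); /* 28 */
        a = GG ( a, b, c, d, x[13], S21, 0xa9e3e905); /* 29 */
        d = GG ( d, a, b, c, x[ 2], S22, 0xfcefa3f8); /* 30 */
        c = GG ( c, d, a, b, x[ 7], S23, 0x676f02d9); /* 31 */
        b = GG ( b, c, d, a, x[12], S24, 0x8d2a4c8a); /* 32 */
        /* Round 3 */
        a = HH ( a, b, c, d, x[ 5], S31, 0xfffa3942); /* 33 */
        d = HH ( d, a, b, c, x[ 8], S32, 0x8771f681); /* 34 */
        c = HH ( c, d, a, b, x[11], S33, 0x6d9d6122); /* 35 */
        b = HH ( b, c, d, a, x[14], S34, 0xfde5380c); /* 36 */
        a = HH ( a, b, c, d, x[ 1], S31, 0xa4beea44); /* 37 */
        d = HH ( d, a, b, c, x[ 4], S32, 0x4bdecfa9); /* 38 */
        c = HH ( c, d, a, b, x[ 7], S33, 0xf6bb4b60); /* 39 */
        b = HH ( b, c, d, a, x[10], S34, 0xbebfbc70); /* 40 */
        a = HH ( a, b, c, d, x[13], S31, 0x289b7ec6); /* 41 */
        d = HH ( d, a, b, c, x[ 0], S32, 0xeaa127fa); /* 42 */
        c = HH ( c, d, a, b, x[ 3], S33, 0xd4ef3085); /* 43 */
        b = HH ( b, c, d, a, x[ 6], S34, 0x4881d05); /* 44 */
        a = HH ( a, b, c, d, x[ 9], S31, 0xd9d4d039); /* 45 */
        d = HH ( d, a, b, c, x[12], S32, 0xe6db99e5); /* 46 */
        c = HH ( c, d, a, b, x[15], S33, 0x1fa27cf8); /* 47 */
        b = HH ( b, c, d, a, x[ 2], S34, 0xc4ac5665); /* 48 */
        /* Round 4 */
        a = II ( a, b, c, d, x[ 0], S41, 0xf4292244); /* 49 */
        d = II ( d, a, b, c, x[ 7], S42, 0x432aff97); /* 50 */
        c = II ( c, d, a, b, x[14], S43, 0xab9423a7); /* 51 */
        b = II ( b, c, d, a, x[ 5], S44, 0xfc93a039); /* 52 */
        a = II ( a, b, c, d, x[12], S41, 0x655b59c3); /* 53 */
        d = II ( d, a, b, c, x[ 3], S42, 0x8f0ccc92); /* 54 */
        c = II ( c, d, a, b, x[10], S43, 0xffeff47d); /* 55 */
        b = II ( b, c, d, a, x[ 1], S44, 0x85845dd1); /* 56 */
        a = II ( a, b, c, d, x[ 8], S41, 0x6fa87e4f); /* 57 */
        d = II ( d, a, b, c, x[15], S42, 0xfe2ce6e0); /* 58 */
        c = II ( c, d, a, b, x[ 6], S43, 0xa3014314); /* 59 */
        b = II ( b, c, d, a, x[13], S44, 0x4e0811a1); /* 60 */
        a = II ( a, b, c, d, x[ 4], S41, 0xf7537e82); /* 61 */
        d = II ( d, a, b, c, x[11], S42, 0xbd3af235); /* 62 */
        c = II ( c, d, a, b, x[ 2], S43, 0x2ad7d2bb); /* 63 */
        b = II ( b, c, d, a, x[ 9], S44, 0xeb86d391); /* 64 */
        // fold the block's result into the chaining state
        state[0] += a;
        state[1] += b;
        state[2] += c;
        state[3] += d;
}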

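/**
 * Resets the digest computation: clears the bit count, loads the four
 * initial state words and zeroes digestBits.
 *
 * The loop counter is declared locally; the original assigned to an
 * undeclared "i", which created a global.
 */
function init() {
        var i;
        count[0] = count[1] = 0;
        state[0] = 0x67452301;
        state[1] = 0xefcdab89;
        state[2] = 0x98badcfe;
        state[3] = 0x10325476;
        for (i = 0; i < digestBits.length; i++) digestBits[i] = 0;
}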

/**
 * Feeds one byte into the digest.
 *
 * The byte's position in the 64-byte buffer is derived from the bit count as
 * it was before this byte. The count is then advanced by 8 bits, carrying
 * into count[1] when count[0] would pass 2^32 - 1. When the byte fills the
 * last position (63), the buffer is processed with transform().
 *
 * @param b byte value; only its low 8 bits are stored
 */
function update(b) {
        var slot = and(shr(count[0], 3), 0x3f);

        if (!(count[0] < 0xffffffff - 7)) {
                // low part would overflow: carry and wrap it
                count[1]++;
                count[0] -= 0xffffffff + 1;
        }
        count[0] += 8;

        buffer[slot] = and(b, 0xff);
        if (slot >= 63) transform(buffer, 0);
}

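/**
 * Completes the digest: pads the message and writes the 16 digest bytes to
 * digestBits.
 *
 * The bit count is saved first as 8 bytes (count[0] then count[1], lowest
 * byte first). Padding of one 0x80 byte followed by zeros is fed through
 * update() until the buffer position is 56, then the 8 length bytes are fed.
 * Finally each state word is split into 4 bytes, lowest byte first.
 *
 * The inner loop counter "j" is declared locally; the original assigned to
 * an undeclared "j", which created a global.
 */
function finish() {
        var bits = new array(8);
        var padding;
        var i=0, j=0, index=0, padLen=0;
        for (i=0; i<4; i++)             bits[i] = and(shr(count[0],(i * 8)), 0xff);
        for (i=0; i<4; i++)             bits[i + 4] = and(shr(count[1],(i * 8)), 0xff);
        index = and(shr(count[0], 3) ,0x3f);
        // pad up to position 56 of this block, or of the next one when already past it
        padLen = (index < 56) ? (56 - index) : (120 - index);
        padding = new array(64);        // zero-filled by the constructor
        padding[0] = 0x80;
        for (i=0; i<padLen; i++)        update(padding[i]);
        for (i=0; i<8; i++)             update(bits[i]);
        for (i=0; i<4; i++) {
                for (j=0; j<4; j++) {
                        digestBits[i * 4 + j] = and(shr(state[i], (j * 8)) , 0xff);
                }
        }
}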
/* End of the MD5 algorithm */

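/**
 * Formats n as exactly 8 lower-case hexadecimal digits, most significant
 * digit first.
 *
 * The loop counter is declared locally; the original assigned to an
 * undeclared "hexa_i", which created a global.
 *
 * @param n value of one 32-bit word
 * @returns 8-character hex string
 */
function hexa(n) {
        var digits = "0123456789abcdef";
        var out = "";
        var rest = n;
        for (var pos = 0; pos < 8; pos++) {
                out = digits.charAt(Math.abs(rest) % 16) + out;
                rest = Math.floor(rest / 16);
        }
        return out;
}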

// Character table used by md5() to turn a character into a byte value via
// ascii.lastIndexOf(). The first 32 characters are digit placeholders that fill
// positions 0-31, so that from the space character (position 32) on, each
// character's position equals its ASCII code; because lastIndexOf() is used,
// the digits themselves still resolve to positions 48-57.
// NOTE(review): a character that is not in this table yields -1 from
// lastIndexOf(); see md5() for how that value is then fed to the digest.
var ascii = "01234567890123456789012345678901"
                  + " !\"#" + '\$'
                  + "%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                  + "[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~";

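/**
 * Returns the digest of the string entree as 32 lower-case hex characters.
 *
 * Each character is converted to a byte through the ascii table and fed to
 * update(); finish() then produces the 16 digest bytes, which are grouped
 * into four words and printed so that digestBits[0] comes first.
 *
 * NOTE(review): the initial values and step constants look like standard
 * MD5, but the character mapping is table-based: a character absent from
 * the table gives lastIndexOf() == -1, which update() masks to 0xff, so all
 * such characters (for example non-ASCII ones) are hashed as the same byte.
 *
 * The word-assembly loop counter is declared locally; the original assigned
 * to an undeclared "i", which created a global.
 *
 * @param entree text to hash
 * @returns 32-character hex digest
 */
function md5(entree) {
        var i, k, ka, kb, kc, kd;
        init();
        for (k = 0; k < entree.length; k++) {
                update(ascii.lastIndexOf(entree.charAt(k)));
        }
        finish();
        ka = kb = kc = kd = 0;
        for (i = 0; i < 4; i++)   ka += shl(digestBits[15 - i], (i * 8));
        for (i = 4; i < 8; i++)   kb += shl(digestBits[15 - i], ((i - 4) * 8));
        for (i = 8; i < 12; i++)  kc += shl(digestBits[15 - i], ((i - 8) * 8));
        for (i = 12; i < 16; i++) kd += shl(digestBits[15 - i], ((i - 12) * 8));
        return hexa(kd) + hexa(kc) + hexa(kb) + hexa(ka);
}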

/**
 * Final step of the logon: fills the hidden "encoded" field and submits the
 * "login" form.
 *
 * The field is set to  username ":" md5(username ":" password ":" nonce),
 * so the typed password itself is not part of the POST; the digest changes
 * with the nonce obtained by reqNonce()/getNonce().
 *
 * NOTE(review): the digest is a single MD5 over the password and a nonce
 * that travels in the "auth" cookie of the same request, so it protects the
 * password only as far as the transport does; the question's URL is http://.
 *
 * @param nonce the 16-character value taken from the nonce response
 */
function encode(nonce) {
        var user = document.getElementById("username").value;
        var pass = document.getElementById("password").value;
        var digest = md5(user + ":" + pass + ":" + nonce);
        document.getElementById("encoded").value = user + ":" + digest;
        document.getElementById("login").submit();
}
</script>
</html>

As you can see, after the closing body tag there is JavaScript that transforms the entered data using a sort of "time-based hash" for security; I think it starts after the commented line

 /* Here begin the real algorithm */

So if I copy the curl command from Chrome's inspector, I get something like this:

# Logon POST as captured by Chrome's "Copy as cURL": one fixed request, not a reusable login.
# - The "auth" cookie carries the nonce that getNonce() in the page script stored for this attempt.
# - "encoded" is username ":" digest as built by encode(); the digest was computed from that same nonce.
# - --insecure only relaxes TLS certificate checks, so it has no effect on this http:// URL.
curl 'http://192.168.25.176/' -H 'Connection: keep-alive' -H 'Cache-Control: max-age=0' -H 'Origin: http://192.168.25.176' -H 'Upgrade-Insecure-Requests: 1' -H 'Content-Type: application/x-www-form-urlencoded' -H 'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3' -H 'Referer: http://192.168.25.176/' -H 'Accept-Encoding: gzip, deflate' -H 'Accept-Language: it-IT,it;q=0.9,en-US;q=0.8,en;q=0.7' -H 'Cookie: CTCPgSz=10; CUR_LANG=it; CUR_NEW_LANG=it; CLogPgSz=10; auth=c0a8194f002099a2' --data 'encoded=admin%3Ac087f3ff091daaf5d8ddcaf0d17fac4f&ReturnPage=%2F' --compressed --insecure

But obviously this will always return the login page, because the string

'encoded=admin%3Ac087f3ff091daaf5d8ddcaf0d17fac4f&ReturnPage=%2F'

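is generated by the Chrome session and not by the curl command: in the page's script, encode() builds it as username:md5(username:password:nonce), using the nonce that getNonce() has just fetched and stored in the auth cookie. Any suggestions for how to run my input data through the JavaScript before the curl command, from my command line? Many thanks.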

javascript
forms
authentication
curl
post
