我想创建一个脚本,用来清除本地网络中某些IP电话的通话记录。这些电话带有Web界面,该界面通过一个非常简单的表单要求输入用户名和密码(在本例中为Web界面http://192.168.25.176/上的admin:admin)。
以下是登录页面的代码:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=0" name="viewport">
<link rel="stylesheet" type ="text/css" href="style.css">
<script language="javascript" type="text/javascript" src="comm.js"></script>
<script language="javascript" type="text/javascript" src="xmlUtil.js"></script>
<script language="javascript" type="text/javascript" src="cookieUtil.js"></script>
<title>Logon</title>
</head>
<body onload="refreshpage()" style="width:100%; background-color:#EEF6F8;">
<div class="logon_content">
<div align="center" class="logon_div_tb">
<table width="100%">
<tr>
<td align="right" width="100px"><font class="font4"><span id="XSTR_WZD_LBL_USR">User</span>:</font></td>
<td align="left"><input tabindex="2" type="text" id="username" style="width:120px"></td>
</tr>
<tr>
<td align="right"><font class="font4"><span id="XSTR_LBL_GEN_PWD">Password</span>:</font></td>
<td align="left"><input tabindex="2" type="password" id="password" style="width:120px" onkeydown="KeyDown(event)"></td>
</tr>
<tr>
<td align="right"><font class="font4"><span id="XSTR_WZD_LANG">Language</span>:</font></td>
<td align="left">
<select tabindex="3" id="langSelect" onchange="langChange()" style="width:120px">
<option value="en">English</option>
<option value="cn">中文</option>
<option value="tc">繁體中文</option>
<option value="nl">Nederlands</option>
<option value="fr">Français</option>
<option value="ru">Русский</option>
<option value="it">Italiano</option>
<option value="es">Español</option>
<option value="jp">日本語</option>
<option value="bg">Български</option>
<option value="slo">Slovenski</option>
<option value="cat">Català</option>
<option value="eus">Euskera</option>
<option value="de">Deutsch</option>
<option value="pt">Português</option>
<option value="cz">Czech</option>
<option value="gl">Gallego</option>
<option value="in">Indonesia</option>
<option value="ma">Malay</option>
<option value="hu">Magyar</option>
<option value="ar">العربية</option>
<option value="uk">Український</option>
<option value="tr">Türkçe</option>
<option value="he">עברית</option>
<option value="pl">Polski</option>
<option value="pe">فارسی</option>
</select>
</td>
</tr>
<tr>
<td></td>
<td><input id="logonButton" type="button" lang="XSTR_LBL_GEN_LOGON" value="Logon" onClick="reqNonce()" class="btninput" tabindex="4"></td>
</tr>
</table>
</div>
<form method="POST" id="login">
<input type="hidden" id="encoded" name="encoded">
<input type="hidden" name="ReturnPage" value="/">
</form>
<br /><br /><br /><br />
<div style="color:red; display:none;" id="errorMsg">
<p><span id="XSTR_HLP_AUTH_ERROR">User Name or Password Error!</span></p>
</div>
</div>
</body>
<script language="javascript" type="text/javascript" defer="defer">
// Page start-up: pick the UI language, pre-select it in the drop-down and
// show an error banner if the page was served with an error status.
// Request handle for the nonce request; written by reqNonce(), read by getNonce().
var xmlHttp = null;
var langCookie = new xCookie();
var langSel = document.getElementById("langSelect");
// Language code present in the page as a literal; presumably filled in by the
// device when it serves the page (TODO confirm).
var scrnlang = "it";
var selLang;
var cookLang = langCookie.getCookie("CUR_LANG");
// Both branches leave selLang equal to scrnlang; the else branch also rewrites
// the CUR_LANG cookie (third argument 365, presumably a lifetime in days --
// confirm in cookieUtil.js).
if(cookLang != null && cookLang == scrnlang)
{
selLang = cookLang;
}
else
{
selLang = scrnlang;
langCookie.setCookie("CUR_LANG", selLang, 365);
}
// NOTE(review): `!` binds tighter than `>=`, so this compares a boolean with 0
// and is always true; the loop below runs on every page load.
if (!(selLang) >= 0) {
// `i` is not declared, so this loop creates/overwrites a global `i`.
for (i=0; i<langSel.options.length; i++) {
if (langSel.options[i].value == selLang) {
langSel.options[i].selected = true;
break;
}
}
}
// parseInt("0") is a literal in this copy of the page, so neither branch runs
// as shown. Presumably the device substitutes a status code when it re-serves
// the page (5 reveals the credential-error banner, 6 the "phone is busy"
// banner and disables the logon button) -- TODO confirm.
if (parseInt("0") == 5) document.getElementById("errorMsg").style.display = "";
else if (parseInt("0") == 6) {
var errorMsg = document.getElementById("errorMsg");
document.getElementById("logonButton").disabled="disabled";
document.getElementById("username").focus();
errorMsg.innerHTML = "<p><span id='XSTR_LBL_ALERT_PHONE_BUSY'>Sorry, the phone is busy now, please try again later!</span></p>";
errorMsg.style.display = "";
}
if (window.focus) self.focus();
//-----------------------multi-lang---------------------------------
// Translation tables filled in by xmlHookFun():
//   gStrList[row][col] holds the translated text,
//   gStrId maps a string id to its row, gLangId maps a language code to its column.
var gStrList = [];
var gStrId = new xJSon();
var gLangId = new xJSon();
// The string table is fetched with the third xAjax argument set to false
// (presumably "not asynchronous" -- confirm in comm.js/xmlUtil.js). The
// timestamp in the query string only makes each URL unique.
var docAjax = new xAjax(
  "GET",
  "xstr_list.xst?now=" + new Date().getTime(),
  false,
  xmlHookFun
);
// Must be assigned before send() so that xmlHookFun() can read the response.
var xstrHttp = docAjax.xmlHttp;
docAjax.send(null);
/*
 * Ready-state callback for the string-table request (xstr_list.xst).
 *
 * The response is parsed as CRLF-separated rows of TAB-separated columns:
 *   - row 0, columns 1..n : language codes, registered in gLangId as column indexes
 *   - column 0 of each row: string id, registered in gStrId as row index
 *     (row 0 / column 0 is registered with index -1)
 *   - remaining cells     : translated text, stored in gStrList[row-1][col-1]
 * Afterwards the page is translated with gTranslate(selLang).
 *
 * NOTE(review): the cells stored here are later written into the page with
 * innerHTML by gTranslate(), so the table is trusted as markup.
 */
function xmlHookFun() {
  if (xstrHttp == null) return;
  if (4 != xstrHttp.readyState) return;
  if (200 != xstrHttp.status) return;

  var lines = xstrHttp.responseText.split("\r\n");
  // The header row decides how many columns are read from every row.
  var columnCount = lines[0].split("\t").length;
  gLangId.addItem("MAX_COLS", columnCount - 1);

  var r, c, k, fields;
  for (r = 0; r < lines.length; r++) {
    if (!lines[r]) continue; // skip empty rows (e.g. after a trailing CRLF)
    fields = lines[r].split("\t");
    if (r != 0) gStrList[r - 1] = new Array();
    for (c = 0; c < columnCount; c++) {
      if (r == 0 && c != 0) {
        gLangId.addItem(fields[c], c - 1);
      } else if (c == 0) {
        gStrId.addItem(fields[c], r - 1);
      } else {
        gStrList[r - 1][c - 1] = fields[c];
      }
    }
  }

  // Only entered when selLang compares >= 0, i.e. when it is numeric; a
  // language code such as "it" converts to NaN and skips this part.
  if (selLang >= 0) {
    for (k = 0; k < langSel.options.length; k++) {
      if (gLangId.getItem(langSel.options[k].value) == selLang) {
        langSel.options[k].selected = true;
        flag = true; // `flag` is not declared in this script: implicit global
        break;
      }
    }
    langChange();
  }
  gTranslate(selLang);
}
/*
 * Replace the visible text of the page with the strings for `langId`.
 *
 * - every <span> with an id is looked up by that id and gets the text as innerHTML
 * - every <input type="submit"|"button"> is looked up by its `lang` attribute
 *   and gets the text as its value
 * Elements with no id/lang, with an unknown id, or with an empty translation
 * are left unchanged.
 *
 * NOTE(review): the translated text for spans is assigned with innerHTML, so
 * anything in the string table is interpreted as markup. If the table cannot
 * contain markup on purpose, textContent would be the safer sink -- confirm
 * against the contents of xstr_list.xst before changing it.
 */
function gTranslate(langId) {
  var spanList = document.getElementsByTagName("span");
  var inputList = document.getElementsByTagName("input");
  var s, n, key, row, text, kind;

  for (s = 0; s < spanList.length; s++) {
    key = spanList[s].id;
    if (!(key.length > 0)) continue;
    row = gStrId.getItem(key);
    if (row == null) continue;
    text = gStrList[row][gLangId.getItem(langId)];
    if (text != null && typeof(text) != "undefined" && text.length > 0) {
      spanList[s].innerHTML = text;
    }
  }

  for (n = 0; n < inputList.length; n++) {
    kind = inputList[n].getAttribute("type");
    if (kind != "submit" && kind != "button") continue;
    key = inputList[n].lang;
    if (!(key.length > 0)) continue;
    row = gStrId.getItem(key);
    if (row == null) continue;
    text = gStrList[row][gLangId.getItem(langId)];
    if (text != null && typeof(text) != "undefined" && text.length > 0) {
      inputList[n].value = text;
    }
  }
}
//-----------------------end of multi-lang--------------------------
/*
 * First step of the logon: ask the device for a nonce.
 *
 * The response is handled by getNonce(). The `now=` timestamp is only a query
 * parameter of this request; it is not part of the value hashed in encode().
 * The third xAjax argument is true here (presumably "asynchronous" -- confirm
 * in the helper scripts).
 */
function reqNonce() {
  var nonceRequest = new xAjax(
    "GET",
    "key==nonce?now=" + new Date().getTime(),
    true,
    getNonce
  );
  nonceRequest.send(null);
  // Publish the handle only after send(), as the original does.
  xmlHttp = nonceRequest.xmlHttp;
}
/*
 * Ready-state callback for the nonce request started by reqNonce().
 *
 * On HTTP 200 the first 16 characters of the response are taken as the nonce,
 * stored in the "auth" cookie (third argument 1, presumably a lifetime in
 * days -- confirm in cookieUtil.js) and passed to encode(), which submits the
 * form. Any other status shows the "Server Too Busy!" banner.
 *
 * NOTE(review): the nonce is used as received, without any format check, and
 * it travels over the same channel as the page. The example on this page uses
 * plain http://, where nonce, cookie and digest are readable on the network;
 * the interface should be reached over TLS or a trusted management network.
 */
function getNonce() {
  if (xmlHttp == null || 4 != xmlHttp.readyState) return;

  if (200 != xmlHttp.status) {
    var banner = document.getElementById("errorMsg");
    document.getElementById("username").focus();
    banner.innerHTML = "<p><span id='XSTR_LBL_GEN_BAD_SVR'>Server Too Busy!</span></p>";
    banner.style.display = "";
    return;
  }

  var jar = new xCookie();
  var challenge = xmlHttp.responseText.substring(0, 16);
  jar.setCookie("auth", challenge, 1);
  encode(challenge);
}
/*
 * keydown handler of the password field: Enter (keyCode 13) starts the logon
 * exactly like the Logon button, after suppressing the default key action via
 * the legacy returnValue/cancel properties.
 */
function KeyDown(event) {
  if (event.keyCode != 13) return;
  event.returnValue = false;
  event.cancel = true;
  reqNonce();
}
/*
 * onchange handler of the language drop-down: remember the selection in the
 * CUR_LANG and CUR_NEW_LANG cookies (third argument 365, presumably days) and
 * re-translate the page.
 */
function langChange() {
  var langNewCookie = new xCookie();
  var chosen = langSel.value;
  langCookie.setCookie("CUR_LANG", chosen, 365);
  langNewCookie.setCookie("CUR_NEW_LANG", chosen, 365);
  gTranslate(chosen);
}
/*
 * onload handler of <body>. If the logon page was loaded inside a frameset
 * that has a frame named "main", reload the parent so the logon page replaces
 * the frameset; then put the cursor into the user name field.
 */
function refreshpage() {
  var mainFrame = window.top.parent.frames["main"];
  if (mainFrame != null) {
    parent.location.href = parent.location.href;
  }
  document.getElementById("username").focus();
}
//---------------------------------------------------
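/*
 * Constructor for a zero-filled, fixed-length array-like object.
 * Call with `new array(n)`: indexes 0..n-1 are set to 0 and `length` to n.
 *
 * The loop counter is declared locally; the original assigned to an undeclared
 * `i`, which created a global shared with every other loop in the page and
 * throws a ReferenceError in strict-mode code.
 */
function array(n) {
  for (var i = 0; i < n; i++) this[i] = 0;
  this.length = n;
}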
/*
 * Reduce n modulo 2^32. Uses the % operator, so a negative n stays negative
 * and a non-integer keeps its fraction.
 */
function integer(n) {
  var twoPow32 = 0xffffffff + 1;
  return n % twoPow32;
}
/*
 * Unsigned 32-bit right shift of a by b bits, written without `>>>`.
 *
 * When bit 31 of a is set, the low 31 bits are shifted with `>>` and the
 * shifted position of bit 31 is added back separately.
 *
 * NOTE(review): for b == 0 the added term is 0x40000000 >> -1; JavaScript
 * masks the shift count to 31, so the term is 0 and bit 31 is dropped. The
 * calls in this file that pass 0 keep only the low 8 bits of the result.
 */
function shr(a, b) {
  var value = integer(a);
  var places = integer(b);
  if (!(value - 0x80000000 >= 0)) {
    return value >> places;
  }
  return ((value % 0x80000000) >> places) + (0x40000000 >> (places - 1));
}
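/*
 * Shift a left by one bit within 32 bits: bit 31 is discarded, the remaining
 * 31 bits are doubled. The result is a non-negative number below 2^32 for
 * non-negative input.
 *
 * The original tested `a & 0x40000000 == 0x40000000`. Because `==` binds
 * tighter than `&`, that expression is `a & 1` (it tests bit 0, not bit 30).
 * Both of its branches nevertheless evaluate to 2 * (a % 2^31), so the branch
 * is removed here and the result is unchanged for every input.
 */
function shl1(a) {
  return (a % 0x80000000) * 2;
}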
/*
 * 32-bit left shift of a by b bits, done as b single-bit shifts with shl1().
 */
function shl(a, b) {
  var value = integer(a);
  var places = integer(b);
  var done = 0;
  while (done < places) {
    value = shl1(value);
    done++;
  }
  return value;
}
/*
 * Bitwise AND of two values treated as unsigned 32-bit numbers.
 *
 * JavaScript's `&` yields a signed result, so bit 31 is split off first
 * (by subtracting 0x80000000) and added back only when both operands have it.
 */
function and(a, b) {
  var left = integer(a);
  var right = integer(b);
  var leftLow = left - 0x80000000;
  var rightLow = right - 0x80000000;
  var leftTop = leftLow >= 0;
  var rightTop = rightLow >= 0;

  if (leftTop && rightTop) return (leftLow & rightLow) + 0x80000000;
  if (leftTop) return leftLow & right;
  if (rightTop) return left & rightLow;
  return left & right;
}
/*
 * Bitwise OR of two values treated as unsigned 32-bit numbers.
 *
 * Bit 31 is split off each operand (by subtracting 0x80000000) so that `|`
 * only sees 31-bit values; it is added back when either operand had it.
 */
function or(a, b) {
  var left = integer(a);
  var right = integer(b);
  var leftLow = left - 0x80000000;
  var rightLow = right - 0x80000000;
  var leftTop = leftLow >= 0;
  var rightTop = rightLow >= 0;

  if (leftTop && rightTop) return (leftLow | rightLow) + 0x80000000;
  if (leftTop) return (leftLow | right) + 0x80000000;
  if (rightTop) return (left | rightLow) + 0x80000000;
  return left | right;
}
/*
 * Bitwise XOR of two values treated as unsigned 32-bit numbers.
 *
 * Bit 31 is split off each operand (by subtracting 0x80000000); it is added
 * back when exactly one operand had it and cancels when both had it.
 */
function xor(a, b) {
  var left = integer(a);
  var right = integer(b);
  var leftLow = left - 0x80000000;
  var rightLow = right - 0x80000000;
  var leftTop = leftLow >= 0;
  var rightTop = rightLow >= 0;

  if (leftTop && rightTop) return leftLow ^ rightLow;
  if (leftTop) return (leftLow ^ right) + 0x80000000;
  if (rightTop) return (left ^ rightLow) + 0x80000000;
  return left ^ right;
}
/*
 * Bitwise complement within 32 bits, computed as 0xffffffff minus the value
 * reduced modulo 2^32.
 */
function not(a) {
  var value = integer(a);
  var allOnes = 0xffffffff;
  return allOnes - value;
}
/* Here begin the real algorithm */
// Shared working storage of the MD5 routines below. All of it is global, so
// only one digest can be computed at a time.
var state = new array(4);            // the four 32-bit chaining words
var count = new array(2);            // message length in bits: [0] low word, [1] high word
count[0] = 0;
count[1] = 0;
var buffer = new array(64);          // bytes of the block currently being filled
var transformBuffer = new array(16); // the block decoded into sixteen 32-bit words
var digestBits = new array(16);      // final digest, one byte per entry

// Rotate amounts passed to FF/GG/HH/II in transform(): S<round><position>.
var S11 = 7;
var S12 = 12;
var S13 = 17;
var S14 = 22;
var S21 = 5;
var S22 = 9;
var S23 = 14;
var S24 = 20;
var S31 = 4;
var S32 = 11;
var S33 = 16;
var S34 = 23;
var S41 = 6;
var S42 = 10;
var S43 = 15;
var S44 = 21;
/* Round-1 mixing function: (x AND y) OR ((NOT x) AND z). */
function F(x, y, z) {
  var picked = and(x, y);
  var fallback = and(not(x), z);
  return or(picked, fallback);
}
/* Round-2 mixing function: (x AND z) OR (y AND (NOT z)). */
function G(x, y, z) {
  var picked = and(x, z);
  var fallback = and(y, not(z));
  return or(picked, fallback);
}
/* Round-3 mixing function: x XOR y XOR z. */
function H(x, y, z) {
  var firstPair = xor(x, y);
  return xor(firstPair, z);
}
/* Round-4 mixing function: y XOR (x OR (NOT z)). */
function I(x, y, z) {
  var mask = or(x, not(z));
  return xor(y, mask);
}
/*
 * Rotate a left by n bits within 32 bits: the bits shifted out on the left
 * by shl() are brought back in on the right by shr().
 */
function rotateLeft(a, n) {
  var upper = shl(a, n);
  var wrapped = shr(a, (32 - n));
  return or(upper, wrapped);
}
/*
 * One round-1 step: add F(b, c, d), the message word x and the constant ac
 * to a, rotate left by s, then add b. The sum may exceed 32 bits; the
 * bitwise helpers reduce it modulo 2^32 when it is next used.
 */
function FF(a, b, c, d, x, s, ac) {
  var mixed = a + F(b, c, d) + x + ac;
  return rotateLeft(mixed, s) + b;
}
/*
 * One round-2 step: add G(b, c, d), the message word x and the constant ac
 * to a, rotate left by s, then add b.
 */
function GG(a, b, c, d, x, s, ac) {
  var mixed = a + G(b, c, d) + x + ac;
  return rotateLeft(mixed, s) + b;
}
/*
 * One round-3 step: add H(b, c, d), the message word x and the constant ac
 * to a, rotate left by s, then add b.
 */
function HH(a, b, c, d, x, s, ac) {
  var mixed = a + H(b, c, d) + x + ac;
  return rotateLeft(mixed, s) + b;
}
/*
 * One round-4 step: add I(b, c, d), the message word x and the constant ac
 * to a, rotate left by s, then add b.
 */
function II(a, b, c, d, x, s, ac) {
  var mixed = a + I(b, c, d) + x + ac;
  return rotateLeft(mixed, s) + b;
}
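/*
 * Process one 64-byte block and fold it into the global `state`.
 *
 * buf    - array-like of byte values
 * offset - index in buf where the block starts
 *
 * The 64 bytes are decoded into sixteen little-endian 32-bit words (kept in
 * the shared transformBuffer), run through the four rounds of sixteen steps
 * each, and the result is added to state[0..3].
 *
 * The loop counters are declared locally; the original assigned to undeclared
 * `i` and `j`, which leaked into the global scope and throws in strict mode.
 */
function transform(buf, offset) {
  var a = 0, b = 0, c = 0, d = 0;
  var i, j;
  var x = transformBuffer;
  a = state[0];
  b = state[1];
  c = state[2];
  d = state[3];
  /* Decode the block: byte 0 of each group is the least significant. */
  for (i = 0; i < 16; i++) {
    x[i] = and(buf[i * 4 + offset], 0xff);
    for (j = 1; j < 4; j++) x[i] += shl(and(buf[i * 4 + j + offset], 0xff), j * 8);
  }
  /* Round 1 */
  a = FF ( a, b, c, d, x[ 0], S11, 0xd76aa478); /* 1 */
  d = FF ( d, a, b, c, x[ 1], S12, 0xe8c7b756); /* 2 */
  c = FF ( c, d, a, b, x[ 2], S13, 0x242070db); /* 3 */
  b = FF ( b, c, d, a, x[ 3], S14, 0xc1bdceee); /* 4 */
  a = FF ( a, b, c, d, x[ 4], S11, 0xf57c0faf); /* 5 */
  d = FF ( d, a, b, c, x[ 5], S12, 0x4787c62a); /* 6 */
  c = FF ( c, d, a, b, x[ 6], S13, 0xa8304613); /* 7 */
  b = FF ( b, c, d, a, x[ 7], S14, 0xfd469501); /* 8 */
  a = FF ( a, b, c, d, x[ 8], S11, 0x698098d8); /* 9 */
  d = FF ( d, a, b, c, x[ 9], S12, 0x8b44f7af); /* 10 */
  c = FF ( c, d, a, b, x[10], S13, 0xffff5bb1); /* 11 */
  b = FF ( b, c, d, a, x[11], S14, 0x895cd7be); /* 12 */
  a = FF ( a, b, c, d, x[12], S11, 0x6b901122); /* 13 */
  d = FF ( d, a, b, c, x[13], S12, 0xfd987193); /* 14 */
  c = FF ( c, d, a, b, x[14], S13, 0xa679438e); /* 15 */
  b = FF ( b, c, d, a, x[15], S14, 0x49b40821); /* 16 */
  /* Round 2 */
  a = GG ( a, b, c, d, x[ 1], S21, 0xf61e2562); /* 17 */
  d = GG ( d, a, b, c, x[ 6], S22, 0xc040b340); /* 18 */
  c = GG ( c, d, a, b, x[11], S23, 0x265e5a51); /* 19 */
  b = GG ( b, c, d, a, x[ 0], S24, 0xe9b6c7aa); /* 20 */
  a = GG ( a, b, c, d, x[ 5], S21, 0xd62f105d); /* 21 */
  d = GG ( d, a, b, c, x[10], S22, 0x2441453); /* 22 */
  c = GG ( c, d, a, b, x[15], S23, 0xd8a1e681); /* 23 */
  b = GG ( b, c, d, a, x[ 4], S24, 0xe7d3fbc8); /* 24 */
  a = GG ( a, b, c, d, x[ 9], S21, 0x21e1cde6); /* 25 */
  d = GG ( d, a, b, c, x[14], S22, 0xc33707d6); /* 26 */
  c = GG ( c, d, a, b, x[ 3], S23, 0xf4d50d87); /* 27 */
  b = GG ( b, c, d, a, x[ 8], S24, 0x455a14ed); /* 28 */
  a = GG ( a, b, c, d, x[13], S21, 0xa9e3e905); /* 29 */
  d = GG ( d, a, b, c, x[ 2], S22, 0xfcefa3f8); /* 30 */
  c = GG ( c, d, a, b, x[ 7], S23, 0x676f02d9); /* 31 */
  b = GG ( b, c, d, a, x[12], S24, 0x8d2a4c8a); /* 32 */
  /* Round 3 */
  a = HH ( a, b, c, d, x[ 5], S31, 0xfffa3942); /* 33 */
  d = HH ( d, a, b, c, x[ 8], S32, 0x8771f681); /* 34 */
  c = HH ( c, d, a, b, x[11], S33, 0x6d9d6122); /* 35 */
  b = HH ( b, c, d, a, x[14], S34, 0xfde5380c); /* 36 */
  a = HH ( a, b, c, d, x[ 1], S31, 0xa4beea44); /* 37 */
  d = HH ( d, a, b, c, x[ 4], S32, 0x4bdecfa9); /* 38 */
  c = HH ( c, d, a, b, x[ 7], S33, 0xf6bb4b60); /* 39 */
  b = HH ( b, c, d, a, x[10], S34, 0xbebfbc70); /* 40 */
  a = HH ( a, b, c, d, x[13], S31, 0x289b7ec6); /* 41 */
  d = HH ( d, a, b, c, x[ 0], S32, 0xeaa127fa); /* 42 */
  c = HH ( c, d, a, b, x[ 3], S33, 0xd4ef3085); /* 43 */
  b = HH ( b, c, d, a, x[ 6], S34, 0x4881d05); /* 44 */
  a = HH ( a, b, c, d, x[ 9], S31, 0xd9d4d039); /* 45 */
  d = HH ( d, a, b, c, x[12], S32, 0xe6db99e5); /* 46 */
  c = HH ( c, d, a, b, x[15], S33, 0x1fa27cf8); /* 47 */
  b = HH ( b, c, d, a, x[ 2], S34, 0xc4ac5665); /* 48 */
  /* Round 4 */
  a = II ( a, b, c, d, x[ 0], S41, 0xf4292244); /* 49 */
  d = II ( d, a, b, c, x[ 7], S42, 0x432aff97); /* 50 */
  c = II ( c, d, a, b, x[14], S43, 0xab9423a7); /* 51 */
  b = II ( b, c, d, a, x[ 5], S44, 0xfc93a039); /* 52 */
  a = II ( a, b, c, d, x[12], S41, 0x655b59c3); /* 53 */
  d = II ( d, a, b, c, x[ 3], S42, 0x8f0ccc92); /* 54 */
  c = II ( c, d, a, b, x[10], S43, 0xffeff47d); /* 55 */
  b = II ( b, c, d, a, x[ 1], S44, 0x85845dd1); /* 56 */
  a = II ( a, b, c, d, x[ 8], S41, 0x6fa87e4f); /* 57 */
  d = II ( d, a, b, c, x[15], S42, 0xfe2ce6e0); /* 58 */
  c = II ( c, d, a, b, x[ 6], S43, 0xa3014314); /* 59 */
  b = II ( b, c, d, a, x[13], S44, 0x4e0811a1); /* 60 */
  a = II ( a, b, c, d, x[ 4], S41, 0xf7537e82); /* 61 */
  d = II ( d, a, b, c, x[11], S42, 0xbd3af235); /* 62 */
  c = II ( c, d, a, b, x[ 2], S43, 0x2ad7d2bb); /* 63 */
  b = II ( b, c, d, a, x[ 9], S44, 0xeb86d391); /* 64 */
  /* Plain additions: the words may exceed 32 bits until a bitwise helper reduces them. */
  state[0] += a;
  state[1] += b;
  state[2] += c;
  state[3] += d;
}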
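/*
 * Reset the shared MD5 storage for a new digest: clear the bit counter, load
 * the four initial chaining words and zero the digest bytes.
 *
 * The loop counter is declared locally; the original assigned to an
 * undeclared `i`, which created a global and throws in strict mode.
 */
function init() {
  var i;
  count[0] = count[1] = 0;
  state[0] = 0x67452301;
  state[1] = 0xefcdab89;
  state[2] = 0x98badcfe;
  state[3] = 0x10325476;
  for (i = 0; i < digestBits.length; i++) digestBits[i] = 0;
}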
/*
 * Feed one byte into the digest.
 *
 * The byte's position in the 64-byte block is taken from the bit counter
 * before the counter is advanced by 8 (carrying into count[1] when the low
 * word would pass 2^32). Only the low 8 bits of b are stored. When the last
 * position (63) is written, the block is processed with transform().
 */
function update(b) {
  var slot = and(shr(count[0], 3), 0x3f);

  if (!(count[0] < 0xffffffff - 7)) {
    // Low word would overflow: carry into the high word and wrap.
    count[1]++;
    count[0] -= 0xffffffff + 1;
  }
  count[0] += 8;

  buffer[slot] = and(b, 0xff);
  if (slot >= 63) {
    transform(buffer, 0);
  }
}
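/*
 * Finish the digest: append the padding and the 64-bit message length, then
 * write the 16 digest bytes into the global digestBits.
 *
 * The length bytes are captured before padding is fed in, because update()
 * keeps advancing the counter. Padding is one 0x80 byte followed by zeros,
 * sized so that the 8 length bytes complete a 64-byte block.
 *
 * The inner loop counter `j` is declared locally; the original assigned to an
 * undeclared `j`, which created a global and throws in strict mode.
 */
function finish() {
  var bits = new array(8);
  var padding;
  var i = 0, j = 0, index = 0, padLen = 0;
  /* Message length in bits, least significant byte first. */
  for (i = 0; i < 4; i++) bits[i] = and(shr(count[0], (i * 8)), 0xff);
  for (i = 0; i < 4; i++) bits[i + 4] = and(shr(count[1], (i * 8)), 0xff);
  index = and(shr(count[0], 3), 0x3f);
  padLen = (index < 56) ? (56 - index) : (120 - index);
  padding = new array(64);
  padding[0] = 0x80;
  for (i = 0; i < padLen; i++) update(padding[i]);
  for (i = 0; i < 8; i++) update(bits[i]);
  /* Serialize the four state words, least significant byte first. */
  for (i = 0; i < 4; i++) {
    for (j = 0; j < 4; j++) {
      digestBits[i * 4 + j] = and(shr(state[i], (j * 8)), 0xff);
    }
  }
}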
/* End of the MD5 algorithm */
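/*
 * Format n as exactly 8 lowercase hexadecimal digits, most significant first
 * (values below 2^28 are left-padded with zeros; higher digits are dropped).
 *
 * The loop counter is declared locally; the original assigned to an
 * undeclared `hexa_i`, which created a global and throws in strict mode.
 */
function hexa(n) {
  var digits = "0123456789abcdef";
  var text = "";
  var rest = n;
  for (var pos = 0; pos < 8; pos++) {
    text = digits.charAt(Math.abs(rest) % 16) + text;
    rest = Math.floor(rest / 16);
  }
  return text;
}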
// Character-to-code lookup table used by md5(): a character's code is its
// LAST position in this string. The first 32 characters are filler standing in
// for the control codes, so the space lands at index 32 and every printable
// ASCII character up to '~' (126) sits at its own ASCII code; digits resolve
// to 48..57 because lastIndexOf() skips the filler.
// A character that is not in the table yields -1 from lastIndexOf().
var ascii = "01234567890123456789012345678901"
+ " !\"#" + '\$'
+ "%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ"
+ "[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~";
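/*
 * Return the MD5 digest of the string `entree` as 32 lowercase hex digits.
 *
 * Each character is converted to one byte through the `ascii` lookup table.
 * NOTE(review): a character outside that table (anything that is not
 * printable ASCII) gives -1, which update() masks to 0xff. All such
 * characters therefore hash as the same byte, so passwords that differ only
 * in non-ASCII characters produce the same digest.
 *
 * The loop counter `i` is declared locally; the original assigned to an
 * undeclared `i`, which created a global and throws in strict mode.
 */
function md5(entree) {
  var l, s, k, ka, kb, kc, kd, i;
  init();
  for (k = 0; k < entree.length; k++) {
    l = entree.charAt(k);
    update(ascii.lastIndexOf(l));
  }
  finish();
  /* Pack the 16 digest bytes into four words so that hexa() prints them in byte order. */
  ka = kb = kc = kd = 0;
  for (i = 0; i < 4; i++) ka += shl(digestBits[15 - i], (i * 8));
  for (i = 4; i < 8; i++) kb += shl(digestBits[15 - i], ((i - 4) * 8));
  for (i = 8; i < 12; i++) kc += shl(digestBits[15 - i], ((i - 8) * 8));
  for (i = 12; i < 16; i++) kd += shl(digestBits[15 - i], ((i - 12) * 8));
  s = hexa(kd) + hexa(kc) + hexa(kb) + hexa(ka);
  return s;
}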
/*
 * Last step of the logon: fill the hidden "encoded" field and submit the form.
 *
 * The value sent is  username + ":" + md5(username + ":" + password + ":" + nonce).
 * The password itself is not transmitted and no timestamp enters the hash;
 * the only per-login input is the nonce obtained by reqNonce()/getNonce().
 *
 * NOTE(review): MD5 is fast to compute, so anyone who can read the nonce and
 * the digest off the network can test password guesses offline. Treat this
 * as obfuscation of the password, not as protection of the login: reach the
 * interface over TLS or an isolated management network, and do not leave the
 * default credentials in place.
 */
function encode(nonce) {
  var user = document.getElementById("username").value;
  var secret = document.getElementById("password").value;
  var digest = md5(user + ":" + secret + ":" + nonce);
  document.getElementById("encoded").value = user + ":" + digest;
  document.getElementById("login").submit();
}
</script>
</html>
如您所见,在body结束标记之后有一段JavaScript,它出于安全考虑,使用某种“基于时间的哈希”对输入的数据进行转换;我认为算法是从下面这行注释之后开始的:
/* Here begin the real algorithm */
因此,如果尝试从chrome的检查器中复制curl命令,我将获得以下内容:
# Captured from one browser login. The `auth` cookie carries the 16-character
# nonce that the page script stored for that login, and `encoded` carries
# "admin:" followed by the MD5 digest computed from that same nonce, so both
# values belong to that single exchange.
# NOTE(review): the URL is http://, so --insecure (a TLS certificate option)
# has no effect here, and the cookie and digest cross the network unencrypted.
curl 'http://192.168.25.176/' -H 'Connection: keep-alive' -H 'Cache-Control: max-age=0' -H 'Origin: http://192.168.25.176' -H 'Upgrade-Insecure-Requests: 1' -H 'Content-Type: application/x-www-form-urlencoded' -H 'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3' -H 'Referer: http://192.168.25.176/' -H 'Accept-Encoding: gzip, deflate' -H 'Accept-Language: it-IT,it;q=0.9,en-US;q=0.8,en;q=0.7' -H 'Cookie: CTCPgSz=10; CUR_LANG=it; CUR_NEW_LANG=it; CLogPgSz=10; auth=c0a8194f002099a2' --data 'encoded=admin%3Ac087f3ff091daaf5d8ddcaf0d17fac4f&ReturnPage=%2F' --compressed --insecure
但是很明显,它总是返回登录页面,因为下面这个字符串
'encoded=admin%3Ac087f3ff091daaf5d8ddcaf0d17fac4f&ReturnPage=%2F'
是由Chrome会话生成的,而不是由curl命令生成的。有什么办法可以在执行curl命令之前,从命令行把输入数据交给这段JavaScript处理吗?非常感谢