dro44817 2017-06-23 23:13

Trying to automate access to a web interface that uses Javascript to encrypt form data [closed]

First, thank you for taking the time to read this. I am pretty sure this is not a failure of my google-fu.

I am trying to build an automation tool to access a device that has an HTTP/HTML interface. (Specifically, it is an IP Telephone.) The login page has a username field and a password field, but that form doesn't get submitted. A hidden form gets filled in with a combination of extra data from the device that it uses as an RSA key, then MD5 hash and AES encryption of a string, before submitting the hidden form.

It also sets session cookies via Javascript, with session id obtained via Ajax. I gave up on a similar project a year or two ago when I got mired in trying to port the Javascript functions to php and/or replicate the results, but I have to believe there's a better way than that.

function ajaxSucceedCallBack(req, res)
{
    // Expected response: "modulus,exponent,sessionid"
    if (/^[\w,]+$/.test(res))
    {
        var res = res.split(",");
    }
    var rsa = new RSAKey();
    var sessid = "";

    if (res.length == 3)
    {
        rsa.setPublic(res[0], res[1]);
        sessid = res[2];
        document.cookie = "JSESSIONID=" + sessid;
    }

    // Random AES key and IV; each is sent RSA-encrypted in the hidden form
    var key = CryptoJS.MD5(Math.random().toString()).toString();
    document.formInput2.key.value = rsa.encrypt(key);
    key = CryptoJS.enc.Hex.parse(key);
    var iv = CryptoJS.MD5(Math.random().toString()).toString();
    document.formInput2.iv.value = rsa.encrypt(iv);
    iv = CryptoJS.enc.Hex.parse(iv);

    // Plaintext: credentials and session id, prefixed with their MD5
    var data = "rand=" + Math.random() + ";";
    data += "sessionid=" + sessid + ";";
    data += "username=" + document.formInput.username.value + ";";
    data += "pwd=" + document.formInput.pwd.value + ";";
    data = "MD5=" + CryptoJS.MD5(data) + ";" + data;

    // AES-CBC with zero padding; the ciphertext goes into the hidden form
    var encrypted = CryptoJS.AES.encrypt(data, key,
        { iv:iv, mode:CryptoJS.mode.CBC, padding:CryptoJS.pad.ZeroPadding });
    document.formInput2.data.value = encrypted.toString();
    document.getElementById("notice").innerHTML="";
    document.formInput2.submit();
}

The end goal is to have a web interface on a single system that is able to automatically log in and download and upload the configuration file from/to all of the devices. I am starting this in php, but if it works, I'm happy with perl, python, making calls to curl, even bash script if it gets the job done.

Thank you for your time.


  • dragon_9000 2017-06-23 23:24

    If you don't care about the performance of the automation, a simple way to do it is using WebDriver. See an example in Python: http://selenium-python.readthedocs.io/getting-started.html

    Essentially it starts up a browser that you can control from Python (or other languages). If you don't want the overhead of starting up a browser you could use Node.js for example.

    This answer was selected by the asker as the best answer.
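The Node.js route mentioned in the answer, as an added example that is not part of the original question or answer: a port of the field construction in the page's ajaxSucceedCallBack using Node's built-in crypto module. It assumes RSAKey is the jsbn implementation (hex modulus and exponent, PKCS#1 v1.5 padding, hex output); buildLoginFields, rsaEncryptHex, zeroPad and sampleDevice are hypothetical names, and the sample key pair and session id are constructed.

```javascript
const crypto = require('node:crypto');

const md5hex = (s) => crypto.createHash('md5').update(s, 'utf8').digest('hex');

// CryptoJS.pad.ZeroPadding: fill with 0x00 up to the next 16-byte boundary,
// adding nothing when the input is already aligned.
function zeroPad(buf) {
  const rem = buf.length % 16;
  return rem === 0 ? buf : Buffer.concat([buf, Buffer.alloc(16 - rem)]);
}

// Assumption: RSAKey is jsbn, so encrypt() applies PKCS#1 v1.5 to the *text*
// of its argument (the 32-character hex string) and returns hex.
function rsaEncryptHex(hexN, hexE, text) {
  const b64u = (h) => Buffer.from(h.length % 2 ? '0' + h : h, 'hex').toString('base64url');
  const key = crypto.createPublicKey({ key: { kty: 'RSA', n: b64u(hexN), e: b64u(hexE) }, format: 'jwk' });
  return crypto.publicEncrypt({ key, padding: crypto.constants.RSA_PKCS1_PADDING }, Buffer.from(text, 'utf8')).toString('hex');
}

// ajaxResponse is the "modulus,exponent,sessionid" string the page receives.
// opts.keyHex / opts.ivHex / opts.rand exist for testing; by default key and IV
// are 16 random bytes each (the page derives them from MD5(Math.random())).
function buildLoginFields(ajaxResponse, username, pwd, opts = {}) {
  const parts = /^[\w,]+$/.test(ajaxResponse) ? ajaxResponse.split(',') : [];
  if (parts.length !== 3) throw new Error('expected "modulus,exponent,sessionid"');
  const [hexN, hexE, sessid] = parts;
  const keyHex = opts.keyHex || crypto.randomBytes(16).toString('hex');
  const ivHex = opts.ivHex || crypto.randomBytes(16).toString('hex');
  const rand = opts.rand !== undefined ? opts.rand : Math.random();
  let data = `rand=${rand};sessionid=${sessid};username=${username};pwd=${pwd};`;
  data = `MD5=${md5hex(data)};${data}`;
  const cipher = crypto.createCipheriv('aes-128-cbc', Buffer.from(keyHex, 'hex'), Buffer.from(ivHex, 'hex'));
  cipher.setAutoPadding(false); // padding is done by zeroPad, not PKCS#7
  const ct = Buffer.concat([cipher.update(zeroPad(Buffer.from(data, 'utf8'))), cipher.final()]);
  return {
    cookie: `JSESSIONID=${sessid}`,
    key: rsaEncryptHex(hexN, hexE, keyHex),
    iv: rsaEncryptHex(hexN, hexE, ivHex),
    data: ct.toString('base64'), // CryptoJS ciphertext toString() is Base64
  };
}

// Constructed sample input: a throwaway key pair standing in for the device's reply.
function sampleDevice() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const { n, e } = publicKey.export({ format: 'jwk' });
  const hex = (b) => Buffer.from(b, 'base64url').toString('hex');
  return { privateKey, ajaxResponse: `${hex(n)},${hex(e)},SAMPLESESSION01` };
}
```

The returned key, iv and data values correspond to the hidden formInput2 fields, and cookie to the JSESSIONID the page sets before submitting.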