Author Topic: Help with logging into HG612 from VB (C# or C++ suggestions welcomed)  (Read 9087 times)

Blackeagle

  • Reg Member
  • ***
  • Posts: 257

OK so, the login page of the HG612 contains some not finished, or certainly not manipulable, HTML.

Normally, to fill in a value on a web generated form, one would simply set the value attribute of the required elementId and then call the 'submit' action of the correct button to actually 'click' it.  In this case though, instead of the code looking like
Code: [Select]
<input id="txt_Username" type="text" name="Username" value ="" style="height:22px; width:155px;font-family:Arial;">
there is no value field present so the actual code looks like
Code: [Select]
<input id="txt_Username" type="text" name="Username" style="height:22px; width:155px;font-family:Arial;">
Does anyone know how to manipulate this ?

VB would normally be something like
Code: [Select]
WebBrowser1.Document.GetElementById("txt_Username").Value = username
but as there is no value field defined, I can't therefore set it  :no:

Ideas very welcome,  languages other than VB 2008/.NET also useful as I can most likely convert between them.

I've tried logging in using the 'login.cgi' page which is called via the 'submit' action of the form, but providing this with the required credentials from Firefox results in a 'cookies are not enabled' error.  Calling the same URL with VB does not give the cookies error, but doesn't log in either ??  ??? ???
Logged
ASCII stupid question, get a stupid ANSI -- TalkTalk Broadband since 2006

asbokid

  • Kitizen
  • ****
  • Posts: 1286
    • Hacking the 2Wire

Hello BlackEagle,

As you note, the Huawei's login page references the following JavaScript function:

Code: [Select]
function SubmitForm() {
   var Username = document.getElementById('txt_Username');
   var Password = document.getElementById('txt_Password'); // ...
   if (document.cookie == '') {
      var cookie = "LoginTimes=" + initcount + ":" +  "LoginOverTime=" + inittime + "; path=/";
      document.cookie = cookie;
   }
   var cookie = "FirstMenu=" + firmenu + "; path=/";
   document.cookie = cookie;
   var cookie = "SecondMenu=" + secmenu + "; path=/";
   document.cookie = cookie;
   var cookie = "ThirdMenu=" + thirdmenu + "; path=/";
   document.cookie = cookie;
   var lantype = getSelectVal('Language');
   var form = new webSubmitForm();
   form.setAction('login.cgi?Username='+ Username.value + '&Password=' + base64encode(Password.value) + '&Language=' + lantype + '&RequestFile=html/content.asp');
   form.submit();
   return true;
}

It's a lot easier to look at this from the application layer (HTTP) using a packet sniffer like Ethereal or Wireshark [1]

Filtering the packets of interest, we can see the request and response between browser and Huawei.

Specifically, below, we see that:

  • the HTTP POST method (rather than the HTTP GET method) is used.
  • the username and password are encoded in the URL (rather than in the HTTP headers)
  • the default password ("admin") is base64 encoded (as "YWRtaW4") in the URL
  • other bits of chaff are encoded in the URL (Language and RequestFile), and most importantly:
  • a Cookie called sessionID is returned by the Huawei

Code: [Select]
No.     Time        Source                Destination           Protocol Length Info
    258 241.917923  192.168.1.2           192.168.1.1           HTTP     654    POST /login.cgi?Username=admin&Password=YWRtaW4=&Language=0&RequestFile=html/content.asp HTTP/1.1

Frame 258: 654 bytes on wire (5232 bits), 654 bytes captured (5232 bits)
Ethernet II, Src: Dell_a2:42:e7 (14:fe:b5:a2:42:e7), Dst: AskeyCom_b7:91:7e (b4:82:fe:b7:91:7e)
Internet Protocol Version 4, Src: 192.168.1.2 (192.168.1.2), Dst: 192.168.1.1 (192.168.1.1)
Transmission Control Protocol, Src Port: 37566 (37566), Dst Port: http (80), Seq: 1, Ack: 1, Len: 588
Hypertext Transfer Protocol
    POST /login.cgi?Username=admin&Password=YWRtaW4=&Language=0&RequestFile=html/content.asp HTTP/1.1\r\n
    Host: 192.168.1.1\r\n
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:10.0.4) Gecko/20100101 Firefox/10.0.4 Iceweasel/10.0.4\r\n
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n
    Accept-Language: en-gb,zh-cn;q=0.5\r\n
    Accept-Encoding: gzip, deflate\r\n
    Connection: keep-alive\r\n
    Referer: http://192.168.1.1/\r\n
    Cookie: LoginTimes=0:LoginOverTime=0; FirstMenu=Admin_0; SecondMenu=Admin_0_0; ThirdMenu=Admin_0_0_0\r\n
    Content-Type: application/x-www-form-urlencoded\r\n
    Content-Length: 0\r\n
    \r\n

And here's the HTTP response from the Huawei.
Note in its response, the Huawei sets the sessionID cookie in the browser.

Code: [Select]
No.     Time        Source                Destination           Protocol Length Info
    262 241.920835  192.168.1.1           192.168.1.2           HTTP     341    HTTP/1.1 200 OK  (text/html)

Frame 262: 341 bytes on wire (2728 bits), 341 bytes captured (2728 bits)
Ethernet II, Src: AskeyCom_b7:91:7e (b4:82:fe:b7:91:7e), Dst: Dell_a2:42:e7 (14:fe:b5:a2:42:e7)
Internet Protocol Version 4, Src: 192.168.1.1 (192.168.1.1), Dst: 192.168.1.2 (192.168.1.2)
Transmission Control Protocol, Src Port: http (80), Dst Port: 37566 (37566), Seq: 294, Ack: 589, Len: 275
Hypertext Transfer Protocol
    HTTP/1.1 200 OK\r\n
    ....
    Set-cookie:sessionID=1498623489769804; path=/\r\n
    Set-cookie:Language=English; path=/\r\n
    Set-cookie:ThirdMenu=Admin_0_0_0; path=/\r\n
    Set-cookie:SecondMenu=Admin_0_0; path=/\r\n
    Set-cookie:FirstMenu=Admin_0; path=/\r\n
    Content-Type:text/html\r\n
    Transfer-Encoding:chunked\r\n
    Connection:Close\r\n
    \r\n

    <html>\n
    <head>\n
    <meta http-equiv="Content-Type" content="text/html; charset=gb2312" />\n
    <title>replace</title>\n
    <body>\n
    <script language="JavaScript" type="text/javascript">\n
    var pageName = '/html/content.asp';\n
    top.location.replace(pageName);\n
    </script>\n
    </body>\n
    </html>\n

So the key to getting authentication to work is to save that sessionID returned in the Huawei's HTTP response.

The sessionID field and its value must then be added to the HTTP Cookie header in all subsequent HTTP requests in this current session.

Does that make sense?

cheers, a

[1] http://www.wireshark.org/
« Last Edit: June 24, 2012, 02:06:07 AM by asbokid »
Logged
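
The exchange asbokid describes above, as an added example that is not part of the original post: it builds the login.cgi request target, pulls sessionID out of the router's Set-cookie lines, and forms the Cookie header for later requests. The function names are assumptions for illustration, and the sample headers are copied from the capture in the post so the code runs offline.

```python
import base64
from urllib.parse import urlencode

# Response headers copied from the capture in the post (frame 262), used as offline input.
SAMPLE_RESPONSE_HEADERS = (
    "HTTP/1.1 200 OK\r\n"
    "Set-cookie:sessionID=1498623489769804; path=/\r\n"
    "Set-cookie:Language=English; path=/\r\n"
    "Set-cookie:ThirdMenu=Admin_0_0_0; path=/\r\n"
    "Set-cookie:SecondMenu=Admin_0_0; path=/\r\n"
    "Set-cookie:FirstMenu=Admin_0; path=/\r\n"
    "Content-Type:text/html\r\n"
    "\r\n"
)

def build_login_path(username, password, language="0", request_file="html/content.asp"):
    """Build the request target that the page's SubmitForm() sends to login.cgi.

    Base64 is an encoding, not encryption: the password is recoverable from
    this URL by anything that sees or logs the request.
    """
    query = urlencode({
        "Username": username,
        "Password": base64.b64encode(password.encode()).decode(),
        "Language": language,
        "RequestFile": request_file,
    }, safe="/=")
    return "/login.cgi?" + query

def parse_set_cookies(raw_headers):
    """Collect name=value from each Set-Cookie line (any case, space after ':' optional)."""
    jar = {}
    for line in raw_headers.split("\r\n")[1:]:   # skip the status line
        if not line:                             # blank line ends the headers
            break
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "set-cookie":
            pair = value.split(";", 1)[0].strip()   # drop attributes such as path=/
            key, eq, val = pair.partition("=")
            if eq:
                jar[key.strip()] = val.strip()
    return jar

def cookie_header(jar):
    """Serialise the jar into the Cookie header value for subsequent requests."""
    return "; ".join(f"{k}={v}" for k, v in jar.items())
```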

kitz

  • Administrator
  • Senior Kitizen
  • *
  • Posts: 33881
  • Trinity: Most guys do.
    • http://www.kitz.co.uk

An HTML form doesn't need a value element, as the value is obtained from the user input into the form field.
value="" can be used to initialise the field with a null value, or can be used to input a value into a hidden field.
The element name="" isn't required either if you are using the getElementById method **



If you use document.getElementById('txt_Username'); it will return the Username element input by the user, e.g.

Code: [Select]
var Username = document.getElementById('txt_Username');
You can then do a couple of things to assign a value to the variable

1) Use Username.value to directly refer to the user input at any point in your code.
2) Assign a permanent new variable
 
Code: [Select]
var User_name = Username.value;
OR You could simply cut out all the above steps and directly assign a new variable to the user input by using the following regardless if the value element in the field has been initialised or not:-

Code: [Select]
var Username = document.getElementById('txt_Username').value;

To put it simply, in this particular case method  document.getElementById('txt_Username').value; means:- give me the user input typed into the text field with element id=txt_Username

The fact that getElementById isn't working in this case is likely due to something else  :( (See the cookies stuff by asbo)


**
The name field can be accessed using the method document.forms[0].name, in which case the id field is ignored,
whilst document.getElementById() concentrates purely on the id field and its input value and ignores the rest.
Either method can be used (name or id).. personally I prefer getElementById.
Logged
Please do not PM me with queries for broadband help as I may not be able to respond.
-----
How to get your router line stats :: ADSL Exchange Checker

Blackeagle

  • Reg Member
  • ***
  • Posts: 257

I was aware of the cookie stuff because it's in the JavaScript on the login page, however I was kinda hoping that VB's built-in webbrowser object would handle all that automatically.

I've tried setting the required attributes with

document.getElementById("Txt_Username").setAttribute("Value","Admin")
document.getElementById("Txt_Password").setAttribute("Value","Admin")
document.getElementById("btnLogin").InvokeMember("click")


For some reason that doesn't appear to work, although it should appear to the Huawei that the text has been typed in and the button clicked.  I therefore assumed, perhaps wrongly, that the reason was that the value field was not defined in the html code, although I must confess that at the time I may have been suffering from slightly too much of Russia's finest export to make a coherent judgement on that  :-[

I shall look at my code again with a clearer head.  Hopefully I won't have to use GET & POST and mess around setting up headers etc but if it's going to be the only way then I guess I will have to.
Logged

Blackeagle

  • Reg Member
  • ***
  • Posts: 257

***UPDATE***

Done it !!  :P

Right, there was nothing wrong with the code above, BUT the way I was trying to determine if the page had completed loading before filling in the required data was flawed.  I was using webbrowser1.document.readystate to try to determine this, but have now moved the login code to a sub, automatically fired by webbrowser1 as follows

Private Sub WebBrowser1_DocumentCompleted(ByVal sender As System.Object, ByVal e As System.Windows.Forms.WebBrowserDocumentCompletedEventArgs) Handles WebBrowser1.DocumentCompleted
    ' login code (as posted above) goes here
End Sub


Putting the login code in this sub works beautifully and cookies are handled automatically by the webbrowser object, as expected.

Next step is to test against other routers with html logins (HG533 is the same) as I want this program to be able to handle multiple routers and modems.  I've already written login routines for routers which return 401 Unauthorised headers.

Once all this is working correctly, I'll start pulling stats from the html pages and once that's working, I'll have a go at a telnet session for the routers which either require it, or can return extra data that way.
Logged

kitz

  • Administrator
  • Senior Kitizen
  • *
  • Posts: 33881
  • Trinity: Most guys do.
    • http://www.kitz.co.uk

>>> but have now moved the login code to a sub,

I don't program in VB, but I think I understand what you've done.  Glad you sorted it :)

Good luck with the rest of the code :D
Logged

Blackeagle

  • Reg Member
  • ***
  • Posts: 257

Thanks Kitz, probably need more than just luck !!

Basically, what I've done is move the code into a subroutine which automatically fires when the webbrowser object completes the page load.  Prior to this I was trying to check and handle the finished load myself, which is where I was coming unstuck. Doing it this way means I don't have to loop and keep checking for load states.
Logged

asbokid

  • Kitizen
  • ****
  • Posts: 1286
    • Hacking the 2Wire

Great stuff, blackeagle!

cheers, a
Logged