🔒 Closed How to log in to a website with a verification token using curl?

Status
Not open for further replies.
Here's my code

define('UserName', 'sample@gmail.com');
define('Password', 'samplesample');
define('_RequestVerificationToken', '');
define('KeepMeLoggedIn','TRUE');
define('USER_AGENT', 'Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36');
define('COOKIE_FILE', 'account.txt');
define('LOGIN_FORM_URL', 'You do not have permission to view the full content of this post. Log in or register now.
define('LOGIN_ACTION_URL', 'You do not have permission to view the full content of this post. Log in or register now.

$postValues = array('UserName'=>'sample@gmail.com','Password'=>'samplesample ','_RequestVerificationToken'=>"");
$curl = curl_init();
curl_setopt($curl, CURLOPT_URL, LOGIN_ACTION_URL);
curl_setopt($curl, CURLOPT_POST, true);
curl_setopt($curl, CURLOPT_POSTFIELDS, http_build_query($postValues));
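// TLS certificate and host name verification are switched off here, so the server's identity is not checked
curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, false);
curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, false);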
curl_setopt($curl, CURLOPT_COOKIEJAR, COOKIE_FILE);
curl_setopt($curl, CURLOPT_USERAGENT, USER_AGENT);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
curl_setopt($curl, CURLOPT_REFERER, LOGIN_FORM_URL);
curl_setopt($curl, CURLOPT_FOLLOWLOCATION, false);
curl_exec($curl);
if(curl_errno($curl)){
throw new Exception(curl_error($curl));
}
//protected page
curl_setopt($curl, CURLOPT_URL, 'You do not have permission to view the full content of this post. Log in or register now.
curl_setopt($curl, CURLOPT_COOKIEJAR, COOKIE_FILE);
curl_setopt($curl, CURLOPT_USERAGENT, USER_AGENT);
curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, false);
curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, false);

$output = curl_exec($curl);
curl_close($curl);
echo $output;exit;
 
It would be much better, sir, if you echo the curl_error output so you can check what's wrong.
refs: You do not have permission to view the full content of this post. Log in or register now.

Also, the _RequestVerificationToken looks like a CSRF token, so you need to get it from the login page instead of using constants. Its values are dynamically generated.
 

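// $out must be the raw response including headers (e.g. CURLOPT_HEADER enabled)
preg_match_all('/^Set-Cookie:\s*([^;]*)/mi', $out, $matches);

$cookies = array();
// print_r($matches);
foreach ($matches[1] as $item) {
    // parse_str() returns nothing; it fills $cookie with name => value
    parse_str($item, $cookie);
    $cookies = array_merge($cookies, $cookie);
}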
for the dynamic token
 
Wait. What is this, a function that throws random "accounts" at the bestjobs login form?
I do PHP but I don't know what curl is.. is it something like ES6 for JavaScript?
 
This is for the response cookies. What you should be matching is the value of the hidden input with the "_RequestVerificationToken" name.. what you can possibly get here is only the session cookies and not the CSRF token.
 
This is what you need to do:

1. Curl login page with GET method.
2. Extract hidden input with "_RequestVerificationToken" name from the HTML response
3. Curl login page with POST method and post data as follows:
PHP:
array(
    'UserName'=>'sample@gmail.com',
    'Password'=>'samplesample ',
    '_RequestVerificationToken' => null, /** value of the extracted hidden input **/
);
4. Curl company's url then extract anything you want to get.
 
preg_match_all('/_RequestVerificationToken(.*?)\/>/', $out, $data);
$data1 = $data[1];
foreach ($data1 as $row) {
    // preg_match (not preg_match_all) so $tokens[1] is the token string, not an array
    if (preg_match('/value="(.*?)"/', $row, $tokens)) {
        $token = $tokens[1];
    }
}
Here
 
I think it's okay. But it would be much better if you used just one pattern for the preg match, though it requires more knowledge about regex.. just try it, sir, and see if it works for you.
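
Added example, not part of the thread and not any poster's code: step 2 of the procedure above (extracting the hidden input) done in one pass with PHP's DOM parser instead of regex, feeding the POST fields for step 3. The helper names `extractHiddenInput` and `buildLoginFields`, the form action and the sample HTML are constructed for illustration.

```php
<?php
// Added example: hypothetical helper names, constructed sample data.

/** Return the value of <input name="$name"> in $html, or null if absent. */
function extractHiddenInput(string $html, string $name): ?string
{
    $dom = new DOMDocument();
    // Real pages are rarely valid HTML; keep parser warnings out of the output.
    $previous = libxml_use_internal_errors(true);
    $dom->loadHTML($html);
    libxml_clear_errors();
    libxml_use_internal_errors($previous);

    $xpath = new DOMXPath($dom);
    foreach ($xpath->query('//input[@name]') as $input) {
        if ($input->getAttribute('name') === $name) {
            // The DOM parser has already decoded entities such as &amp;
            return $input->getAttribute('value');
        }
    }
    return null;
}

/** Build the POST body for step 3; refuse to post with an empty token. */
function buildLoginFields(string $loginHtml, string $user, string $pass): array
{
    $token = extractHiddenInput($loginHtml, '_RequestVerificationToken');
    if ($token === null || $token === '') {
        throw new RuntimeException('No _RequestVerificationToken in login page');
    }
    return [
        'UserName' => $user,
        'Password' => $pass,
        '_RequestVerificationToken' => $token,
    ];
}

// Constructed login page: value precedes name and uses single quotes,
// a layout the two-step /value="(.*?)"/ regex would not match.
$sampleHtml = <<<'HTML'
<form action="/Account/Login" method="post">
  <input type='hidden' value='q1w2&amp;e3-constructed' name='_RequestVerificationToken' />
  <input name="UserName"><input name="Password" type="password">
</form>
HTML;

$fields = buildLoginFields($sampleHtml, 'sample@gmail.com', 'samplesample');
echo http_build_query($fields), PHP_EOL;
```

Pass it the body returned by the step 1 GET, and send the step 3 POST on the same curl handle or cookie file, since a CSRF token is normally validated against the session cookie issued together with the form.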
 