绕过csrf php curl login

时间:2016-10-28 08:20:38

标签: php curl login csrf-protection

我想从一个 PHP 脚本登录到另一个网站，但下面这个字段总是为空：

vhrp_lt=false

我从该网站的 cookie 文件中提取 CSRF 令牌，但提取出来的值似乎不对。这是我的代码：

// Flat request-handling script: takes a username/password POSTed by the browser,
// replays them to a remote login endpoint through cURL (sharing a per-IP cookie jar),
// rewrites the returned HTML and echoes it back to the browser.
// Review notes below are observations on the visible code; setOpt() and the initial
// value of $login_url are defined outside this listing and are not reviewed here.
if(isset($_POST['login']) && isset($_POST['password'])){
    $ioBB = "";
   // htmlentities() rewrites characters such as &, <, >, " into HTML entities before the
   // values are sent on, so a password containing any of them is altered in transit;
   // this is output escaping applied to input, not form-field encoding.
   $username = htmlentities($_POST['login']);
   $password = htmlentities($_POST['password']);
   $post_data = "";

   // $jsdfs_contact, $Sign (partly) and $ip are assigned but never read in the code shown.
   $jsdfs_contact = "";
   $Sign = "Sign+In";
   $ip =  getenv("REMOTE_ADDR");
   $_SESSION['username'] = "";
   $_SESSION['password'] = "";
   // NOTE(review): the commented-out sample below embeds what looks like a real e-mail
   // address and a signed session token; treat the line as sensitive data.
   //{"username":"donaldhess@hotmail.com","password":"asdasdasdas","remember":true,"ownerId":-1,"hasMultipleEmails":false,"captchaRequired":"false","captchaResponse":null,"userIP":"\"79.116.45.158\"","token":"eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ7XCJ2YWxpZGl0eVwiOlwiMjAxNi0wNS0xOFQyMzoyNzoxMS45MjhcIixcInNlc3Npb25JZFwiOlwiM0Q0QjgzRjIyRjIzNTI3Q0YxMjQ5NEFEMjVDNTBDMDNcIn0ifQ.6LKcFMYrLDLUvNmtAeA1VU1XkBxLOJopb9-894oxdmo"};
   // $_POST['jsdfs_contact'] and $_POST['ioBB'] are concatenated into the request body
   // with no urlencode()/http_build_query(), so any '&' or '=' the client sends is
   // interpreted by the remote side as additional form fields. The isset() guard above
   // covers only 'login' and 'password'; the other two keys raise a notice when absent.
   $post_data = 'jsdfs_contact='.$_POST['jsdfs_contact'].'&login='.$username.'&password='.$password.'&ioBB='.$_POST['ioBB'].'&Sign+In='.$Sign.'vhrp_lt=';

// The plaintext credentials are persisted in the PHP session for the lifetime of that
// session; nothing in this listing clears them again.
$_SESSION['username'] = $username;
$_SESSION['password'] = $password;
    setOpt($post_data,"login");

}else{
    // In this branch $post_data is never assigned, so the strlen() test further down
    // operates on an undefined variable.
    setOpt("","checkThis");
}

// The client's own User-Agent header is forwarded verbatim to the remote host.
$agent = $_SERVER['HTTP_USER_AGENT'];

// Cookie jar path is keyed on the client IP only: every client arriving from the same
// address (NAT, shared proxy) reads and writes the same jar, i.e. the same remote session.
$rand = dirname(__FILE__)."/cookies/".getenv("REMOTE_ADDR");

     $ch = curl_init();

    curl_setopt($ch, CURLOPT_USERAGENT, $agent);
    // $login_url is not assigned anywhere in the visible code before this use.
    curl_setopt($ch, CURLOPT_URL, $login_url );
    if(strlen($post_data) > 0){
        // The cookie jar is parsed as plain text: with the 's' modifier, 'vhrp_lt(.*)'
        // captures everything from the first 'vhrp_lt' to the end of the file (all
        // following cookie lines included); whitespace is then stripped and the first
        // 80 bytes kept. The same extraction is repeated verbatim after the request.
        $file2 = file_get_contents(dirname(__FILE__)."/cookies/".getenv("REMOTE_ADDR").".txt");
    preg_match_all('#vhrp_lt(.*)#si',$file2,$tokens);
    $tokens = preg_replace('/\s*/', '', $tokens[1][0]);
    $tokens4 = substr($tokens, 0, 80);
        // Overrides the URL set above with a plain-http endpoint: on this request the
        // credentials in $post_data cross the network unencrypted.
        curl_setopt($ch, CURLOPT_URL, "http://www.url.com/login_exec.php");
        curl_setopt($ch, CURLOPT_POSTFIELDS, $post_data.$tokens4);

    }
    curl_setopt($ch, CURLOPT_HEADER, FALSE);
    // CURLOPT_REFERER is set here and again below; the later call wins.
    curl_setopt($ch, CURLOPT_REFERER, $login_url);
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_COOKIEJAR, $rand.'.txt');
    curl_setopt($ch, CURLOPT_COOKIEFILE, $rand.'.txt');
    // Both hostname and peer-certificate verification are disabled, so the HTTPS leg
    // accepts any certificate (no protection against an on-path interceptor).
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST,  FALSE);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
    curl_setopt($ch, CURLOPT_REFERER, "https://www.url.com/login.html");
    // curl_exec() may return false; the value is passed to str_replace() unchecked.
    // The handle is never curl_close()d in the visible code.
    $postResult = curl_exec($ch);
    $info = curl_getinfo($ch);
    //print_R($info);exit;

    // Order-dependent rewrite chain on the remote HTML: e.g. 'href="/' is collapsed to
    // 'href="' before every 'login_exec.php' / 'login.html' occurrence is removed, and
    // several third-party script/beacon references are absolutized or blanked.
    //$postResult = str_replace('ua/ua-config.js', "./ua/ua-config.js", $postResult);
    //$postResult = str_replace('main-build.min.js', ' ', $postResult);
    $postResult = str_replace('href="javascript:;', '"', $postResult);
    $postResult = str_replace('href="/', 'href="', $postResult);
    //$postResult = str_replace('action="/login_exec.php"', 'action=""', $postResult);
    $postResult = str_replace("login_exec.php", "", $postResult);
    $postResult = str_replace("login.html", "", $postResult);
    $postResult = str_replace('/e.gif', 'https://www.url.com/e.gif"', $postResult);
    $postResult = str_replace('id="captcha" src="', 'id="captcha" src="https://www.url.com', $postResult);
    $postResult = str_replace('src="/libraries/javascript/regExp.js', 'src="https://www.url.com/libraries/javascript/regExp.js', $postResult);
    $postResult = str_replace('src="//www.googleadservices.com/pagead/conversion.js', 'src="https://www.googleadservices.com/pagead/conversion.js', $postResult);
    $postResult = str_replace('src="//googleads.g.doubleclick.net', 'src="https://googleads.g.doubleclick.net', $postResult);
    $postResult = str_replace('//www.google-analytics.com', 'https://www.google-analytics.com', $postResult);
    $postResult = str_replace('https://assets-edge.url.com/libraries/javascript/site_pages_2.2.203.min.js', 'site_pages_2.2.203.min.js', $postResult);
    $postResult = str_replace('/ajax_files/insert_page_load_stats.php', 'https://www.url.com/ajax_files/insert_page_load_stats.php', $postResult);
    $postResult = str_replace('//bat.bing.com', 'https://bat.bing.com', $postResult);
    $postResult = str_replace('"errorBeacon":"bam.nr-data.net"', '', $postResult);
    $postResult = str_replace('beacon":"bam.nr-data.net"', '', $postResult);
    $postResult = str_replace('js-agent.newrelic.com/nr-974.min.js', '', $postResult);
    // Second copy of the cookie-jar extraction (see above); this time the value is
    // spliced into a hidden input of the page served to the browser. $tokens[1][0]
    // is read without checking that the pattern matched at all.
    $file2 = file_get_contents(dirname(__FILE__)."/cookies/".getenv("REMOTE_ADDR").".txt");
    preg_match_all('#vhrp_lt(.*)#si',$file2,$tokens);
    $tokens = preg_replace('/\s*/', '', $tokens[1][0]);
    $tokens4 = substr($tokens, 0, 80);
    $postResult = str_replace('id="csrfp_hidden_data_urls" value=\'[]\'>', 'id="csrfp_hidden_data_urls" value=\''.$tokens4.'\'>', $postResult);

   // If the response mentions verify_device.php, a second request to that page is made
   // with a fresh handle (the first handle is overwritten without being closed) and its
   // body replaces the rewritten page above; none of the str_replace() rewrites run on it.
   if(preg_match("/verify_device\.php/",$postResult,$find)){
       $ch = curl_init();
        $login_url  = "https://www.url.com/verify_device.php";
    curl_setopt($ch, CURLOPT_USERAGENT, $agent);
    curl_setopt($ch, CURLOPT_URL, $login_url );
    curl_setopt($ch, CURLOPT_HEADER, false);
    curl_setopt($ch, CURLOPT_REFERER, $login_url);
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_COOKIEJAR, $rand.'.txt');
    curl_setopt($ch, CURLOPT_COOKIEFILE, $rand.'.txt');
    // Hostname check is set to 2 here, but peer verification stays off, so the
    // certificate chain is still not validated on this request.
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST,  2);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
    //curl_setopt($ch, CURLOPT_MAXREDIRS, 5 );
    curl_setopt($ch, CURLOPT_REFERER, $login_url);
    $postResult = curl_exec($ch);
    $info = curl_getinfo($ch);
   }

    // The remote body (possibly false on cURL failure) is written to the client as-is.
    echo $postResult;

Cookie 文件的内容如下：

#HttpOnly_www.url.com   FALSE   /   TRUE    0   PHPSESSID   8ob60motf0elfqs4nv0e4rp0g1
www.url.com FALSE   /   FALSE   1477596688  vhrp_lt 678b53f6f2c183f7a4f3188e942a86ccdde2c553b319792cca4801e7bd0a9bb9c252057a0df225a8
.url.com    TRUE    /   FALSE   1793127692  unique_visitor_cookie   b110668554cf3a1a706d526036e60bbd
.url.com    TRUE    /   FALSE   0   utsession_cookie    64692f0a77e35c2d2beeef18e5a7e43a
.url.com    TRUE    /   FALSE   1478199692  vhr-mcid    %7B%22m%22%3A%2226527%22%7D

请帮我看看哪里出了错。我在 $tokens4 中确实拿到了令牌，但向该网站发送 POST 请求时，令牌字段却是空的，我想知道为什么！
