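Problems trying to reproduce, through VBA WinHttpReq, a login done through a standard web browser

Time: 2019-01-16 04:28:02

Tags: excel vba winhttp

I'm trying to automate a file download through Excel on my company's intranet. To do that I first need to authenticate, and this is where I'm stuck.

I have "sniffed" the HTTP headers going back and forth with a normal web browser. When I try to mimic them through a VBA script, the redirect to the login script doesn't work. Here is the code I wrote: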

Sub main()

    Dim WinHttpReq As Object
    Dim url1 As String, url2 As String, Server_Cookie As String
    Dim headers As String

    Set WinHttpReq = CreateObject("MSXML2.ServerXMLHTTP")

    ' Step 1: request the login page (the response is the JavaScript redirect page)
    url1 = "https://www.e-access.pepe.com/empsvcs/hrpinmgt/pagLogin/?sysName=MgmtSysCtr&retURL=http://greenday.homer.pepe.com:80/gbsoms/process_csp.htm"

    WinHttpReq.Open "GET", url1, False
    WinHttpReq.SetRequestHeader "Referer", "http://greenday.homer.pepe.com/gbsoms/login.htm"
    WinHttpReq.Send

    headers = WinHttpReq.GetAllResponseHeaders
    Debug.Print headers

    ' Keep only the name=value part of the session cookie, dropping its attributes
    Server_Cookie = Split(WinHttpReq.GetResponseHeader("Set-Cookie"), ";")(0)

    ' Step 2: request the kickoff URL that the JavaScript would navigate to
    url2 = "https://www.e-access.pepe.com/isam/sps/oidc/rp/pepe-RP/kickoff/pepe-Password?Target=https%3A%2F%2Fwww.e-access.pepe.com%2Fempsvcs%2Fhrpinmgt%2FpagLogin%2F%3FsysName%3DMgmtSysCtr%26retURL%3Dhttp%3A%2F%2Fgreenday.homer.pepe.com%3A80%2Fgbsoms%2Fprocess_csp.htm"

    WinHttpReq.Open "GET", url2, False
    WinHttpReq.SetRequestHeader "Referer", "https://www.e-access.pepe.com/empsvcs/hrpinmgt/pagLogin/?sysName=MgmtSysCtr&retURL=http://greenday.homer.pepe.com:80/gbsoms/process_csp.htm"
    WinHttpReq.SetRequestHeader "Cookie", Server_Cookie
    WinHttpReq.Send

    headers = WinHttpReq.GetAllResponseHeaders

    Debug.Print headers

End Sub

This is the HTTP header traffic sent by the web server after running my script:

Cache-Control: no-store
Date: Wed, 16 Jan 2019 03:19:07 GMT
Pragma: no-cache
Content-Length: 1184
Content-Type: text/html
P3P: CP="NON CUR OTPi OUR NOR UNI"
Set-Cookie: PD-S-SESSION-ID=1_2_0_Ftf7yAF0HjLCwkfUdY1ZeTuSylBmpcg84UxEblnciDGjrMou; Path=/; Secure; HttpOnly
x-frame-options: DENY
x-content-type-options: nosniff
x-xss-protection: 1
content-security-policy: frame-ancestors 'none'
strict-transport-security: 
-------------------------------
Cache-Control: no-store
Date: Wed, 16 Jan 2019 03:17:57 GMT
Pragma: no-cache
Content-Length: 1184
Cache-Control: no-store
Date: Wed, 16 Jan 2019 03:18:14 GMT
Pragma: no-cache
Content-Length: 1184
Content-Type: text/html
P3P: CP="NON CUR OTPi OUR NOR UNI"
Set-Cookie: PD-S-SESSION-ID=1_2_0_H1MYEqDa94y-5zBHcx1ci5KutKZDmimrpBLkNKHpmA558crE; Path=/; Secure; HttpOnly
x-frame-options: DENY
x-content-type-options: nosniff
x-xss-protection: 1
content-security-policy: frame-ancestors 'none'
strict-transport-security: 

"No Location field received" :(

These are the HTTP headers when using a real web browser:

https://www.e-access.pepe.com/empsvcs/hrpinmgt/pagLogin/?sysName=MgmtSysCtr&retURL=http://greenday.homer.pepe.com:80/gbsoms/process_csp.htm
Host: www.e-access.pepe.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://greenday.homer.pepe.com/gbsoms/login.htm

### here comes a JavaScript that redirects the web browser
### and makes the next line appear as NS_BINDING_ABORTED

NS_BINDING_ABORTED
content-length: 1184
content-type: text/html
date: Tue, 15 Jan 2019 23:57:04 GMT
p3p: CP="NON CUR OTPi OUR NOR UNI"
x-content-type-options: nosniff
cache-control: no-store
x-xss-protection: 1
strict-transport-security: 
pragma: no-cache
Set-Cookie: PD-S-SESSION-ID=1_2_0_ejSNPGTvnBqcABWph+jKXkP4q7qetjPCxApl9fYwO7zQ9RQg; Path=/; Secure; HttpOnly
-------------------
https://www.e-access.pepe.com/isam/sps/oidc/rp/PEPE-RP/kickoff/PEPE-Password?Target=https%3A%2F%2Fwww.e-access.pepe.com%2Fempsvcs%2Fhrpinmgt%2FpagLogin%2F%3FsysName%3DMgmtSysCtr%26retURL%3Dhttp%3A%2F%2Fgreenday.homer.pepe.com%3A80%2Fgbsoms%2Fprocess_csp.htm
Host: www.e-access.pepe.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.e-access.pepe.com/empsvcs/hrpinmgt/pagLogin/?sysName=MgmtSysCtr&retURL=http://greenday.homer.pepe.com:80/gbsoms/process_csp.htm
Cookie: PD-S-SESSION-ID=1_2_0_ejSNPGTvnBqcABWph+jKXkP4q7qetjPCxApl9fYwO7zQ9RQg

GET: HTTP/1.1 302 Found <<---- 302 is the code after a redirect. I've never been able to reproduce this :(
content-language: en-US
date: Tue, 15 Jan 2019 23:57:05 GMT

location: https://oidc.idp.elogin.pepe.com/mga/sps/oauth/oauth20/authorize?nonce=POEPJ6247G&redirect_uri=https%3A%2F%2Fwww.e-access.pepe.com%2Fisam%2Fsps%2Foidc%2Frp%2FPEPE-RP%2Fredirect%2FPEPE-Password&response_mode=form_post&scope=openid&Target=https%3A%2F%2Fwww.e-access.pepe.com%2Fempsvcs%2Fhrpinmgt%2FpagLogin%2F%3FsysName%3DMgmtSysCtr%26retURL%3Dhttp%3A%2F%2Fgreenday.homer.pepe.com%3A80%2Fgbsoms%2Fprocess_csp.htm&response_type=id_token&state=HbmqyJZroF&client_id=Password-PEPE

p3p: CP="NON CUR OTPi OUR NOR UNI"
transfer-encoding: chunked
cache-control: no-cache="set-cookie, set-cookie2"
expires: Thu, 01 Dec 1994 16:00:00 GMT
strict-transport-security: 
Set-Cookie: AMWEBJCT!%2Fisam!JSESSIONID=0000t_S44DVXblXH_8CLCTr3Rzf:e8d2a634-c9e1-4349-a13d-11494e6a414c; Path=/; HttpOnly
PD_STATEFUL_97209400-5e43-11e8-bd34-00505699647e=%2Fisam; Path=/
PD-S-SESSION-ID=1_2_0_ejSNPGTvnBqcABWph+jKXkP4q7qetjPCxApl9fYwO7zQ9RQg; Path=/; Secure; HttpOnly

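Above you can see the "Location" field that is sent when a real web browser makes the request... :(

The JavaScript received redirects to another authentication site: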

<html>
  <head>
    <title>PEPE Login Redirect</title>
    <script type="text/javascript">
    // Check to see what hostname is used to login to appliance - use the right config based on it
    var hname = window.location.hostname.toLowerCase();
    var dcsuffix = '';
    if (hname.indexOf("aldc") == 0 || hname.indexOf("ffdc") == 0)
    {
        dcsuffix = "DC";
    }
    else if (hname.indexOf("wwwagt") == 0 || hname.indexOf("wwwfft") == 0)
    {
        dcsuffix = "TMP";
    }
    var purl = window.location.href;
    var turl = encodeURIComponent(purl);
    if ("" == "2")
    {
        window.location = "/isam/sps/oidc/rp/PEPE-RP"+dcsuffix+"/kickoff/PEPE-PwdPlus"+dcsuffix+"?Target="+turl;
    }
    else if ("" == "3")
    {
        window.location = "/isam/sps/oidc/rp/PEPE-RP"+dcsuffix+"/kickoff/PEPE-Token"+dcsuffix+"?Target="+turl;
    }
    else if ("" == "4")
    {
        window.location = "/isam/sps/oidc/rp/PEPE-RP"+dcsuffix+"/kickoff/PEPE-Opus"+dcsuffix+"?Target="+turl;
    }
    else
    {
        window.location = "/isam/sps/oidc/rp/PEPE-RP"+dcsuffix+"/kickoff/PEPE-Password"+dcsuffix+"?Target="+turl;
     }
    </script>
  </head>
  <body>
    <form></form>
  </body>
</html>

Following the HTTP headers shown above, the code exits through the last "else" option, with all variables blank except "turl" (URI-encoded):

/isam/sps/oidc/rp/PEPE-RP/kickoff/PEPE-Password?Target=https%3A%2F%2Fwww.e-access.pepe.com%2Fempsvcs%2Fhrpinmgt%2FpagLogin%2F%3FsysName%3DMgmtSysCtr%26retURL%3Dhttp%3A%2F%2Fgreenday.homer.pepe.com%3A80%2Fgbsoms%2Fprocess_csp.htm
Host: www.e-access.pepe.com

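The bottom line is that I'm unable to get the "Location" field from the web server, which redirects me to the next URL. Apparently the key in this location changes every time, which is why it needs to be captured...

Sorry for the long story, but I tried to be as clear as possible. Any guru able to shed some light will be highly appreciated :) Thanks.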
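
An added example, not part of the original post: it recomputes the kickoff URL that the redirect page's script builds, then splits the captured 302 `location` value into its OpenID Connect parameters, of which `nonce` and `state` are the per-request values. The URLs are the ones captured in the question; the function names and the `mode` parameter are hypothetical.

```javascript
// Added example: values are copied from the captures in the question; the
// function names and the `mode` parameter are hypothetical.
const LOGIN_URL = "https://www.e-access.pepe.com/empsvcs/hrpinmgt/pagLogin/?sysName=MgmtSysCtr&retURL=http://greenday.homer.pepe.com:80/gbsoms/process_csp.htm";
const AUTHORIZE_LOCATION = "https://oidc.idp.elogin.pepe.com/mga/sps/oauth/oauth20/authorize?nonce=POEPJ6247G&redirect_uri=https%3A%2F%2Fwww.e-access.pepe.com%2Fisam%2Fsps%2Foidc%2Frp%2FPEPE-RP%2Fredirect%2FPEPE-Password&response_mode=form_post&scope=openid&Target=https%3A%2F%2Fwww.e-access.pepe.com%2Fempsvcs%2Fhrpinmgt%2FpagLogin%2F%3FsysName%3DMgmtSysCtr%26retURL%3Dhttp%3A%2F%2Fgreenday.homer.pepe.com%3A80%2Fgbsoms%2Fprocess_csp.htm&response_type=id_token&state=HbmqyJZroF&client_id=Password-PEPE";

// Same decision tree as the redirect page. `mode` stands for the value compared
// against "2", "3" and "4" (assumed to be filled in server-side; empty in the capture).
function kickoffUrl(href, mode = "") {
  const loc = new URL(href);
  const host = loc.hostname.toLowerCase();
  let dcsuffix = "";
  if (host.startsWith("aldc") || host.startsWith("ffdc")) dcsuffix = "DC";
  else if (host.startsWith("wwwagt") || host.startsWith("wwwfft")) dcsuffix = "TMP";
  const methods = new Map([["2", "PwdPlus"], ["3", "Token"], ["4", "Opus"]]);
  const method = methods.get(mode) ?? "Password";
  const path = `/isam/sps/oidc/rp/PEPE-RP${dcsuffix}/kickoff/PEPE-${method}${dcsuffix}`;
  // The script passes the full current URL, component-encoded, as Target.
  return new URL(`${path}?Target=${encodeURIComponent(href)}`, loc.origin).href;
}

// Splits a 302 `location` value into the OpenID Connect authorization request fields.
function describeAuthorizeRedirect(location) {
  const u = new URL(location);
  const p = u.searchParams;
  return {
    endpoint: u.origin + u.pathname,
    // nonce and state are generated per request, so they cannot be hard-coded
    perRequest: { nonce: p.get("nonce"), state: p.get("state") },
    clientId: p.get("client_id"),
    responseType: p.get("response_type"),
    responseMode: p.get("response_mode"),
    redirectUri: p.get("redirect_uri"),
    target: p.get("Target"),
  };
}

console.log(kickoffUrl(LOGIN_URL));
console.log(describeAuthorizeRedirect(AUTHORIZE_LOCATION));
```
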

0 answers:

No answers