|
|
Posted by Gordon Burditt on 12/17/06 20:46
>I wrote a script which reads a formular from a forum loginpage. It
>automatically fills in my credentials an logs me in when I hit submit.
>I have secured the path to the script with a .htaccess file.
>I have now a problem with one site which generates some kind of
>checkcode. The checkcode is placed in a hidden input field.
>I read the remote page with the "file(url)" command an parse it with
>PHP to a new formular with my credentials.
Presumably this is done to stop you from doing automatic logins,
or session stealing by sniffing traffic.
>When the server gets the formular with the file-command he gets a
>different checkcode as if I surf to the remote site with my browser.
If the server fetches the page, parses out the code, and sends it
back, it should be the correct code, unless there's javascript or
something on the page to compute a code.
>The checkcode looks like a md5-Hash an probably takes the ip to confirm
>the sender.
The hash MIGHT be a md5 Hash of a secret string, your IP address,
and some other stuff (like your browser ID string, session ID,
random numbers generated and saved server-side or whatever). You
probably can't reverse-engineer this without knowing the secret
string and other details about how it is computed.
Unless you set up a proxy, you can't easily fake what IP your
connection is coming from. If your intent is for the server to
submit the login page and your browser to submit subsequent pages
directly, it won't work if it's doing a simple IP check.
>Is ist possible for PHP to take my client-ip an sent it to the
>remote-server so I get an approveable checkcode when sending the
>generated formular?
Fetch the page, parse out the code, and return it. Then proxy all
subsequent requests.
Navigation:
[Reply to this message]
|