Execute JS server-side to generate hash for xhr


Problem description



    There is a scrapebot-proof form. The login & password inputs have the obfuscated name attribute:

    <input id="login-username" name="r0pUsRqARu" value=""
     type="text" class="form-control" placeholder="Login">
    

    Based on those inputs (incl. login and password values) and hidden char input field the hash value is generated client-side by js functionality (md5.js).

    $("#btn-login").click(function () {
        var ser = $("#loginform").serialize();
        $.post("/post.php", ser + "&hash=" + md5(ser), function () {
            location.replace("/logged.php");
        });
    });
    

    The form is serialized and is sent as POST xhr (ajax) to post.php for logging in (see the code above).

    I want to write php script to automatically log in through the form.

    No problem with getting the form on server, fetching name attributes, pasting login/password values and requesting by POST xhr to /post.php with serialized string.

    cV2sD3JzH2=login&3JX2zJ7QlC=password&char=%C2%AA&hash=...
    

    Yet, since the hash is generated client-side by js (by md5.js), I can't generate hash server side by php... What's the way out?

    Some thoughts:

    1. Transform md5.js into a server-side script and execute it to produce hash. How?
    2. Use AngularJS (or similar JS framework on server) to run md5.js on server to produce hash. Disclaimer: I'm not familiar with AngularJS.

    Update

    Sorry, I've presumptuously thought I could fetch the obfuscated name attribute values and char input value server-side. Yet, as RamRaider mentioned, without javascript enabled they are named *email* and *password* and no hidden char input is in the html when javascript is disabled. So, when fetching content with php cUrl (no js server-side), I have a clean form without hidden char input and unobfuscated name values, see it below (removed styling):

    <form id="loginform" method="post" action="/post.php">
      <input id="login-username" type="text"  name="email" value="" >                   
      <input id="login-password" type="password" name="password" >
      <a id="btn-login" href="#" class="btn btn-success">Login  </a>
    </form>
    

    Again JS tricks that are not avail at server-side. How can I fix it?

    I was searching for JS inserting somewhere new attribute values, but in vain. It should be smth. like the following:

    $('login-form').attr('name', <new value>); 
    

    Solution

    It is not obvious where the md5.js that's being used there comes from or where the doc is for it. As such, you have these options:

    1. You can test it to see if it generates the same results as PHP's MD5 function on a bunch of different inputs.
    2. You can attempt to find the author of that md5.js and ask them.
    3. You can just port it to PHP (it's just math) and be sure you have the same algorithm.
    4. You can study the source of both implementations to see if you can conclude whether it's implementing the exact same algorithm.

    I'd suggest you start with the first option since that's the easiest way to immediately tell whether they might be the same algorithm or not.
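
Option 1 from the answer above, as an added example that is not part of the original answer or of the site's md5.js: a differential test in Node.js that runs a candidate `md5` function against a standard MD5 reference (RFC 1321, the same digest PHP's `md5()` returns for the same bytes). `SAMPLE_INPUTS`, `findMismatches` and the `latin1Md5` stand-in are names constructed for this illustration; the stand-in models an implementation that agrees on ASCII but diverges on non-ASCII input.

```javascript
const nodeCrypto = require('crypto');

// Reference: standard MD5 over the UTF-8 bytes of the string.
function referenceMd5(str) {
  return nodeCrypto.createHash('md5').update(Buffer.from(str, 'utf8')).digest('hex');
}

// Constructed inputs: RFC 1321 vectors, lengths around the 64-byte block and
// padding boundaries, the serialized-form shape from the question, and a raw
// non-ASCII string that exposes string-to-byte encoding differences.
const SAMPLE_INPUTS = [
  '',
  'a',
  'abc',
  'message digest',
  'x'.repeat(55), 'x'.repeat(56), 'x'.repeat(64), 'x'.repeat(119),
  'cV2sD3JzH2=login&3JX2zJ7QlC=password&char=%C2%AA',
  'char=\u00aa',
];

// Returns every input on which the candidate disagrees with the reference.
// A candidate that throws is recorded as a mismatch rather than aborting the run.
function findMismatches(candidate, inputs = SAMPLE_INPUTS) {
  const mismatches = [];
  for (const input of inputs) {
    let got;
    try {
      got = String(candidate(input)).toLowerCase();
    } catch (err) {
      got = 'threw: ' + err.message;
    }
    const want = referenceMd5(input);
    if (got !== want) mismatches.push({ input, got, want });
  }
  return mismatches;
}

// Hypothetical stand-in for an md5.js that hashes one byte per character
// (Latin-1 style) instead of encoding the string as UTF-8 first.
function latin1Md5(str) {
  return nodeCrypto.createHash('md5').update(Buffer.from(str, 'latin1')).digest('hex');
}
```

An empty result from `findMismatches` means the candidate matched standard MD5 on every sample. A mismatch only on the non-ASCII input points at string encoding rather than a different hash algorithm; the string produced by `serialize()` is already percent-encoded ASCII, so that difference would not affect it.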
