cURL CSRF令牌 [英] cURL CSRF Token
问题描述
我几个月前,我的同事通过获取工作日程表创建了日历订阅。我相信他已经通过cURL这样做了。
I few months ago, my colleague created an calendar subscription by getting the work schedule. I believe he has done this by cURL.
现在我正在建立一个网站来概述今天应该完成的任务。
Now I'm building a website to have an overview about the tasks that should be done today.
我想检索计划,以便我可以使用它来显示正在特定日期工作的人的姓名。
I want to retrieve the schedule so I can use it to display the name of the people that are working a specific day.
我在网上找到了一个教程,解释了如何在登录后获取数据。
我做的是我复制了登录表单中的输入字段的名称和名为 signin [_csrf_token] 的隐藏字段的名称
I found a tutorial on the web that explains how I can get de data after a login. what I did is that I copied the name of the input fields in the login form, and the name of a hidden field named signin[_csrf_token]
这些名称,我创建了以下代码:
with those names, I created the following code:
<?php
$username = "myusername";
$password = "mypassword";
$url = "http://planner.a-mac.nl/employeeSchedule";
$cookie= "koekje.txt";
$token = "2e4c16f2b664f3ed01827dd38dc11d22";
$ch = curl_init();
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_COOKIEJAR, '/tmp/'.$cookie);
curl_setopt($ch, CURLOPT_COOKIEFILE, '/tmp/'.$cookie);
curl_setopt($ch, CURLOPT_POSTFIELDS, "signin[username]=" . $username ."&signin[password]=" . $password . "&signin[_csrf_token]=" . $token);
//stuur de gegevens uit het formulier door naar de link
curl_exec($ch);
//Zet de output op het scherm
if (curl_errno($ch))
{
print curl_error($ch);
//Als er een fout is geef deze dan
}
else
{
curl_close($ch);
//Sluit de link met de website
}
?>
当我使用上面的代码加载页面时,我得到的登录表单带有错误信息: / p>
When I load my page with the above code, I get the login form with the error message:
检测到CSRF攻击
CSRF Attack Detected
我如何解决这个问题,所以我可以从网站得到什么数据?
Could someone help me how to solve this problem so I can what data I got from the website?
我联系了我的老同事,但他说他不知道了。 ..
I contacted my old colleague, but he says "he doesn't know anymore"...
推荐答案
CSRF令牌字段值不是固定的,而是新创建的会话的随机生成的值。您需要首先对网页进行干净调用,以获取CSRF令牌值,之后才能与CSRF令牌一起POST用户名/密码,如:
The CSRF token field value is not fixed but is a randomly generated value for newly created sessions. You need a "clean" call to the webpage first to obtain a CSRF token value, only after that you can POST the username/password together with the CSRF token, as in:
<?php
$username = "myusername";
$password = "mypassword";
$url = "http://planner.a-mac.nl/employeeSchedule";
$cookie= "koekje.txt";
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_COOKIEJAR, '/tmp/'.$cookie);
curl_setopt($ch, CURLOPT_COOKIEFILE, '/tmp/'.$cookie);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$response = curl_exec($ch);
if (curl_errno($ch)) die(curl_error($ch));
$doc = new DOMDocument();
$doc->loadHTML($response);
$token = $doc->getElementById("signin__csrf_token")->attributes->getNamedItem("value")->value;
curl_setopt($ch, CURLOPT_RETURNTRANSFER, false);
curl_setopt($ch, CURLOPT_POST, true);
$params = array(
'signin[username]' => $username,
'signin[password]' => $password,
'signin[_csrf_token]' => $token
);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($params));
curl_exec($ch);
if (curl_errno($ch)) print curl_error($ch);
curl_close($ch);
?>
这篇关于cURL CSRF令牌的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!