0

Hi.
i'm trying to login to an asp login page via php and curl...
i wrote this code by google help. i expect see originale login page whith invalid username and password message , but i see only 'Object moved to here.' error.

<?php
$urlLogin = "http://xxxx/LoginPage.aspx";
$nameUsername='txtUsername';
$namePassword='txtPassword';
$valUsername ='ivalid_username'; 
$valPassword ='invalid_password';
$cookieFile = 'cookie.txt';
$regexViewstate = '/__VIEWSTATE\" value=\"(.*)\"/i';
$regexEventVal  = '/__EVENTVALIDATION\" value=\"(.*)\"/i';

function regexExtract($text, $regex, $regs, $nthValue)
{
    if (preg_match($regex, $text, $regs)) {
         $result = $regs[$nthValue];
    }
    else {
         $result = "";
    }
    return $result;
}

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $urlLogin);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);
//curl_setopt($ch, CURLOPT_FOLLOWLOCATION, TRUE);
curl_setopt($ch, CURLOPT_UNRESTRICTED_AUTH, TRUE);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
$data=curl_exec($ch);
$viewstate = regexExtract($data,$regexViewstate,$regs,1);
$eventval = regexExtract($data, $regexEventVal,$regs,1);

$postData = '__VIEWSTATE='.$viewstate.'&__EVENTVALIDATION='.$eventval.'&'.$nameUsername.'='.$valUsername.'&'.$namePassword.'='.$valPassword;
curl_setOpt($ch, CURLOPT_POST, TRUE);
curl_setopt($ch, CURLOPT_POSTFIELDS, $postData);
curl_setopt($ch, CURLOPT_URL, $urlLogin);   
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookieFile);     
curl_setOpt($ch, CURLOPT_HTTPGET, FALSE);
$data = curl_exec($ch);
echo $data;

//curl_setOpt($ch, CURLOPT_POST, FALSE);
//curl_setopt($ch, CURLOPT_URL, $urlSecuredPage);   
//curl_setopt($ch, CURLOPT_COOKIEFILE, $cookieFile);     
//$data = curl_exec($ch);
//echo $data;

curl_close($ch);
?>

i think the problem cause is curl_setopt($ch, CURLOPT_FOLLOWLOCATION, TRUE); , i cant use it , because gives me this warning : 'Warning: curl_setopt() [function.curl-setopt]: CURLOPT_FOLLOWLOCATION cannot be activated when safe_mode is enabled or an open_basedir...'
please say me where is my mistake. thanks in advance for help.

3
Contributors
14
Replies
17
Views
5 Years
Discussion Span
Last Post by hr.Ziggurat
0

thanx pritaeas. i had seen edmondscommerce.co.uk before , and with that code warning message removed but output is only 'Object moved to here' , i'm confused really...
i test this :

<?php
$urlLogin = "http://xxxxxx/LoginPage.aspx?ReturnUrl=%2fdefault.aspx";
$regexViewstate = '/__VIEWSTATE\" value=\"(.*)\"/i';
$regexEventVal  = '/__EVENTVALIDATION\" value=\"(.*)\"/i';

function regexExtract($text, $regex, $regs, $nthValue)
{
if (preg_match($regex, $text, $regs)) {
 $result = $regs[$nthValue];
}
else {
 $result = "";
}
return $result;
}


$ch = curl_init();

curl_setopt($ch, CURLOPT_URL, $urlLogin);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);
//curl_setopt($ch, CURLOPT_FOLLOWLOCATION, TRUE);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
$data=curl_exec($ch);

$viewstate = regexExtract($data,$regexViewstate,$regs,1);
$eventval = regexExtract($data, $regexEventVal,$regs,1);
?>
<html>
<head><title>New Login Page</title></head><body>
    <form name="ctl00" method="post" action="<?php echo $urlLogin ?>" id="ctl00">

<div>

<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="<?php echo $viewstate ?>" />

</div>



<div>



    <input type="hidden" name="__VIEWSTATEENCRYPTED" id="__VIEWSTATEENCRYPTED" value="" />

    <input type="hidden" name="__EVENTVALIDATION" id="__EVENTVALIDATION" value="<?php echo $eventval ?>" />

</div>

<table align="center" width="100%" ><tr><td align="center">
    <table width="300px" border="0" cellpadding="0" cellspacing="0">
    <tr>
        <td align="center">
            <table><tr><td>user:</td><td><input name="txtUsername" type="text" /></td></tr></table>
        </td>
    </tr>
    <tr>
        <td align="center">
            <table><tr><td>pass:</td><td><input name="txtPassword" type="password" /></td></tr></table>
        </td>
    </tr>
    <tr>
        <td align="center"><input type="submit" name="btnLogin" value="Login" id="btnLogin" class="enter_btn" /></td>
    </tr>
    </table>
</td></tr>
<tr><td align="center">--------------</td></tr>
</table>

</form>
</body></html>

its work correctly , but if username or password be invalid , original asp login page is shown with invalid username or password message , i want to do recognize invalid username and password in my page and show message there.

Edited by hr.Ziggurat: I'm foolish!!!!!!!!!!!

0

but if username or password be invalid , original asp login page is shown with invalid username or password message , i want to do recognize invalid username and password in my page and show message there.

Sounds like Phishing? or the beginnings of a Brute Force password cracker. If you do not know the username & Password pair is valid why try to login in with them?

0

you misconceive what i said , i want show invalid username (or password) message in my login page.
one of the my friends asked me to do this work and originial web is her. he doesn't satisfy from current login page.
we can't access to db and web source. therefore , i think my alone way is using from cURL. please help me...

0

yes , i used from your help , and write this code :

<?php
$urlLogin = "http://xxx/LoginPage.aspx?ReturnUrl=%2fdefault.aspx";
$nameUsername='txtUsername';
$namePassword='txtPassword';
$valUsername ='invaliduser'; 
$valPassword ='invalidpass';
$nameLoginBtn='btnLogin';
$valLoginBtn =''; 
$cookieFile = 'cookie.txt';
$regexViewstate = '/__VIEWSTATE\" value=\"(.*)\"/i';
$regexEventVal  = '/__EVENTVALIDATION\" value=\"(.*)\"/i';
function regexExtract($text, $regex, $regs, $nthValue)
{
    if (preg_match($regex, $text, $regs)) {
         $result = $regs[$nthValue];
    }
    else {
         $result = "";
    }
    return $result;
}


function curl($go){

//follow on location problems

if (ini_get('open_basedir') == '' && ini_get('safe_mode' == 'Off')){

curl_setopt ($go, CURLOPT_FOLLOWLOCATION, $l);

$syn = curl_exec($go);

}else{

$syn = curl_redir_exec($go);

}


return $syn;
}

//follow on location problems workaround

function curl_redir_exec($ch)

{

static $curl_loops = 0;

static $curl_max_loops = 20;

if ($curl_loops++ >= $curl_max_loops)

{

$curl_loops = 0;

return FALSE;

}

curl_setopt($ch, CURLOPT_HEADER, true);

curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);

$data = curl_exec($ch);

list($header, $data) = explode("\n\n", $data, 2);

$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);

if ($http_code == 301 || $http_code == 302)

{

$matches = array();

preg_match('/Location:(.*?)\n/', $header, $matches);

$url = @parse_url(trim(array_pop($matches)));

if (!$url)

{

//couldn't process the url to redirect to

$curl_loops = 0;

return $data;

}

$last_url = parse_url(curl_getinfo($ch, CURLINFO_EFFECTIVE_URL));

if (!$url['scheme'])

$url['scheme'] = $last_url['scheme'];

if (!$url['host'])

$url['host'] = $last_url['host'];

if (!$url['path'])

$url['path'] = $last_url['path'];

$new_url = $url['scheme'] . '://' . $url['host'] . $url['path'] . ($url['query']?'?'.$url['query']:'');

curl_setopt($ch, CURLOPT_URL, $new_url);

return curl_redir_exec($ch);

} else {

$curl_loops=0;

return $data;

}

}



$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $urlLogin);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);
//curl_setopt($ch, CURLOPT_FOLLOWLOCATION, TRUE);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
$data=curl($ch);
$viewstate = regexExtract($data,$regexViewstate,$regs,1);
$eventval = regexExtract($data, $regexEventVal,$regs,1);
$postData = '__VIEWSTATE='.$viewstate.'&__EVENTVALIDATION='.$eventval.'&'.$nameUsername.'='.$valUsername.'&'.$namePassword.'='.$valPassword.'&'.$nameLoginBtn.'='.$valLoginBtn;
echo $postData;
curl_setOpt($ch, CURLOPT_POST, TRUE);
curl_setopt($ch, CURLOPT_POSTFIELDS, $postData);
curl_setopt($ch, CURLOPT_URL, $urlLogin);   
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookieFile);     
$data = curl_exec($ch);
echo $data;
//curl_setOpt($ch, CURLOPT_POST, FALSE);
//curl_setopt($ch, CURLOPT_URL, $urlSecuredPage);   
//curl_setopt($ch, CURLOPT_COOKIEFILE, $cookieFile);     
//$data = curl_exec($ch);
//echo $data;
curl_close($ch);
?>

Still does not work and gives 'Object moved to here' error. see it :
my page

Edited by hr.Ziggurat

0

thank you guy for your help. i thought that one time using from 'curl function' is enough. i used from curl_exec instead curl @ line 142 and 'object moved...' message was removed finally.
but there is a new problem , a asp error : 'Description: An application error occurred on the server. The current custom error settings for this application prevent the details of the application error from being viewed remotely (for security reasons)...'
how can i solve it without access to 'Web.Config'?

0

pritaeas => your advices really helped me, please guide me in my new problem...
im waiting for u!

0

The error is happening on the site you are trying to open. There is no way to get detailed information, if you do not have access to it. I think your only option is to contact the site owners, and ask them for assistence.

This question has already been answered. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.