Member Avatar for hr.Ziggurat

Hi.
i'm trying to login to an asp login page via php and curl...
i wrote this code by google help. i expect see originale login page whith invalid username and password message , but i see only 'Object moved to here.' error.

<?php
$urlLogin = "http://xxxx/LoginPage.aspx";
$nameUsername='txtUsername';
$namePassword='txtPassword';
$valUsername ='ivalid_username'; 
$valPassword ='invalid_password';
$cookieFile = 'cookie.txt';
$regexViewstate = '/__VIEWSTATE\" value=\"(.*)\"/i';
$regexEventVal  = '/__EVENTVALIDATION\" value=\"(.*)\"/i';

function regexExtract($text, $regex, $regs, $nthValue)
{
    if (preg_match($regex, $text, $regs)) {
         $result = $regs[$nthValue];
    }
    else {
         $result = "";
    }
    return $result;
}

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $urlLogin);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);
//curl_setopt($ch, CURLOPT_FOLLOWLOCATION, TRUE);
curl_setopt($ch, CURLOPT_UNRESTRICTED_AUTH, TRUE);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
$data=curl_exec($ch);
$viewstate = regexExtract($data,$regexViewstate,$regs,1);
$eventval = regexExtract($data, $regexEventVal,$regs,1);

$postData = '__VIEWSTATE='.$viewstate.'&__EVENTVALIDATION='.$eventval.'&'.$nameUsername.'='.$valUsername.'&'.$namePassword.'='.$valPassword;
curl_setOpt($ch, CURLOPT_POST, TRUE);
curl_setopt($ch, CURLOPT_POSTFIELDS, $postData);
curl_setopt($ch, CURLOPT_URL, $urlLogin);   
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookieFile);     
curl_setOpt($ch, CURLOPT_HTTPGET, FALSE);
$data = curl_exec($ch);
echo $data;

//curl_setOpt($ch, CURLOPT_POST, FALSE);
//curl_setopt($ch, CURLOPT_URL, $urlSecuredPage);   
//curl_setopt($ch, CURLOPT_COOKIEFILE, $cookieFile);     
//$data = curl_exec($ch);
//echo $data;

curl_close($ch);
?>

i think the problem cause is curl_setopt($ch, CURLOPT_FOLLOWLOCATION, TRUE); , i cant use it , because gives me this warning : 'Warning: curl_setopt() [function.curl-setopt]: CURLOPT_FOLLOWLOCATION cannot be activated when safe_mode is enabled or an open_basedir...'
please say me where is my mistake. thanks in advance for help.

  • 3 Contributors
  • 14 Replies
  • 2K Views
  • 4 Days Discussion Span
  • Latest Post Latest Post by hr.Ziggurat
Member Avatar for pritaeas

If safe_mode is enabled and you cannot disable it, then you might not get this to work. Fortunately, other people have had similar issues, so you can try this workaround.

Member Avatar for hr.Ziggurat

thanx pritaeas. i had seen edmondscommerce.co.uk before , and with that code warning message removed but output is only 'Object moved to here' , i'm confused really...
i test this :

<?php
$urlLogin = "http://xxxxxx/LoginPage.aspx?ReturnUrl=%2fdefault.aspx";
$regexViewstate = '/__VIEWSTATE\" value=\"(.*)\"/i';
$regexEventVal  = '/__EVENTVALIDATION\" value=\"(.*)\"/i';

function regexExtract($text, $regex, $regs, $nthValue)
{
if (preg_match($regex, $text, $regs)) {
 $result = $regs[$nthValue];
}
else {
 $result = "";
}
return $result;
}


$ch = curl_init();

curl_setopt($ch, CURLOPT_URL, $urlLogin);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);
//curl_setopt($ch, CURLOPT_FOLLOWLOCATION, TRUE);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
$data=curl_exec($ch);

$viewstate = regexExtract($data,$regexViewstate,$regs,1);
$eventval = regexExtract($data, $regexEventVal,$regs,1);
?>
<html>
<head><title>New Login Page</title></head><body>
    <form name="ctl00" method="post" action="<?php echo $urlLogin ?>" id="ctl00">

<div>

<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="<?php echo $viewstate ?>" />

</div>



<div>



    <input type="hidden" name="__VIEWSTATEENCRYPTED" id="__VIEWSTATEENCRYPTED" value="" />

    <input type="hidden" name="__EVENTVALIDATION" id="__EVENTVALIDATION" value="<?php echo $eventval ?>" />

</div>

<table align="center" width="100%" ><tr><td align="center">
    <table width="300px" border="0" cellpadding="0" cellspacing="0">
    <tr>
        <td align="center">
            <table><tr><td>user:</td><td><input name="txtUsername" type="text" /></td></tr></table>
        </td>
    </tr>
    <tr>
        <td align="center">
            <table><tr><td>pass:</td><td><input name="txtPassword" type="password" /></td></tr></table>
        </td>
    </tr>
    <tr>
        <td align="center"><input type="submit" name="btnLogin" value="Login" id="btnLogin" class="enter_btn" /></td>
    </tr>
    </table>
</td></tr>
<tr><td align="center">--------------</td></tr>
</table>

</form>
</body></html>

its work correctly , but if username or password be invalid , original asp login page is shown with invalid username or password message , i want to do recognize invalid username and password in my page and show message there.

Edited by hr.Ziggurat because: I'm foolish!!!!!!!!!!!
Member Avatar for Sogo7

but if username or password be invalid , original asp login page is shown with invalid username or password message , i want to do recognize invalid username and password in my page and show message there.

Sounds like Phishing? or the beginnings of a Brute Force password cracker. If you do not know the username & Password pair is valid why try to login in with them?

Member Avatar for hr.Ziggurat

you misconceive what i said , i want show invalid username (or password) message in my login page.
one of the my friends asked me to do this work and originial web is her. he doesn't satisfy from current login page.
we can't access to db and web source. therefore , i think my alone way is using from cURL. please help me...

Member Avatar for hr.Ziggurat

No one knows anything?
Nobody cant help?

Member Avatar for pritaeas

Did you make changes to your code?

Member Avatar for hr.Ziggurat

yes , i used from your help , and write this code :

<?php
$urlLogin = "http://xxx/LoginPage.aspx?ReturnUrl=%2fdefault.aspx";
$nameUsername='txtUsername';
$namePassword='txtPassword';
$valUsername ='invaliduser'; 
$valPassword ='invalidpass';
$nameLoginBtn='btnLogin';
$valLoginBtn =''; 
$cookieFile = 'cookie.txt';
$regexViewstate = '/__VIEWSTATE\" value=\"(.*)\"/i';
$regexEventVal  = '/__EVENTVALIDATION\" value=\"(.*)\"/i';
function regexExtract($text, $regex, $regs, $nthValue)
{
    if (preg_match($regex, $text, $regs)) {
         $result = $regs[$nthValue];
    }
    else {
         $result = "";
    }
    return $result;
}


function curl($go){

//follow on location problems

if (ini_get('open_basedir') == '' && ini_get('safe_mode' == 'Off')){

curl_setopt ($go, CURLOPT_FOLLOWLOCATION, $l);

$syn = curl_exec($go);

}else{

$syn = curl_redir_exec($go);

}


return $syn;
}

//follow on location problems workaround

function curl_redir_exec($ch)

{

static $curl_loops = 0;

static $curl_max_loops = 20;

if ($curl_loops++ >= $curl_max_loops)

{

$curl_loops = 0;

return FALSE;

}

curl_setopt($ch, CURLOPT_HEADER, true);

curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);

$data = curl_exec($ch);

list($header, $data) = explode("\n\n", $data, 2);

$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);

if ($http_code == 301 || $http_code == 302)

{

$matches = array();

preg_match('/Location:(.*?)\n/', $header, $matches);

$url = @parse_url(trim(array_pop($matches)));

if (!$url)

{

//couldn't process the url to redirect to

$curl_loops = 0;

return $data;

}

$last_url = parse_url(curl_getinfo($ch, CURLINFO_EFFECTIVE_URL));

if (!$url['scheme'])

$url['scheme'] = $last_url['scheme'];

if (!$url['host'])

$url['host'] = $last_url['host'];

if (!$url['path'])

$url['path'] = $last_url['path'];

$new_url = $url['scheme'] . '://' . $url['host'] . $url['path'] . ($url['query']?'?'.$url['query']:'');

curl_setopt($ch, CURLOPT_URL, $new_url);

return curl_redir_exec($ch);

} else {

$curl_loops=0;

return $data;

}

}



$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $urlLogin);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);
//curl_setopt($ch, CURLOPT_FOLLOWLOCATION, TRUE);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
$data=curl($ch);
$viewstate = regexExtract($data,$regexViewstate,$regs,1);
$eventval = regexExtract($data, $regexEventVal,$regs,1);
$postData = '__VIEWSTATE='.$viewstate.'&__EVENTVALIDATION='.$eventval.'&'.$nameUsername.'='.$valUsername.'&'.$namePassword.'='.$valPassword.'&'.$nameLoginBtn.'='.$valLoginBtn;
echo $postData;
curl_setOpt($ch, CURLOPT_POST, TRUE);
curl_setopt($ch, CURLOPT_POSTFIELDS, $postData);
curl_setopt($ch, CURLOPT_URL, $urlLogin);   
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookieFile);     
$data = curl_exec($ch);
echo $data;
//curl_setOpt($ch, CURLOPT_POST, FALSE);
//curl_setopt($ch, CURLOPT_URL, $urlSecuredPage);   
//curl_setopt($ch, CURLOPT_COOKIEFILE, $cookieFile);     
//$data = curl_exec($ch);
//echo $data;
curl_close($ch);
?>

Still does not work and gives 'Object moved to here' error. see it :
my page

Edited by hr.Ziggurat
Member Avatar for pritaeas

You are not using the new function.

Member Avatar for hr.Ziggurat

no , i used new function @ line 133.

Member Avatar for pritaeas

Line 142 threw me off. Did you debug? Where does it go wrong?

Member Avatar for hr.Ziggurat

thank you guy for your help. i thought that one time using from 'curl function' is enough. i used from curl_exec instead curl @ line 142 and 'object moved...' message was removed finally.
but there is a new problem , a asp error : 'Description: An application error occurred on the server. The current custom error settings for this application prevent the details of the application error from being viewed remotely (for security reasons)...'
how can i solve it without access to 'Web.Config'?

Member Avatar for hr.Ziggurat

pritaeas => your advices really helped me, please guide me in my new problem...
im waiting for u!

Member Avatar for pritaeas

The error is happening on the site you are trying to open. There is no way to get detailed information, if you do not have access to it. I think your only option is to contact the site owners, and ask them for assistence.

Member Avatar for hr.Ziggurat

Thanks a lot my friend. i will do what you said.

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.