403 - ошибка CSRF при попытке войти на сайт с помощью curl - PullRequest
Новая
       28

403 - ошибка CSRF при попытке войти на сайт с помощью curl

0 голосов
/ 23 октября 2019

Я пытаюсь зайти на сайт, чтобы получить логи. Я получаю 403 - Ошибка токена CSRF.

Я пробовал много комбинаций в скрипте curl, но, похоже, ничего не работает. 

<?php
$username = "USERNAME";
$password = "PASSWORD";
$url = "https URL";
$cookie= "/home/myfolder/cookies.txt";
$ua = 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705; .NET CLR 1.1.4322)';

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookie);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookie);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_USERAGENT, $ua);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);

$response = curl_exec($ch);
if (curl_errno($ch)) die(curl_error($ch));

$token=exec("cat cookies.txt | grep 'csrftoken' |  sed 's/[[:space:]]//g' |  sed -e 's/csrftoken/^/g' |  cut -d '^' -f2");
echo "token ".$token;
file_put_contents('/home/myfolder/login_result.txt', $response);


$postinfo = "user=".$username."&pass=".$password."&CSRF_TOKEN=".$token;
curl_setopt($ch, CURLOPT_RETURNTRANSFER, false);
curl_setopt($ch, CURLOPT_USERAGENT, $ua);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookie);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookie);
curl_setopt($ch, CURLOPT_POSTFIELDS, $postinfo);
$html = curl_exec($ch);
    file_put_contents('/home/myfolder/login_result.txt', $html);
if (curl_errno($ch)) print curl_error($ch);

    curl_close($ch);

Я также пытался запустить некоторые команды curl из unix,Я получаю сообщение об ошибке блокировки XSS 

-sh-4.1$ curl -k -v "httpds URL" -H "X-CSRFToken:uJipeKYyW3VMNbhocSzDE8xzv1p0t0cW" -b "csrftoken=uJipeKYyW3VMNbhocSzDE8xzv1p0t0cW" -d "username=USERNAME&password=PASSWORD"
OUTPUT:
* About to connect() to proxy proxy.intra.site.com port 8080 (#0)
*   Trying 190.149.91.7... connected
* Connected to proxy.intra.bt.com (190.149.91.7) port 8080 (#0)
* Establish HTTP proxy tunnel to HTTPS_SITE
> CONNECT HTTPS_SITE HTTP/1.1
> Host: HTTPS_SITE
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.27.1 zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> Proxy-Connection: Keep-Alive
> X-CSRFToken: uJipeKYyW3VMNbhocSzDE8xzv1p0t0cW
>
< HTTP/1.1 200 Connection established
<
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* Proxy replied OK to CONNECT request
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* warning: ignoring value of ssl.verifyhost
* skipping SSL peer certificate verification
* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
*       subject: CN=HTTPS_SITE,OU=ABC,O=ABCD,L=London,ST=London,C=GB
*       start date: Feb 06 00:00:00 2018 GMT
*       expire date: Feb 06 23:59:59 2020 GMT
*       common name: HTTPS_SITE
*       issuer: CN=ABC Secure Server CA - G4,O=ABCD,C=GB
> POST HTTPS_SITE
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.27.1 zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> Host: HTTPS_SITE
> Accept: */*
> Cookie: csrftoken=uJipeKYyW3VMNbhocSzDE8xzv1p0t0cW
> X-CSRFToken: uJipeKYyW3VMNbhocSzDE8xzv1p0t0cW
> Content-Length: 39
> Content-Type: application/x-www-form-urlencoded
>
} [data not shown]
  0     0    0     0    0    39      0    201 --:--:-- --:--:-- --:--:--   245< HTTP/1.1 403 FORBIDDEN
< Date: Wed, 23 Oct 2019 11:48:31 GMT
< Server: apache
< Content-Length: 85681
< x-xss-protection: 1; mode=block
< x-content-type-options: nosniff
< Content-Security-Policy: script-src 'self' 'unsafe-inline' 'unsafe-eval' *.google-analytics.com *.doubleclick.net data:;img-src 'self' *.google-analytics.com *.doubleclick.net http://*.tile.osm.org *.tile.osm.org *.gstatic.com data:;style-src 'self' 'unsafe-inline' fonts.googleapis.com;connect-src 'self';frame-src *;child-src 'self' data: *.vimeo.com;object-src 'none'
< strict-transport-security: max-age=31536000; includeSubDomains
< Vary: Accept-Language,Cookie
< Content-Language: en-us
< X-Frame-Options: SAMEORIGIN
< Content-Type: text/html; charset=utf-8
< audited: False
< Set-Cookie: ROUTEID=._SERVER-4326ad1a201e9faba99117a749b1e53d; path=/
<
{ [data not shown]
100 85681  100 85681    0    39   232k    108 --:--:-- --:--:-- --:--:--  257k* Connection #0 to host proxy.intra.site.com left intact

* Closing connection #0

, но я не могу войти в систему, но постоянно получаю 403 - Ошибка CSRF

...