hc-httpclient-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jeff Davis <j...@FlyingDiamond.com>
Subject Re: Getting past authentication to Flickr/Yahoo
Date Wed, 05 May 2010 22:26:45 GMT
sebb wrote:
> On 05/05/2010, lsacco <occasl@gmail.com> wrote:
>   
>>  olegk wrote:
>>  >
>>  > Yahoo as well as other high profile sites intentionally make it very
>>  > difficult to script their login process.
>>  >
>>
>>
>> Yeah, no kidding!  Here's my code...I basically combed there form and create
>>  new NameValuePairs for them.  They also have hash function onSubmit to MD5
>>  the password and challenge phrase and so I just do that in Java.  Still
>>  after all my efforts, I can't get passed the login form.  Anything you see
>>  below that I might be missing?  Thanks!
>>     
>
> Try comparing the HTTP traffic for a successful session from a browser
> with what your application is sending, and then tweak the code as
> needed.
>
> A protocol analyser such as Wireshark can help with this.
>   
Perfect advice, the only thing I have to add is that Wireshark isn't 
much help for https  -  if you can also log in on http then that will 
work great.

Otherwise you'll need a browser plugin to sniff the packets before they 
get encrypted.  Here is a few options:

http://http-sniffer-plugin.qarchive.org/

>   
>>                 String url = "https://login.yahoo.com";
>>                 int port = 443;
>>
>>                 HttpClient _client = new HttpClient();
>>                 _client.getHostConfiguration().setHost(url, port, "https");
>>                 _client.getState().setCookiePolicy(CookiePolicy.COMPATIBILITY);
>>
>>                 GetMethod authget = new GetMethod(url);
>>
>>                 try {
>>                         _client.executeMethod(authget);
>>                 } catch (IOException i) {
>>                         i.printStackTrace();
>>                 }
>>
>>                 // Read the response body.
>>                 byte[] responseBody = authget.getResponseBody();
>>                 String _strGetRspBody = authget.getResponseBodyAsString();
>>                 _logger.debug("GetRspBody: " + _strGetRspBody);
>>
>>                 // release any connection resources used by the method
>>                 authget.releaseConnection();
>>
>>                 // Get the .u value
>>                 int intUStart = _strGetRspBody
>>                                 .indexOf("<input type=\"hidden\" name=\".u\"");
>>                 intUStart = intUStart + 38;
>>                 String strU = _strGetRspBody.substring(intUStart, intUStart + 13);
>>                 _logger.debug("U value from Get: " + strU);
>>
>>                 // Get the .challenge value
>>                 int intChallengeStart = _strGetRspBody
>>                                 .indexOf("<input type=\"hidden\" name=\".challenge\"");
>>                 intChallengeStart = intChallengeStart + 46;
>>                 String strChallenge = _strGetRspBody.substring(intChallengeStart,
>>                                 intChallengeStart + 28);
>>                 _logger.debug("Challenge value from Get: " + strChallenge);
>>
>>                 //JS Function in Yahoo! form to hash password onSubmit
>>  //              function hash2(form){var passwd=form.passwd.value
>>  //              if(!form.passwd.value){return false;}
>>  //              if(ok_password(passwd)){return true;}
>>  //              var challenge=form[".challenge"].value;
>>  //              var fullhash=MD5(MD5(passwd)+challenge);
>>  //              form.passwd.value=fullhash;
>>  //              form[".md5"].value=1;form[".hash"].value=1;form[".js"].value=1;
>>  //              return true;}
>>                 String hashPwd = MD5(MD5(password) + strChallenge);
>>                 _logger.debug("hashPwd value from Get: " + hashPwd);
>>
>>                 NameValuePair[] nvPairs = new NameValuePair[24];
>>                 nvPairs[0] = new NameValuePair("username", user);
>>                 nvPairs[1] = new NameValuePair("passwd", hashPwd);
>>                 nvPairs[2] = new NameValuePair(".tries","1");
>>                 nvPairs[3] = new NameValuePair(".src","flickr");
>>                 nvPairs[4] = new NameValuePair(".md5","1");
>>                 nvPairs[5] = new NameValuePair(".hash","1");
>>                 nvPairs[6] = new NameValuePair(".js","1");
>>                 nvPairs[7] = new NameValuePair(".last","");
>>                 nvPairs[8] = new NameValuePair("promo","");
>>                 nvPairs[9] = new NameValuePair(".intl","us");
>>                 nvPairs[10] = new NameValuePair(".bypass","");
>>                 nvPairs[11] = new NameValuePair(".partner","");
>>                 nvPairs[12] = new NameValuePair(".u",strU);
>>                 nvPairs[13] = new NameValuePair(".v","0");
>>                 nvPairs[14] = new NameValuePair(".challenge",strChallenge);
>>                 nvPairs[15] = new NameValuePair(".yplus","");
>>                 nvPairs[16] = new NameValuePair(".emailCode","");
>>                 nvPairs[17] = new NameValuePair("pkg","");
>>                 nvPairs[18] = new NameValuePair("stepid","");
>>                 nvPairs[19] = new NameValuePair(".ev","");
>>                 nvPairs[20] = new NameValuePair("hasMsgr","0");
>>                 nvPairs[21] = new NameValuePair(".chkP","Y");
>>                 nvPairs[22] = new
>>  NameValuePair(".done","http://www.flickr.com/services/api/tos/");
>>                 nvPairs[23] = new NameValuePair(".pd","_ver=0&c=&ivt=&sg=");
>>
>>                 String strLogonUrl = "https://login.yahoo.com/config/login?";
>>                 PostMethod authpost = new PostMethod(strLogonUrl);
>>
>>                 // Prepare login parameters
>>                 authpost.setRequestBody(nvPairs);
>>
>>                 try {
>>                         _client.executeMethod(authpost);
>>                 } catch (IOException i) {
>>                         i.printStackTrace();
>>                 }
>>
>>                 String strStatusLine = authpost.getStatusLine().toString();
>>                 System.out.println("Login form post: " + strStatusLine);
>>
>>                 String _strPostRspBody = authpost.getResponseBodyAsString();
>>                 _logger.debug("Response Body from Post: \n" + _strPostRspBody);
>>
>>                 // release any connection resources used by the method
>>                 authpost.releaseConnection();
>>
>>
>>  --
>>  View this message in context: http://old.nabble.com/Getting-past-authentication-to-Flickr-Yahoo-tp28440624p28466685.html
>>
>> Sent from the HttpClient-User mailing list archive at Nabble.com.
>>
>>
>>  ---------------------------------------------------------------------
>>
>> To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
>>  For additional commands, e-mail: httpclient-users-help@hc.apache.org
>>
>>
>>     
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
> For additional commands, e-mail: httpclient-users-help@hc.apache.org
>
>
>   


---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
For additional commands, e-mail: httpclient-users-help@hc.apache.org


Mime
View raw message