hc-httpclient-users mailing list archives

From sebb <seb...@gmail.com>
Subject Re: Getting past authentication to Flickr/Yahoo
Date Wed, 05 May 2010 23:15:11 GMT
On 05/05/2010, lsacco <occasl@gmail.com> wrote:
>
>
>  olegk wrote:
>  >
>  > Yahoo as well as other high profile sites intentionally make it very
>  > difficult to script their login process.
>  >
>
>
> Yeah, no kidding!  Here's my code...I basically combed their form and created
>  new NameValuePairs for them.  They also have a hash function onSubmit to MD5
>  the password and challenge phrase, and so I just do that in Java.  Still,
>  after all my efforts, I can't get past the login form.  Anything you see
>  below that I might be missing?  Thanks!

Try comparing the HTTP traffic for a successful session from a browser
with what your application is sending, and then tweak the code as
needed.

A protocol analyser such as Wireshark can help with this.

>                 String url = "https://login.yahoo.com";
>                 int port = 443;
>                 /* Overview of the quoted fragment: GET the login page, scrape the hidden .u
>                  * and .challenge form fields at fixed offsets, compute
>                  * MD5(MD5(password) + challenge) as the page's hash2() script does, then POST
>                  * the 24 form fields. user, password, _logger and MD5() are not declared
>                  * in the fragment. */
>                 HttpClient _client = new HttpClient();
>                 _client.getHostConfiguration().setHost(url, port, "https");
>                 _client.getState().setCookiePolicy(CookiePolicy.COMPATIBILITY);
>                 /* NOTE(review): setHost above is given the full URL string as its first
>                  * argument - confirm the API expects that rather than a bare host name. */
>                 GetMethod authget = new GetMethod(url);
>
>                 try {
>                         _client.executeMethod(authget);
>                 } catch (IOException i) {
>                         i.printStackTrace();
>                 }
>                 /* An IOException from the GET is only printed; the reads below still run.
>                  * NOTE(review): releaseConnection() is not in a finally block, so it is
>                  * skipped if anything in between throws. */
>                 // Read the response body (responseBody is not used again in this fragment).
>                 byte[] responseBody = authget.getResponseBody();
>                 String _strGetRspBody = authget.getResponseBodyAsString();
>                 _logger.debug("GetRspBody: " + _strGetRspBody);
>                 // The debug line above writes the whole login page (from which .challenge is parsed below) to the log.
>                 // release any connection resources used by the method
>                 authget.releaseConnection();
>
>                 /* Get the .u value. 38 = the 30-character marker plus 8 more characters
>                  * (presumably the  value="  prefix - confirm against the page); 13 is a
>                  * hard-coded length. indexOf returns -1 when the marker is missing and that
>                  * is not checked, so substring would silently read from offset 37. */
>                 int intUStart = _strGetRspBody
>                                 .indexOf("<input type=\"hidden\" name=\".u\"");
>                 intUStart = intUStart + 38;
>                 String strU = _strGetRspBody.substring(intUStart, intUStart + 13);
>                 _logger.debug("U value from Get: " + strU);
>
>                 /* Get the .challenge value the same way: 46 = the 38-character marker plus 8,
>                  * 28 is a hard-coded length, and a missing marker is not detected either. */
>                 int intChallengeStart = _strGetRspBody
>                                 .indexOf("<input type=\"hidden\" name=\".challenge\"");
>                 intChallengeStart = intChallengeStart + 46;
>                 String strChallenge = _strGetRspBody.substring(intChallengeStart,
>                                 intChallengeStart + 28);
>                 _logger.debug("Challenge value from Get: " + strChallenge);
>
>                 // JS function in the Yahoo! form that hashes the password on submit (kept for reference):
>  //              function hash2(form){var passwd=form.passwd.value
>  //              if(!form.passwd.value){return false;}
>  //              if(ok_password(passwd)){return true;}
>  //              var challenge=form[".challenge"].value;
>  //              var fullhash=MD5(MD5(passwd)+challenge);
>  //              form.passwd.value=fullhash;
>  //              form[".md5"].value=1;form[".hash"].value=1;form[".js"].value=1;
>  //              return true;}
>                 String hashPwd = MD5(MD5(password) + strChallenge);
>                 _logger.debug("hashPwd value from Get: " + hashPwd);
>                 /* hashPwd is the value submitted in the passwd field, so treat it as credential
>                  * material: it is unsalted MD5 over the password and the challenge, and both
>                  * hashPwd and the challenge are written to the debug log above. Keep them out
>                  * of logs. */
>                 NameValuePair[] nvPairs = new NameValuePair[24];
>                 nvPairs[0] = new NameValuePair("username", user);
>                 nvPairs[1] = new NameValuePair("passwd", hashPwd);
>                 nvPairs[2] = new NameValuePair(".tries","1");
>                 nvPairs[3] = new NameValuePair(".src","flickr");
>                 nvPairs[4] = new NameValuePair(".md5","1");
>                 nvPairs[5] = new NameValuePair(".hash","1");
>                 nvPairs[6] = new NameValuePair(".js","1");
>                 nvPairs[7] = new NameValuePair(".last","");
>                 nvPairs[8] = new NameValuePair("promo","");
>                 nvPairs[9] = new NameValuePair(".intl","us");
>                 nvPairs[10] = new NameValuePair(".bypass","");
>                 nvPairs[11] = new NameValuePair(".partner","");
>                 nvPairs[12] = new NameValuePair(".u",strU);
>                 nvPairs[13] = new NameValuePair(".v","0");
>                 nvPairs[14] = new NameValuePair(".challenge",strChallenge);
>                 nvPairs[15] = new NameValuePair(".yplus","");
>                 nvPairs[16] = new NameValuePair(".emailCode","");
>                 nvPairs[17] = new NameValuePair("pkg","");
>                 nvPairs[18] = new NameValuePair("stepid","");
>                 nvPairs[19] = new NameValuePair(".ev","");
>                 nvPairs[20] = new NameValuePair("hasMsgr","0");
>                 nvPairs[21] = new NameValuePair(".chkP","Y");
>                 nvPairs[22] = new
>  NameValuePair(".done","http://www.flickr.com/services/api/tos/"); // NOTE(review): plain-http URL - confirm cleartext is intended here
>                 nvPairs[23] = new NameValuePair(".pd","_ver=0&c=&ivt=&sg=");
>
>                 String strLogonUrl = "https://login.yahoo.com/config/login?";
>                 PostMethod authpost = new PostMethod(strLogonUrl);
>
>                 // Prepare login parameters: the 24 pairs become the POST body
>                 authpost.setRequestBody(nvPairs);
>
>                 try {
>                         _client.executeMethod(authpost);
>                 } catch (IOException i) {
>                         i.printStackTrace();
>                 }
>                 /* As with the GET, an IOException here is only printed and execution continues.
>                  * NOTE(review): getStatusLine() below may be null if the request never
>                  * completed - confirm. */
>                 String strStatusLine = authpost.getStatusLine().toString();
>                 System.out.println("Login form post: " + strStatusLine);
>
>                 String _strPostRspBody = authpost.getResponseBodyAsString();
>                 _logger.debug("Response Body from Post: \n" + _strPostRspBody);
>                 // NOTE(review): the debug line above logs the full login response, which may carry session data - confirm before enabling debug.
>                 // release any connection resources used by the method
>                 authpost.releaseConnection();
>
>
>  --
>  View this message in context: http://old.nabble.com/Getting-past-authentication-to-Flickr-Yahoo-tp28440624p28466685.html
>
> Sent from the HttpClient-User mailing list archive at Nabble.com.
>
>
>  ---------------------------------------------------------------------
>
> To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
>  For additional commands, e-mail: httpclient-users-help@hc.apache.org
>
>

---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
For additional commands, e-mail: httpclient-users-help@hc.apache.org

