Re: Getting past authentication to Flickr/Yahoo
olegk wrote: Yahoo as well as other high profile sites intentionally make it very difficult to script their login process. Yeah, no kidding! Here's my code...I basically combed there form and create new NameValuePairs for them. They also have hash function onSubmit to MD5 the password and challenge phrase and so I just do that in Java. Still after all my efforts, I can't get passed the login form. Anything you see below that I might be missing? Thanks! String url = https://login.yahoo.com;; int port = 443; HttpClient _client = new HttpClient(); _client.getHostConfiguration().setHost(url, port, https); _client.getState().setCookiePolicy(CookiePolicy.COMPATIBILITY); GetMethod authget = new GetMethod(url); try { _client.executeMethod(authget); } catch (IOException i) { i.printStackTrace(); } // Read the response body. byte[] responseBody = authget.getResponseBody(); String _strGetRspBody = authget.getResponseBodyAsString(); _logger.debug(GetRspBody: + _strGetRspBody); // release any connection resources used by the method authget.releaseConnection(); // Get the .u value int intUStart = _strGetRspBody .indexOf(input type=\hidden\ name=\.u\); intUStart = intUStart + 38; String strU = _strGetRspBody.substring(intUStart, intUStart + 13); _logger.debug(U value from Get: + strU); // Get the .challenge value int intChallengeStart = _strGetRspBody .indexOf(input type=\hidden\ name=\.challenge\); intChallengeStart = intChallengeStart + 46; String strChallenge = _strGetRspBody.substring(intChallengeStart, intChallengeStart + 28); _logger.debug(Challenge value from Get: + strChallenge); //JS Function in Yahoo! form to hash password onSubmit // function hash2(form){var passwd=form.passwd.value // if(!form.passwd.value){return false;} // if(ok_password(passwd)){return true;} // var challenge=form[.challenge].value; // var fullhash=MD5(MD5(passwd)+challenge); // form.passwd.value=fullhash; // form[.md5].value=1;form[.hash].value=1;form[.js].value=1; // return true;} String hashPwd = MD5(MD5(password) + strChallenge); _logger.debug(hashPwd value from Get: + hashPwd); NameValuePair[] nvPairs = new NameValuePair[24]; nvPairs[0] = new NameValuePair(username, user); nvPairs[1] = new NameValuePair(passwd, hashPwd); nvPairs[2] = new NameValuePair(.tries,1); nvPairs[3] = new NameValuePair(.src,flickr); nvPairs[4] = new NameValuePair(.md5,1); nvPairs[5] = new NameValuePair(.hash,1); nvPairs[6] = new NameValuePair(.js,1); nvPairs[7] = new NameValuePair(.last,); nvPairs[8] = new NameValuePair(promo,); nvPairs[9] = new NameValuePair(.intl,us); nvPairs[10] = new NameValuePair(.bypass,); nvPairs[11] = new NameValuePair(.partner,); nvPairs[12] = new NameValuePair(.u,strU); nvPairs[13] = new NameValuePair(.v,0); nvPairs[14] = new NameValuePair(.challenge,strChallenge); nvPairs[15] = new NameValuePair(.yplus,); nvPairs[16] = new NameValuePair(.emailCode,); nvPairs[17] = new NameValuePair(pkg,); nvPairs[18] = new NameValuePair(stepid,); nvPairs[19] = new NameValuePair(.ev,); nvPairs[20] = new NameValuePair(hasMsgr,0); nvPairs[21] = new NameValuePair(.chkP,Y); nvPairs[22] = new NameValuePair(.done,http://www.flickr.com/services/api/tos/;); nvPairs[23] = new NameValuePair(.pd,_ver=0c=ivt=sg=); String strLogonUrl = https://login.yahoo.com/config/login?;; PostMethod authpost = new PostMethod(strLogonUrl); // Prepare login parameters authpost.setRequestBody(nvPairs); try { _client.executeMethod(authpost); } catch (IOException i) { i.printStackTrace(); } String strStatusLine = authpost.getStatusLine().toString(); System.out.println(Login form post: + strStatusLine); String _strPostRspBody =
Re: Getting past authentication to Flickr/Yahoo
On 05/05/2010, lsacco occ...@gmail.com wrote: olegk wrote: Yahoo as well as other high profile sites intentionally make it very difficult to script their login process. Yeah, no kidding! Here's my code...I basically combed there form and create new NameValuePairs for them. They also have hash function onSubmit to MD5 the password and challenge phrase and so I just do that in Java. Still after all my efforts, I can't get passed the login form. Anything you see below that I might be missing? Thanks! Try comparing the HTTP traffic for a successful session from a browser with what your application is sending, and then tweak the code as needed. A protocol analyser such as Wireshark can help with this. String url = https://login.yahoo.com;; int port = 443; HttpClient _client = new HttpClient(); _client.getHostConfiguration().setHost(url, port, https); _client.getState().setCookiePolicy(CookiePolicy.COMPATIBILITY); GetMethod authget = new GetMethod(url); try { _client.executeMethod(authget); } catch (IOException i) { i.printStackTrace(); } // Read the response body. byte[] responseBody = authget.getResponseBody(); String _strGetRspBody = authget.getResponseBodyAsString(); _logger.debug(GetRspBody: + _strGetRspBody); // release any connection resources used by the method authget.releaseConnection(); // Get the .u value int intUStart = _strGetRspBody .indexOf(input type=\hidden\ name=\.u\); intUStart = intUStart + 38; String strU = _strGetRspBody.substring(intUStart, intUStart + 13); _logger.debug(U value from Get: + strU); // Get the .challenge value int intChallengeStart = _strGetRspBody .indexOf(input type=\hidden\ name=\.challenge\); intChallengeStart = intChallengeStart + 46; String strChallenge = _strGetRspBody.substring(intChallengeStart, intChallengeStart + 28); _logger.debug(Challenge value from Get: + strChallenge); //JS Function in Yahoo! form to hash password onSubmit // function hash2(form){var passwd=form.passwd.value // if(!form.passwd.value){return false;} // if(ok_password(passwd)){return true;} // var challenge=form[.challenge].value; // var fullhash=MD5(MD5(passwd)+challenge); // form.passwd.value=fullhash; // form[.md5].value=1;form[.hash].value=1;form[.js].value=1; // return true;} String hashPwd = MD5(MD5(password) + strChallenge); _logger.debug(hashPwd value from Get: + hashPwd); NameValuePair[] nvPairs = new NameValuePair[24]; nvPairs[0] = new NameValuePair(username, user); nvPairs[1] = new NameValuePair(passwd, hashPwd); nvPairs[2] = new NameValuePair(.tries,1); nvPairs[3] = new NameValuePair(.src,flickr); nvPairs[4] = new NameValuePair(.md5,1); nvPairs[5] = new NameValuePair(.hash,1); nvPairs[6] = new NameValuePair(.js,1); nvPairs[7] = new NameValuePair(.last,); nvPairs[8] = new NameValuePair(promo,); nvPairs[9] = new NameValuePair(.intl,us); nvPairs[10] = new NameValuePair(.bypass,); nvPairs[11] = new NameValuePair(.partner,); nvPairs[12] = new NameValuePair(.u,strU); nvPairs[13] = new NameValuePair(.v,0); nvPairs[14] = new NameValuePair(.challenge,strChallenge); nvPairs[15] = new NameValuePair(.yplus,); nvPairs[16] = new NameValuePair(.emailCode,); nvPairs[17] = new NameValuePair(pkg,); nvPairs[18] = new NameValuePair(stepid,); nvPairs[19] = new NameValuePair(.ev,); nvPairs[20] = new NameValuePair(hasMsgr,0); nvPairs[21] = new NameValuePair(.chkP,Y); nvPairs[22] = new NameValuePair(.done,http://www.flickr.com/services/api/tos/;); nvPairs[23] = new NameValuePair(.pd,_ver=0c=ivt=sg=); String strLogonUrl = https://login.yahoo.com/config/login?;; PostMethod authpost = new PostMethod(strLogonUrl); // Prepare login parameters authpost.setRequestBody(nvPairs); try {
Re: Getting past authentication to Flickr/Yahoo
sebb wrote: On 05/05/2010, lsacco occ...@gmail.com wrote: olegk wrote: Yahoo as well as other high profile sites intentionally make it very difficult to script their login process. Yeah, no kidding! Here's my code...I basically combed there form and create new NameValuePairs for them. They also have hash function onSubmit to MD5 the password and challenge phrase and so I just do that in Java. Still after all my efforts, I can't get passed the login form. Anything you see below that I might be missing? Thanks! Try comparing the HTTP traffic for a successful session from a browser with what your application is sending, and then tweak the code as needed. A protocol analyser such as Wireshark can help with this. Perfect advice, the only thing I have to add is that Wireshark isn't much help for https - if you can also log in on http then that will work great. Otherwise you'll need a browser plugin to sniff the packets before they get encrypted. Here is a few options: http://http-sniffer-plugin.qarchive.org/ String url = https://login.yahoo.com;; int port = 443; HttpClient _client = new HttpClient(); _client.getHostConfiguration().setHost(url, port, https); _client.getState().setCookiePolicy(CookiePolicy.COMPATIBILITY); GetMethod authget = new GetMethod(url); try { _client.executeMethod(authget); } catch (IOException i) { i.printStackTrace(); } // Read the response body. byte[] responseBody = authget.getResponseBody(); String _strGetRspBody = authget.getResponseBodyAsString(); _logger.debug(GetRspBody: + _strGetRspBody); // release any connection resources used by the method authget.releaseConnection(); // Get the .u value int intUStart = _strGetRspBody .indexOf(input type=\hidden\ name=\.u\); intUStart = intUStart + 38; String strU = _strGetRspBody.substring(intUStart, intUStart + 13); _logger.debug(U value from Get: + strU); // Get the .challenge value int intChallengeStart = _strGetRspBody .indexOf(input type=\hidden\ name=\.challenge\); intChallengeStart = intChallengeStart + 46; String strChallenge = _strGetRspBody.substring(intChallengeStart, intChallengeStart + 28); _logger.debug(Challenge value from Get: + strChallenge); //JS Function in Yahoo! form to hash password onSubmit // function hash2(form){var passwd=form.passwd.value // if(!form.passwd.value){return false;} // if(ok_password(passwd)){return true;} // var challenge=form[.challenge].value; // var fullhash=MD5(MD5(passwd)+challenge); // form.passwd.value=fullhash; // form[.md5].value=1;form[.hash].value=1;form[.js].value=1; // return true;} String hashPwd = MD5(MD5(password) + strChallenge); _logger.debug(hashPwd value from Get: + hashPwd); NameValuePair[] nvPairs = new NameValuePair[24]; nvPairs[0] = new NameValuePair(username, user); nvPairs[1] = new NameValuePair(passwd, hashPwd); nvPairs[2] = new NameValuePair(.tries,1); nvPairs[3] = new NameValuePair(.src,flickr); nvPairs[4] = new NameValuePair(.md5,1); nvPairs[5] = new NameValuePair(.hash,1); nvPairs[6] = new NameValuePair(.js,1); nvPairs[7] = new NameValuePair(.last,); nvPairs[8] = new NameValuePair(promo,); nvPairs[9] = new NameValuePair(.intl,us); nvPairs[10] = new NameValuePair(.bypass,); nvPairs[11] = new NameValuePair(.partner,); nvPairs[12] = new NameValuePair(.u,strU); nvPairs[13] = new NameValuePair(.v,0); nvPairs[14] = new NameValuePair(.challenge,strChallenge); nvPairs[15] = new NameValuePair(.yplus,); nvPairs[16] = new NameValuePair(.emailCode,); nvPairs[17] = new NameValuePair(pkg,); nvPairs[18] = new NameValuePair(stepid,); nvPairs[19] = new NameValuePair(.ev,); nvPairs[20] = new NameValuePair(hasMsgr,0); nvPairs[21] = new NameValuePair(.chkP,Y); nvPairs[22] = new NameValuePair(.done,http://www.flickr.com/services/api/tos/;); nvPairs[23] = new NameValuePair(.pd,_ver=0c=ivt=sg=); String strLogonUrl =
Re: Getting past authentication to Flickr/Yahoo
On Thu, May 6, 2010 at 1:26 AM, Jeff Davis j...@flyingdiamond.com wrote: sebb wrote: Perfect advice, the only thing I have to add is that Wireshark isn't much help for https - if you can also log in on http then that will work great. In Wireshark : Show the capture options - Capture filter - tcp port http or host target_ip I think it'll help - To unsubscribe, e-mail: httpclient-users-unsubscr...@hc.apache.org For additional commands, e-mail: httpclient-users-h...@hc.apache.org
Re: Getting past authentication to Flickr/Yahoo
John Smith-151 wrote: In Wireshark : Show the capture options - Capture filter - tcp port http or host target_ip I think it'll help But how can you use Wireshark when the login site is HTTPS. Wireshark can only sniff traffic in the clear unless you have the private key for the Web server which I obviously don't. Wireshark just shows me the redirects, but not the actual form submittal. -- View this message in context: http://old.nabble.com/Getting-past-authentication-to-Flickr-Yahoo-tp28440624p28469500.html Sent from the HttpClient-User mailing list archive at Nabble.com. - To unsubscribe, e-mail: httpclient-users-unsubscr...@hc.apache.org For additional commands, e-mail: httpclient-users-h...@hc.apache.org