Re: Getting past authentication to Flickr/Yahoo

2010-05-05 Thread lsacco


olegk wrote:
 
 Yahoo as well as other high profile sites intentionally make it very
 difficult to script their login process.
 

Yeah, no kidding!  Here's my code...I basically combed their form and create
new NameValuePairs for them.  They also have hash function onSubmit to MD5
the password and challenge phrase and so I just do that in Java.  Still
after all my efforts, I can't get past the login form.  Anything you see
below that I might be missing?  Thanks!

import java.io.IOException;
import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.NameValuePair;
import org.apache.commons.httpclient.cookie.CookiePolicy;
import org.apache.commons.httpclient.methods.GetMethod;
import org.apache.commons.httpclient.methods.PostMethod;

String url = "https://login.yahoo.com";
int port = 443;

HttpClient _client = new HttpClient();
_client.getHostConfiguration().setHost(url, port, "https");
_client.getState().setCookiePolicy(CookiePolicy.COMPATIBILITY);

GetMethod authget = new GetMethod(url);

try {
    _client.executeMethod(authget);
} catch (IOException i) {
    i.printStackTrace();
}

// Read the response body.
byte[] responseBody = authget.getResponseBody();
String _strGetRspBody = authget.getResponseBodyAsString();
_logger.debug("GetRspBody: " + _strGetRspBody);

// release any connection resources used by the method
authget.releaseConnection();

// Get the .u value (38 = length of the tag text up to and including value=")
int intUStart = _strGetRspBody
        .indexOf("<input type=\"hidden\" name=\".u\"");
intUStart = intUStart + 38;
String strU = _strGetRspBody.substring(intUStart, intUStart + 13);
_logger.debug("U value from Get: " + strU);

// Get the .challenge value (46 = length of the tag text up to and including value=")
int intChallengeStart = _strGetRspBody
        .indexOf("<input type=\"hidden\" name=\".challenge\"");
intChallengeStart = intChallengeStart + 46;
String strChallenge = _strGetRspBody.substring(intChallengeStart,
        intChallengeStart + 28);
_logger.debug("Challenge value from Get: " + strChallenge);

//JS Function in Yahoo! form to hash password onSubmit
//  function hash2(form){var passwd=form.passwd.value
//  if(!form.passwd.value){return false;}
//  if(ok_password(passwd)){return true;}
//  var challenge=form[".challenge"].value;
//  var fullhash=MD5(MD5(passwd)+challenge);
//  form.passwd.value=fullhash;
//  form[".md5"].value=1;form[".hash"].value=1;form[".js"].value=1;
//  return true;}
String hashPwd = MD5(MD5(password) + strChallenge);
_logger.debug("hashPwd value from Get: " + hashPwd);

NameValuePair[] nvPairs = new NameValuePair[24];
nvPairs[0] = new NameValuePair("username", user);
nvPairs[1] = new NameValuePair("passwd", hashPwd);
nvPairs[2] = new NameValuePair(".tries", "1");
nvPairs[3] = new NameValuePair(".src", "flickr");
nvPairs[4] = new NameValuePair(".md5", "1");
nvPairs[5] = new NameValuePair(".hash", "1");
nvPairs[6] = new NameValuePair(".js", "1");
nvPairs[7] = new NameValuePair(".last", "");
nvPairs[8] = new NameValuePair("promo", "");
nvPairs[9] = new NameValuePair(".intl", "us");
nvPairs[10] = new NameValuePair(".bypass", "");
nvPairs[11] = new NameValuePair(".partner", "");
nvPairs[12] = new NameValuePair(".u", strU);
nvPairs[13] = new NameValuePair(".v", "0");
nvPairs[14] = new NameValuePair(".challenge", strChallenge);
nvPairs[15] = new NameValuePair(".yplus", "");
nvPairs[16] = new NameValuePair(".emailCode", "");
nvPairs[17] = new NameValuePair("pkg", "");
nvPairs[18] = new NameValuePair("stepid", "");
nvPairs[19] = new NameValuePair(".ev", "");
nvPairs[20] = new NameValuePair("hasMsgr", "0");
nvPairs[21] = new NameValuePair(".chkP", "Y");
nvPairs[22] = new NameValuePair(".done", "http://www.flickr.com/services/api/tos/");
nvPairs[23] = new NameValuePair(".pd", "_ver=0c=ivt=sg=");

String strLogonUrl = "https://login.yahoo.com/config/login?";
PostMethod authpost = new PostMethod(strLogonUrl);

// Prepare login parameters
authpost.setRequestBody(nvPairs);

try {
    _client.executeMethod(authpost);
} catch (IOException i) {
    i.printStackTrace();
}

String strStatusLine = authpost.getStatusLine().toString();
System.out.println("Login form post: " + strStatusLine);
String _strPostRspBody = 
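
Added example, not part of the original message or of HttpClient: the code above reads .u and .challenge at fixed offsets and fixed lengths, which silently yields wrong values if the markup shifts, and it relies on an MD5 helper that is not shown. The sketch below collects hidden inputs by attribute instead and composes the hash the way the quoted hash2() does. The class name, the sample markup and the assumption that the page's JavaScript MD5() returns lowercase hex are mine.

```java
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class LoginFormFields {
    // Match each <input ...> tag, then read its attributes separately so the
    // attribute order inside the tag does not matter.
    private static final Pattern INPUT =
            Pattern.compile("<input\\b[^>]*>", Pattern.CASE_INSENSITIVE);
    private static final Pattern ATTR = Pattern.compile("(\\w+)\\s*=\\s*\"([^\"]*)\"");

    /** Returns name -> value for every hidden input found in the page. */
    static Map<String, String> hiddenFields(String html) {
        Map<String, String> fields = new LinkedHashMap<>();
        Matcher tag = INPUT.matcher(html);
        while (tag.find()) {
            Map<String, String> attrs = new LinkedHashMap<>();
            Matcher a = ATTR.matcher(tag.group());
            while (a.find()) attrs.put(a.group(1).toLowerCase(), a.group(2));
            if ("hidden".equalsIgnoreCase(attrs.get("type")) && attrs.containsKey("name")) {
                fields.put(attrs.get("name"), attrs.getOrDefault("value", ""));
            }
        }
        return fields;
    }

    /** Lowercase, zero-padded 32-character hex MD5 (assumed to match the JS MD5()). */
    static String md5Hex(String s) throws NoSuchAlgorithmException {
        byte[] d = MessageDigest.getInstance("MD5").digest(s.getBytes(StandardCharsets.UTF_8));
        return String.format("%032x", new BigInteger(1, d));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample markup, not a captured login page.
        String html = "<form><input type=\"hidden\" name=\".u\" value=\"sampleU\">"
                + "<input name=\".challenge\" value=\"sampleChallenge\" type=\"hidden\"></form>";
        Map<String, String> f = hiddenFields(html);
        System.out.println(f);
        // Same composition as hash2(): MD5(MD5(passwd) + challenge)
        System.out.println(md5Hex(md5Hex("example-password") + f.get(".challenge")));
    }
}
```

A helper that drops leading zeros or emits uppercase hex produces a different outer hash, because the inner digest is concatenated as text before it is hashed again.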

Re: Getting past authentication to Flickr/Yahoo

2010-05-05 Thread sebb
On 05/05/2010, lsacco occ...@gmail.com wrote:


  olegk wrote:
  
   Yahoo as well as other high profile sites intentionally make it very
   difficult to script their login process.
  


 Yeah, no kidding!  Here's my code...I basically combed their form and create
  new NameValuePairs for them.  They also have hash function onSubmit to MD5
  the password and challenge phrase and so I just do that in Java.  Still
  after all my efforts, I can't get past the login form.  Anything you see
  below that I might be missing?  Thanks!

Try comparing the HTTP traffic for a successful session from a browser
with what your application is sending, and then tweak the code as
needed.

A protocol analyser such as Wireshark can help with this.


Re: Getting past authentication to Flickr/Yahoo

2010-05-05 Thread Jeff Davis

sebb wrote:

On 05/05/2010, lsacco occ...@gmail.com wrote:
  

 olegk wrote:
 
  Yahoo as well as other high profile sites intentionally make it very
  difficult to script their login process.
 


Yeah, no kidding!  Here's my code...I basically combed their form and create
 new NameValuePairs for them.  They also have hash function onSubmit to MD5
 the password and challenge phrase and so I just do that in Java.  Still
 after all my efforts, I can't get past the login form.  Anything you see
 below that I might be missing?  Thanks!



Try comparing the HTTP traffic for a successful session from a browser
with what your application is sending, and then tweak the code as
needed.

A protocol analyser such as Wireshark can help with this.
  
Perfect advice, the only thing I have to add is that Wireshark isn't 
much help for https  -  if you can also log in on http then that will 
work great.


Otherwise you'll need a browser plugin to sniff the packets before they 
get encrypted.  Here are a few options:


http://http-sniffer-plugin.qarchive.org/

  


Re: Getting past authentication to Flickr/Yahoo

2010-05-05 Thread John Smith
On Thu, May 6, 2010 at 1:26 AM, Jeff Davis j...@flyingdiamond.com wrote:
 sebb wrote:

 Perfect advice, the only thing I have to add is that Wireshark isn't much
 help for https  -  if you can also log in on http then that will work great.


In Wireshark : Show the capture options - Capture filter - tcp port http
or host target_ip

I think it'll help

-
To unsubscribe, e-mail: httpclient-users-unsubscr...@hc.apache.org
For additional commands, e-mail: httpclient-users-h...@hc.apache.org



Re: Getting past authentication to Flickr/Yahoo

2010-05-05 Thread lsacco



John Smith-151 wrote:
 
 In Wireshark : Show the capture options - Capture filter - tcp port http
 or host target_ip
 
 I think it'll help
 
 

But how can you use Wireshark when the login site is HTTPS?  Wireshark can
only sniff traffic in the clear unless you have the private key for the Web
server which I obviously don't.  Wireshark just shows me the redirects, but
not the actual form submittal.  
-- 
View this message in context: 
http://old.nabble.com/Getting-past-authentication-to-Flickr-Yahoo-tp28440624p28469500.html
Sent from the HttpClient-User mailing list archive at Nabble.com.
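
Added example, not from any poster in this thread: sebb's advice to compare a browser's successful request with what the application sends, applied to the two POST bodies once they have been captured before encryption. It reports field names only, since the values include the password hash. The class name and both sample bodies are constructed for illustration; `.extra` is a hypothetical field.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.TreeMap;
import java.util.TreeSet;

public class FormBodyDiff {
    /** Parses an application/x-www-form-urlencoded body into name -> value. */
    static Map<String, String> parse(String body) throws UnsupportedEncodingException {
        Map<String, String> m = new TreeMap<>();
        if (body.isEmpty()) return m;
        for (String pair : body.split("&")) {
            int eq = pair.indexOf('=');
            String k = eq < 0 ? pair : pair.substring(0, eq);
            String v = eq < 0 ? "" : pair.substring(eq + 1);
            m.put(URLDecoder.decode(k, "UTF-8"), URLDecoder.decode(v, "UTF-8"));
        }
        return m;
    }

    /** Lists fields that are missing, extra or different, without printing values. */
    static List<String> diff(String browserBody, String appBody)
            throws UnsupportedEncodingException {
        Map<String, String> b = parse(browserBody);
        Map<String, String> a = parse(appBody);
        Set<String> names = new TreeSet<>(b.keySet());
        names.addAll(a.keySet());
        List<String> out = new ArrayList<>();
        for (String n : names) {
            if (!a.containsKey(n)) out.add("missing from app: " + n);
            else if (!b.containsKey(n)) out.add("only in app: " + n);
            else if (!b.get(n).equals(a.get(n))) out.add("value differs: " + n);
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        // Constructed bodies; real ones come from the browser-side capture and
        // from the application's own request logging.
        String browser = ".tries=1&.src=flickr&.extra=x&.u=aaa&.challenge=ccc&passwd=h1";
        String app = ".tries=1&.src=flickr&.u=aaa&.challenge=ccc&passwd=h2&hasMsgr=0";
        for (String line : diff(browser, app)) System.out.println(line);
    }
}
```

The challenge and the password hash are expected to differ between two sessions, so the missing and extra names are the lines to look at first.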

