Re: [PHP] CURL de-bugging: So why am I not getting the results page on the target site?

[ioannes]

I would like someone to help me on this outside the group discussion.  
Is there anyone out there that would look at a curl problem with me?


Thanks,

John

ioannes wrote:
My current theory on this is that the initial input page creates a 
per-session cookie.  Is CURL able to send this when the page is 
submitted and if so how do I find out the name and value of the cookie 
as per my reading it is not stored on the computer, though I reckon it 
must be there somewhere.


The initial page is in this format:
https://www.targetsite.com/subdir/page.asp?serialno=GM201&OtherCode=&NextCode= 



So I have various GET parameters.

The initial input page also has POST parameters which I can see the in 
page source, and so send via CURL.


I cannot find any javascript doing a set_cookie, including in any 
included files of which there are none anyway.  But there is some 
session going on as the serialno parameter is not in a hidden field or 
explicitly set cookie, so it must be a per-session cookie maybe with a 
different name, I reason.  How do I find out about these?


John

ioannes wrote:
My code is as below.  It comes back with 'Bad session variable name - 
CompanySerialNo' from the site.but the COOKIEJAR does not show this 
variable name and it is not sent, it just shows:


www.targetsite.comFALSE/FALSE0
ASPSESSIONIDQCSQDTABLKAONANAFJPNMFFECLFNCLBP


There is a serialno but that is sent in the GET (URL below).  
Question is: What to test now?  I am trying to get a results page 
from an input page.


What code below is trying to do is access the page, get any cookies 
set then try the page again with the relevant inputs.


   
$url="https://www.targetsite.com/subdir/page.asp?serialno=GM201&OtherCode=&NextCode=";; 



   $ch = curl_init();
   curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);

   curl_setopt ($ch, CURLOPT_COOKIEJAR, "cookies.txt");
   curl_setopt ($ch, CURLOPT_COOKIEFILE, "cookies.txt");

   curl_setopt($ch, CURLOPT_HEADER, 0);
 curl_setopt($ch, CURLOPT_AUTOREFERER, true);

   curl_setopt($ch, CURLOPT_URL, $url);
  /*
//GET list from submitting POST form as GET
https://www.shortstay-london.com/checkavail.asp?
1 - clock=+09%3A54
2 - &StartDay=6
3 - &StartMonth=September+%3A+2008
4 - &EndDay=13
5 - &EndMonth=September+%3A+2008
13 - &CheckThis=Check+This

use this list to create POST data
*/

   curl_setopt($ch, CURLOPT_POST, 1);
 $curlPost=array();

   $curlPost["clock"]=" 09:54";
   $curlPost["StartDay"]="6";
   $curlPost["StartMonth"]="September : 2008";
   $curlPost["EndDay"]="13";
   $curlPost["EndMonth"]="September : 2008";
   //etc
   $curlPost["CheckThis"]="Check This";

   curl_setopt($ch, CURLOPT_POSTFIELDS,$curlPost);
 
   curl_setopt($ch, CURLOPT_FOLLOWLOCATION  ,1);

   curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);

   $store = curl_exec ($ch);
 curl_close ($ch);
 print($store);
  ?>





--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] CURL de-bugging: So why am I not getting the results page on the target site?

[ioannes]

The way this page works is you access index.asp?SerialNo=abc123 from a 
link, that is re-directed to a frameset containing the main page, 
main.asp, just that.   main.asp does not have any  fields showing 
the SerialNo, there is a comment with it but that is all.  Fom this 
page, you input some dates and submit, and the form action is on a page 
like /checkthis.asp.  What I can't see is how /checkthis.asp knows the 
SerialNo, which it needs.  Is there some other way that asp pages 
transfer information between pages?  I looked at the cache for IE after 
each page load and it does not have SerialNo as cookies or any cookies 
from this site other than google conversion tracking. 

On main.asp the button that submits the form does not refer to the 
SerialNo either.  Nevertheless the results page creates the relevant 
data from the database.  But it does produce error messages like, The 
Object has been  Moved here, with my site plus 
?lngSessionId=234984987&SerialNo=abd123&WinMode=&AgentCode=&CustCode=.   
If I add these parameters to the target URL in the CURL script it looks 
for displaymode (the message with my url in the display line at end of 
browser window: www.mysite.com/displaymode=). 


John

ioannes wrote:
My current theory on this is that the initial input page creates a 
per-session cookie.  Is CURL able to send this when the page is 
submitted and if so how do I find out the name and value of the cookie 
as per my reading it is not stored on the computer, though I reckon it 
must be there somewhere.


The initial page is in this format:
https://www.targetsite.com/subdir/page.asp?serialno=GM201&OtherCode=&NextCode= 



So I have various GET parameters.

The initial input page also has POST parameters which I can see the in 
page source, and so send via CURL.


I cannot find any javascript doing a set_cookie, including in any 
included files of which there are none anyway.  But there is some 
session going on as the serialno parameter is not in a hidden field or 
explicitly set cookie, so it must be a per-session cookie maybe with a 
different name, I reason.  How do I find out about these?


John

ioannes wrote:
My code is as below.  It comes back with 'Bad session variable name - 
CompanySerialNo' from the site.but the COOKIEJAR does not show this 
variable name and it is not sent, it just shows:


www.targetsite.comFALSE/FALSE0
ASPSESSIONIDQCSQDTABLKAONANAFJPNMFFECLFNCLBP


There is a serialno but that is sent in the GET (URL below).  
Question is: What to test now?  I am trying to get a results page 
from an input page.


What code below is trying to do is access the page, get any cookies 
set then try the page again with the relevant inputs.


   
$url="https://www.targetsite.com/subdir/page.asp?serialno=GM201&OtherCode=&NextCode=";; 



   $ch = curl_init();
   curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);

   curl_setopt ($ch, CURLOPT_COOKIEJAR, "cookies.txt");
   curl_setopt ($ch, CURLOPT_COOKIEFILE, "cookies.txt");

   curl_setopt($ch, CURLOPT_HEADER, 0);
 curl_setopt($ch, CURLOPT_AUTOREFERER, true);

   curl_setopt($ch, CURLOPT_URL, $url);
  /*
//GET list from submitting POST form as GET
https://www.shortstay-london.com/checkavail.asp?
1 - clock=+09%3A54
2 - &StartDay=6
3 - &StartMonth=September+%3A+2008
4 - &EndDay=13
5 - &EndMonth=September+%3A+2008
13 - &CheckThis=Check+This

use this list to create POST data
*/

   curl_setopt($ch, CURLOPT_POST, 1);
 $curlPost=array();

   $curlPost["clock"]=" 09:54";
   $curlPost["StartDay"]="6";
   $curlPost["StartMonth"]="September : 2008";
   $curlPost["EndDay"]="13";
   $curlPost["EndMonth"]="September : 2008";
   //etc
   $curlPost["CheckThis"]="Check This";

   curl_setopt($ch, CURLOPT_POSTFIELDS,$curlPost);
 
   curl_setopt($ch, CURLOPT_FOLLOWLOCATION  ,1);

   curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);

   $store = curl_exec ($ch);
 curl_close ($ch);
 print($store);
  ?>





--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] CURL de-bugging: So why am I not getting the results page on the target site?

[ioannes]

My current theory on this is that the initial input page creates a 
per-session cookie.  Is CURL able to send this when the page is 
submitted and if so how do I find out the name and value of the cookie 
as per my reading it is not stored on the computer, though I reckon it 
must be there somewhere.


The initial page is in this format:
https://www.targetsite.com/subdir/page.asp?serialno=GM201&OtherCode=&NextCode=

So I have various GET parameters.

The initial input page also has POST parameters which I can see the in 
page source, and so send via CURL.


I cannot find any javascript doing a set_cookie, including in any 
included files of which there are none anyway.  But there is some 
session going on as the serialno parameter is not in a hidden field or 
explicitly set cookie, so it must be a per-session cookie maybe with a 
different name, I reason.  How do I find out about these?


John

ioannes wrote:
My code is as below.  It comes back with 'Bad session variable name - 
CompanySerialNo' from the site.but the COOKIEJAR does not show this 
variable name and it is not sent, it just shows:


www.targetsite.comFALSE/FALSE0
ASPSESSIONIDQCSQDTABLKAONANAFJPNMFFECLFNCLBP


There is a serialno but that is sent in the GET (URL below).  Question 
is: What to test now?  I am trying to get a results page from an input 
page.


What code below is trying to do is access the page, get any cookies 
set then try the page again with the relevant inputs.


   
$url="https://www.targetsite.com/subdir/page.asp?serialno=GM201&OtherCode=&NextCode=";; 



   $ch = curl_init();
   curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);

   curl_setopt ($ch, CURLOPT_COOKIEJAR, "cookies.txt");
   curl_setopt ($ch, CURLOPT_COOKIEFILE, "cookies.txt");

   curl_setopt($ch, CURLOPT_HEADER, 0);
 curl_setopt($ch, CURLOPT_AUTOREFERER, true);

   curl_setopt($ch, CURLOPT_URL, $url);
  /*
//GET list from submitting POST form as GET
https://www.shortstay-london.com/checkavail.asp?
1 - clock=+09%3A54
2 - &StartDay=6
3 - &StartMonth=September+%3A+2008
4 - &EndDay=13
5 - &EndMonth=September+%3A+2008
13 - &CheckThis=Check+This

use this list to create POST data
*/

   curl_setopt($ch, CURLOPT_POST, 1);
 $curlPost=array();

   $curlPost["clock"]=" 09:54";
   $curlPost["StartDay"]="6";
   $curlPost["StartMonth"]="September : 2008";
   $curlPost["EndDay"]="13";
   $curlPost["EndMonth"]="September : 2008";
   //etc
   $curlPost["CheckThis"]="Check This";

   curl_setopt($ch, CURLOPT_POSTFIELDS,$curlPost);
 
   curl_setopt($ch, CURLOPT_FOLLOWLOCATION  ,1);

   curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);

   $store = curl_exec ($ch);
 curl_close ($ch);
 print($store);
  ?>



--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] CURL de-bugging: So why am I not getting the results page on the target site?

[ioannes]

My code is as below.  It comes back with 'Bad session variable name - 
CompanySerialNo' from the site.but the COOKIEJAR does not show this 
variable name and it is not sent, it just shows:


www.targetsite.comFALSE/FALSE0
ASPSESSIONIDQCSQDTABLKAONANAFJPNMFFECLFNCLBP


There is a serialno but that is sent in the (URL below).  Question is: 
What to test now?  I am trying to get a results page from an input page.


What code below is trying to do is access the page, get any cookies set 
then try the page again with the relevant inputs.


   
$url="https://www.targetsite.com/subdir/page.asp?serialno=GM201&OtherCode=&NextCode=";;


   $ch = curl_init();
   curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);

   curl_setopt ($ch, CURLOPT_COOKIEJAR, "cookies.txt");
   curl_setopt ($ch, CURLOPT_COOKIEFILE, "cookies.txt");

   curl_setopt($ch, CURLOPT_HEADER, 0);
  
   curl_setopt($ch, CURLOPT_AUTOREFERER, true);


   curl_setopt($ch, CURLOPT_URL, $url);
  
/*

//GET list from submitting POST form as GET
https://www.shortstay-london.com/checkavail.asp?
1 - clock=+09%3A54
2 - &StartDay=6
3 - &StartMonth=September+%3A+2008
4 - &EndDay=13
5 - &EndMonth=September+%3A+2008
13 - &CheckThis=Check+This

use this list to create POST data
*/

   curl_setopt($ch, CURLOPT_POST, 1);
  
   $curlPost=array();


   $curlPost["clock"]=" 09:54";
   $curlPost["StartDay"]="6";
   $curlPost["StartMonth"]="September : 2008";
   $curlPost["EndDay"]="13";
   $curlPost["EndMonth"]="September : 2008";
   //etc
   $curlPost["CheckThis"]="Check This";

   curl_setopt($ch, CURLOPT_POSTFIELDS,$curlPost);
 
   curl_setopt($ch, CURLOPT_FOLLOWLOCATION  ,1);

   curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);

   $store = curl_exec ($ch);
  
   curl_close ($ch);
  
   print($store);
  
?>


--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

RE: [PHP] CURL de-bugging: So why am I not getting the results page on the target site?

[Boyd, Todd M.]

> -Original Message-
> From: Chris [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, July 01, 2008 9:42 PM
> To: [EMAIL PROTECTED]
> Cc: php-general@lists.php.net
> Subject: Re: [PHP] CURL de-bugging: So why am I not getting the
results
> page on the target site?
> 
> ioannes wrote:
> > I didn't get any brave response on this, but given the other thread
> on
> > 'encription' I was wondering could anyone decrypt the __VIEWSTATE
> string
> > at the end of this message.  It is part of the input page whose
> results
> > page I am trying to retrieve back onto my server for further php
> work.
> > I replicated the source from that input page onto a page on my
> server,
> > and when I click the submit button it correctly goes to the target
> > results page, on the other site though, however it did not work
> without
> > the whole of the string below.  The experiment proved though that
> > without the __VIEWSTATE the results page will not return.  So I am
> just
> > wondering, as I have not been able to repeat this using curl, what
> the
> >  is included in that string. There's a challenge for anyone with
> > whatever resources it takes.
> 
> echo base64_decode($view_state_string);
> 
> viewstate in asp.net is like sessions in php (I believe, I could be
> completely wrong :P).

Ehrm... you're not *completely* wrong. ;) I do most of my programming at
work in ASP.NET/VB.NET, and I've come to understand that the VIEWSTATE
in an ASP.NET page is more or less for retaining form values and
client-side settings. IIS/ASP.NET still uses sessions--and in much the
same way as PHP.


Todd Boyd
Web Programmer




--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] CURL de-bugging: So why am I not getting the results page on the target site?

[ioannes]

Thanks Chris and Andrew,

An interesting article here on VIEWSTATE in asp: 
http://www.dotnetjohn.com/articles.aspx?articleid=71 refers to MAC 
encoding using SHA1 or MD5, alternatively Triple DES symmetric 
algorithm.  However, in either event, VIEWSTATE seems to be just what is 
sent by the server which the server expects to receive back unmodified.  
I tried the same input form as on the target server on a test page on my 
site with the action on the form to the target server and that works OK 
to get the results page on the target server.  I have also tested on my 
server that the CURL POST variables are giving sensible inputs like the 
ones that the page would produce on GET.  In the process, I also learned 
that colons in the POST variable names don't need to be changed for HTML 
encoding, spaces in the variable values do need to be, anyway the POST 
variables seem to work OK as I said.  Whatever is or is not being sent 
by the script as opposed to the input form on a test page of my site is 
the difference that I am looking for.  I will try another site see can I 
learn anything in the process.


Oh, and decoding the string as suggested 
(print_r(base64_decode($view_state_string));) gives one value in the 
array and a mixture of English and other characters plus most of the 
page: eg 
d
2Ö8

 Version=0.0.0.0, and other 
characters that do not copy to this email etc.  As above, I don't see 
that this is interfering with CURLing the results page if it is simply 
sent back in the post.


John

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] CURL de-bugging: So why am I not getting the results page on the target site?

[Andrew Ballard]

On Tue, Jul 1, 2008 at 5:23 PM, ioannes <[EMAIL PROTECTED]> wrote:
> I didn't get any brave response on this, but given the other thread on
> 'encription' I was wondering could anyone decrypt the __VIEWSTATE string at
> the end of this message.  It is part of the input page whose results page I
> am trying to retrieve back onto my server for further php work.  I
> replicated the source from that input page onto a page on my server, and
> when I click the submit button it correctly goes to the target results page,
> on the other site though, however it did not work without the whole of the
> string below.  The experiment proved though that without the __VIEWSTATE the
> results page will not return.  So I am just wondering, as I have not been
> able to repeat this using curl, what the  is included in that string.
> There's a challenge for anyone with whatever resources it takes.
>
> John
>
>
> ioannes wrote:
>>
>> For those that like CURL and calendars.
>> ...
>>
>> VIEWSTATE
>>
>> curl_setopt($ch,
>> CURLOPT_POSTFIELDS,"__VIEWSTATE=/wEPDwUKMTMyMjM3NTUzNw9kFgZmDxYCHgRUZXh0BYcMPHRhYmxlIGFsaWduPSJjZW50ZXIiIGNlbGxwYWRkaW5nPSIwIiBjZWxsc3BhY2luZz0iMCIgYm9yZGVyPSIwIj48dHI+PHRkPg0KPHVsIGlkPSJza2lwIj4NCiA8bGk+PGEgaHJlZj0iI21haW4iPlNraXAgdG8gbWFpbiBjb250ZW50PC9hPjwvbGk+DQo8L3VsPg0KPGRpdiBpZD0id3JhcHBlciIgY2xhc3M9ImNsZWFyIj4NCiA8ZGl2IGlkPSJoZWFkZXIiPg0KICAgICAgICAgICAgPGgxPg0KICAgICAgICAgICAgICAgIDxhIGhyZWY9Imh0dHA6Ly93d3cuZG9scGhpbnNxdWFyZS5jby51ay9ob3VzZS8iIHRpdGxlPSJEb2xwaGluIEhvdXNlIGhvbWUgcGFnZSI+RG9scGhpbg0KICAgICAgICAgICAgICAgICAgICBIb3VzZTwvYT48L2gxPg0KICAgICAgICAgICAgPGRpdiBpZD0ibmF2aWdhdGlvbiI+DQogICAgICAgICAgICAgICAgPHVsIGlkPSJuYXZfbWFpbiI+DQogICAgICAgICAgICAgICAgICAgIDxsaSBjbGFzcz0iYWJvdXQiPjxhIGhyZWY9Imh0dHA6Ly93d3cuZG9scGhpbnNxdWFyZS5jby51ay9ob3VzZS9hYm91dC8iIHRpdGxlPSJBYm91dCBEb2xwaGluIEhvdXNlIj4NCiAgICAgICAgICAgICAgICAgICAgICAgIEFib3V0IHVzPC9hPiA8L2xpPg0KICAgICAgICAgICAgICAgICAgICA8bGkgY2xhc3M9ImFyZWEiPjxhIGhyZWY9Imh0dHA6Ly93d3cuZG9scGhpbnNxdWFyZS5jby51ay9ob3VzZS90aGVhcmVhLyIgdGl0bGU9IlRoZSBhcmVhIj4NCiAgICAgICAgICAgICAgICAgICAgICAgIFRoZSBhcmVhPC9hPiA8L2xpPg0KICAgICAgICAgICAgICAgICAgICA8bGkgY2xhc3M9ImZhY2lsaXRpZXMiPjxhIGhyZWY9Imh0dHA6Ly93d3cuZG9scGhpbnNxdWFyZS5jby51ay9ob3VzZS9mYWNpbGl0aWVzLyINCiAgICAgICAgICAgICAgICAgICAgICAgIHRpdGxlPSJGYWNpbGl0aWVzIj5GYWNpbGl0aWVzPC9hPiA8L2xpPg0KICAgICAgICAgICAgICAgICAgICA8bGkgY2xhc3M9ImFwYXJ0bWVudHMiPjxhIGhyZWY9Imh0dHA6Ly93d3cuZG9scGhpbnNxdWFyZS5jby51ay9ob3VzZS9hcGFydG1lbnRzLyINCiAgICAgICAgICAgICAgICAgICAgICAgIHRpdGxlPSJUaGUgYXBhcnRtZW50cyI+QXBhcnRtZW50czwvYT4gPC9saT4NCiAgICAgICAgICAgICAgICAgICAgPGxpIGNsYXNzPSJib29rIj48YSBocmVmPSJodHRwczovL3Jlc2VydmF0aW9ucy5zeW54aXMuY29tL0xCRS9yZXouYXNweD9Ib3RlbD0xODQ4MyZDaGFpbj03MzcxJmxvY2FsZT1lbi1HQiINCiAgICAgICAgICAgICAgICAgICAgICAgIHRpdGxlPSJCb29rIG9ubGluZSI+Qm9vayBvbmxpbmU8L2E+PC9saT4NCiAgICAgICAgICAgICAgICAgICAgPGxpIGNsYXNzPSJjb250YWN0Ij48YSBocmVmPSJodHRwOi8vd3d3LmRvbHBoaW5zcXVhcmUuY28udWsvaG91c2UvY29udGFjdHVzLnBocCINCiAgICAgICAgICAgICAgICAgICAgICAgIHRpdGxlPSJDb250YWN0IHVzIj5Db250YWN0IHVzPC9hPjwvbGk+DQogICAgICAgICAgICAgICAgPC91bD4NCiAgICAgICAgICAgIDwvZGl2Pg0KICAgICAgICA8L2Rpdj4NCiA8ZGl2IGlkPSJtYWluIj4NCiAgPHA+DQogIGQCAQ9kFgICAQ8PFgIeB0xCRURhdGEy1jgAAQAAAP8BAAwCQUJFQnVzaW5lc3MsIFZlcnNpb249MC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1udWxsDAMAAABDQnVzaW5lc3MsIFZlcnNpb249NC42LjAuMzI4NTIsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49bnVsbAUBLFN5bnhpcy5BcHBsaWNhdGlvbi5CRS5CRUJ1c2luZXNzLkxCRS5MQkVEYXRhhA5faXNJbml0aWFsaXplZA1faG90ZWxDaGFuZ2VkFF9jdXN0b21lckluZm9DaGFuZ2VkDF9sb2dpbkZhaWxlZAtfbG9naW5FbWFpbA5faG90ZWxBdHRyRGF0YQhfaG90ZWxJRAhfY2hhaW5JRAlfaEFsaWFzSUQJX2NBbGlhc0lECV9hbHRTaGVsbAxfb3JpZ0hvdGVsSUQOX29yaWdIb3RlbE5hbWUOX2hvdGVsSXNBY3RpdmUJX2Rlc3RDb2RlCV9yZXpMZXZlbA9fcGF0aFRha2VuTGV2ZWwKX3N0ZXBGaWxlcxBfYnJlYWRDcnVtYnNGaWxlD19jb25maWdGaWxlUGF0aAdfbGFuZ0lEB19sb2NhbGUKX2hvdGVsR3VpZApfY2hhaW5HdWlkCV9kZXN0R3VpZAhfcmV6R3VpZApfaG90ZWxOYW1lCl9ob3RlbENvZGUKX2NoYWluTmFtZQlfZGVzdE5hbWUMX3JlelN0YXR1c0lECl9jb25maXJtTm8JX2NhbmNlbE5vEl9jYWxlbmRhclN0YXJ0RGF0ZQxfYXJyaXZhbERhdGUOX2RlcGFydHVyZURhdGUJX25pZ2h0UXR5CV9hZHVsdFF0eQlfY2hpbGRRdHkKX2p1bmlvclF0eQpfaW5mYW50UXR5Cl9zZW5pb3JRdHkIX3Jvb21RdHkRX3BhY2thZ2VEYXRhQXJyYXkSX3BhY2thZ2VUb3RhbFByaWNlCl9wcm9tb0NvZGULX2lhdGFOdW1iZXIQX3ZhbGlkSWF0YU51bWJlcghfYWdlbnRJRA9fdmFsaWRBZ2VudEd1aWQKX2dyb3VwQ29kZQ5fc3ViU291cmNlQ29kZQ1fYWxsb3dlZFJhdGVzDV9hbGxvd2VkUm9vbXMNX2F2ZXJhZ2VQcmljZRBfZmlyc3ROaWdodFByaWNlC190b3RhbFByaWNlEl90b3RhbFByaWNlV2l0aFRheA1fZGF0ZVJhdGVMaXN0DV9kYWlseVRheExpc3QOX2RhaWx5TWVhbExpc3QJX3JhdGVDb2RlCV9yYXRlR3VpZAlfcmF0ZU5hbWURX2lzU3VwcHJlc3NlZFJhdGUJX3Jvb21Db2RlCV9yb29tR3VpZAlfcm9vbU5hbWUOX3Jvb21Hcm91cENvZGUOX3Jvb21Hcm91cEd1aWQKX2ZpbHRlckJBUhVfaGFzQXZhaWxhYmxlUGFja2FnZXMSX2Jvb2tpbmdQb2xpY3lHdWlkEV9jYW5jZWxQb2xpY3lHdWlkD19jdXJyZW5jeVJhdGVJRA9fY3VycmVuY3lQcmVmaXgUX2hvdGVsQ3VycmVuY3lQcmVmaXgNX2N1cnJlbmN5Q29kZQlfY3VzdEd1aWQNX2N1c3RMb2NhdGlvbgpfZXh0Q3VzdENEBl90aXRsZQlfZnVsbE5hbWUKX2ZpcnN0TmFtZQ5fbWlkZGxlSW5pdGlhbAlfbGFzdE5hbWUNX2J1c2lu

Re: [PHP] CURL de-bugging: So why am I not getting the results page on the target site?

[Chris]

Chris wrote:
> ioannes wrote:
>> I didn't get any brave response on this, but given the other thread on
>> 'encription' I was wondering could anyone decrypt the __VIEWSTATE string
>> at the end of this message.  It is part of the input page whose results
>> page I am trying to retrieve back onto my server for further php work. 
>> I replicated the source from that input page onto a page on my server,
>> and when I click the submit button it correctly goes to the target
>> results page, on the other site though, however it did not work without
>> the whole of the string below.  The experiment proved though that
>> without the __VIEWSTATE the results page will not return.  So I am just
>> wondering, as I have not been able to repeat this using curl, what the
>>  is included in that string. There's a challenge for anyone with
>> whatever resources it takes.
> 
> echo base64_decode($view_state_string);

or maybe

print_r(base64_decode($view_state_string));

I don't know if it will return a string or an array or something else.

-- 
Postgresql & php tutorials
http://www.designmagick.com/

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] CURL de-bugging: So why am I not getting the results page on the target site?

[Chris]

ioannes wrote:
> I didn't get any brave response on this, but given the other thread on
> 'encription' I was wondering could anyone decrypt the __VIEWSTATE string
> at the end of this message.  It is part of the input page whose results
> page I am trying to retrieve back onto my server for further php work. 
> I replicated the source from that input page onto a page on my server,
> and when I click the submit button it correctly goes to the target
> results page, on the other site though, however it did not work without
> the whole of the string below.  The experiment proved though that
> without the __VIEWSTATE the results page will not return.  So I am just
> wondering, as I have not been able to repeat this using curl, what the
>  is included in that string. There's a challenge for anyone with
> whatever resources it takes.

echo base64_decode($view_state_string);

viewstate in asp.net is like sessions in php (I believe, I could be
completely wrong :P).

-- 
Postgresql & php tutorials
http://www.designmagick.com/

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] CURL de-bugging: So why am I not getting the results page on the target site?

[ioannes]

I didn't get any brave response on this, but given the other thread on 
'encription' I was wondering could anyone decrypt the __VIEWSTATE string 
at the end of this message.  It is part of the input page whose results 
page I am trying to retrieve back onto my server for further php work.  
I replicated the source from that input page onto a page on my server, 
and when I click the submit button it correctly goes to the target 
results page, on the other site though, however it did not work without 
the whole of the string below.  The experiment proved though that 
without the __VIEWSTATE the results page will not return.  So I am just 
wondering, as I have not been able to repeat this using curl, what the 
 is included in that string. There's a challenge for anyone with 
whatever resources it takes.


John


ioannes wrote:

For those that like CURL and calendars.
...

VIEWSTATE

curl_setopt($ch, 
CURLOPT_POSTFIELDS,"__VIEWSTATE=/wEPDwUKMTMyMjM3NTUzNw9kFgZmDxYCHgRUZXh0BYcMPHRhYmxlIGFsaWduPSJjZW50ZXIiIGNlbGxwYWRkaW5nPSIwIiBjZWxsc3BhY2luZz0iMCIgYm9yZGVyPSIwIj48dHI+PHRkPg0KPHVsIGlkPSJza2lwIj4NCiA8bGk+PGEgaHJlZj0iI21haW4iPlNraXAgdG8gbWFpbiBjb250ZW50PC9hPjwvbGk+DQo8L3VsPg0KPGRpdiBpZD0id3JhcHBlciIgY2xhc3M9ImNsZWFyIj4NCiA8ZGl2IGlkPSJoZWFkZXIiPg0KICAgICAgICAgICAgPGgxPg0KICAgICAgICAgICAgICAgIDxhIGhyZWY9Imh0dHA6Ly93d3cuZG9scGhpbnNxdWFyZS5jby51ay9ob3VzZS8iIHRpdGxlPSJEb2xwaGluIEhvdXNlIGhvbWUgcGFnZSI+RG9scGhpbg0KICAgICAgICAgICAgICAgICAgICBIb3VzZTwvYT48L2gxPg0KICAgICAgICAgICAgPGRpdiBpZD0ibmF2aWdhdGlvbiI+DQogICAgICAgICAgICAgICAgPHVsIGlkPSJuYXZfbWFpbiI+DQogICAgICAgICAgICAgICAgICAgIDxsaSBjbGFzcz0iYWJvdXQiPjxhIGhyZWY9Imh0dHA6Ly93d3cuZG9scGhpbnNxdWFyZS5jby51ay9ob3VzZS9hYm91dC8iIHRpdGxlPSJBYm91dCBEb2xwaGluIEhvdXNlIj4NCiAgICAgICAgICAgICAgICAgICAgICAgIEFib3V0IHVzPC9hPiA8L2xpPg0KICAgICAgICAgICAgICAgICAgICA8bGkgY2xhc3M9ImFyZWEiPjxhIGhyZWY9Imh0dHA6Ly93d3cuZG9scGhpbnNxdWFyZS5jby51ay9ob3VzZS90aGVhcmVhLyIgdGl0bGU9IlRoZSBhcmVhIj4NCiAgICAgICAgICAgICAgICAgICAgICAgIFRoZSBhcmVhPC9hPiA8L2xpPg0KICAgICAgICAgICAgICAgICAgICA8bGkgY2xhc3M9ImZhY2lsaXRpZXMiPjxhIGhyZWY9Imh0dHA6Ly93d3cuZG9scGhpbnNxdWFyZS5jby51ay9ob3VzZS9mYWNpbGl0aWVzLyINCiAgICAgICAgICAgICAgICAgICAgICAgIHRpdGxlPSJGYWNpbGl0aWVzIj5GYWNpbGl0aWVzPC9hPiA8L2xpPg0KICAgICAgICAgICAgICAgICAgICA8bGkgY2xhc3M9ImFwYXJ0bWVudHMiPjxhIGhyZWY9Imh0dHA6Ly93d3cuZG9scGhpbnNxdWFyZS5jby51ay9ob3VzZS9hcGFydG1lbnRzLyINCiAgICAgICAgICAgICAgICAgICAgICAgIHRpdGxlPSJUaGUgYXBhcnRtZW50cyI+QXBhcnRtZW50czwvYT4gPC9saT4NCiAgICAgICAgICAgICAgICAgICAgPGxpIGNsYXNzPSJib29rIj48YSBocmVmPSJodHRwczovL3Jlc2VydmF0aW9ucy5zeW54aXMuY29tL0xCRS9yZXouYXNweD9Ib3RlbD0xODQ4MyZDaGFpbj03MzcxJmxvY2FsZT1lbi1HQiINCiAgICAgICAgICAgICAgICAgICAgICAgIHRpdGxlPSJCb29rIG9ubGluZSI+Qm9vayBvbmxpbmU8L2E+PC9saT4NCiAgICAgICAgICAgICAgICAgICAgPGxpIGNsYXNzPSJjb250YWN0Ij48YSBocmVmPSJodHRwOi8vd3d3LmRvbHBoaW5zcXVhcmUuY28udWsvaG91c2UvY29udGFjdHVzLnBocCINCiAgICAgICAgICAgICAgICAgICAgICAgIHRpdGxlPSJDb250YWN0IHVzIj5Db250YWN0IHVzPC9hPjwvbGk+DQogICAgICAgICAgICAgICAgPC91bD4NCiAgICAgICAgICAgIDwvZGl2Pg0KICAgICAgICA8L2Rpdj4NCiA8ZGl2IGlkPSJtYWluIj4NCiAgPHA+DQogIGQCAQ9kFgICAQ8PFgIeB0xCRURhdGEy1jgAAQAAAP8BAAwCQUJFQnVzaW5lc3MsIFZlcnNpb249MC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1udWxsDAMAAABDQnVzaW5lc3MsIFZlcnNpb249NC42LjAuMzI4NTIsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49bnVsbAUBLFN5bnhpcy5BcHBsaWNhdGlvbi5CRS5CRUJ1c2luZXNzLkxCRS5MQkVEYXRhhA5faXNJbml0aWFsaXplZA1faG90ZWxDaGFuZ2VkFF9jdXN0b21lckluZm9DaGFuZ2VkDF9sb2dpbkZhaWxlZAtfbG9naW5FbWFpbA5faG90ZWxBdHRyRGF0YQhfaG90ZWxJRAhfY2hhaW5JRAlfaEFsaWFzSUQJX2NBbGlhc0lECV9hbHRTaGVsbAxfb3JpZ0hvdGVsSUQOX29yaWdIb3RlbE5hbWUOX2hvdGVsSXNBY3RpdmUJX2Rlc3RDb2RlCV9yZXpMZXZlbA9fcGF0aFRha2VuTGV2ZWwKX3N0ZXBGaWxlcxBfYnJlYWRDcnVtYnNGaWxlD19jb25maWdGaWxlUGF0aAdfbGFuZ0lEB19sb2NhbGUKX2hvdGVsR3VpZApfY2hhaW5HdWlkCV9kZXN0R3VpZAhfcmV6R3VpZApfaG90ZWxOYW1lCl9ob3RlbENvZGUKX2NoYWluTmFtZQlfZGVzdE5hbWUMX3JlelN0YXR1c0lECl9jb25maXJtTm8JX2NhbmNlbE5vEl9jYWxlbmRhclN0YXJ0RGF0ZQxfYXJyaXZhbERhdGUOX2RlcGFydHVyZURhdGUJX25pZ2h0UXR5CV9hZHVsdFF0eQlfY2hpbGRRdHkKX2p1bmlvclF0eQpfaW5mYW50UXR5Cl9zZW5pb3JRdHkIX3Jvb21RdHkRX3BhY2thZ2VEYXRhQXJyYXkSX3BhY2thZ2VUb3RhbFByaWNlCl9wcm9tb0NvZGULX2lhdGFOdW1iZXIQX3ZhbGlkSWF0YU51bWJlcghfYWdlbnRJRA9fdmFsaWRBZ2VudEd1aWQKX2dyb3VwQ29kZQ5fc3ViU291cmNlQ29kZQ1fYWxsb3dlZFJhdGVzDV9hbGxvd2VkUm9vbXMNX2F2ZXJhZ2VQcmljZRBfZmlyc3ROaWdodFByaWNlC190b3RhbFByaWNlEl90b3RhbFByaWNlV2l0aFRheA1fZGF0ZVJhdGVMaXN0DV9kYWlseVRheExpc3QOX2RhaWx5TWVhbExpc3QJX3JhdGVDb2RlCV9yYXRlR3VpZAlfcmF0ZU5hbWURX2lzU3VwcHJlc3NlZFJhdGUJX3Jvb21Db2RlCV9yb29tR3VpZAlfcm9vbU5hbWUOX3Jvb21Hcm91cENvZGUOX3Jvb21Hcm91cEd1aWQKX2ZpbHRlckJBUhVfaGFzQXZhaWxhYmxlUGFja2FnZXMSX2Jvb2tpbmdQb2xpY3lHdWlkEV9jYW5jZWxQb2xpY3lHdWlkD19jdXJyZW5jeVJhdGVJRA9fY3VycmVuY3lQcmVmaXgUX2hvdGVsQ3VycmVuY3lQcmVmaXgNX2N1cnJlbmN5Q29kZQlfY3VzdEd1aWQNX2N1c3RMb2NhdGlvbgpfZXh0Q3VzdENEBl90aXRsZQlfZnVsbE5hbWUKX2ZpcnN0TmFtZQ5fbWlkZGxlSW5pdGlhbAlfbGFzdE5hbWUNX2J1c2luZXNzTmFtZQ1fYnVzaW5lc3NVbml0CV9hZGRyZXNzMQlfYWRkcmVzczIJX2FkZHJlc3MzBV9jaXR5CF96aXBDb2RlB19waG9uZTEEX2Zh

[PHP] CURL de-bugging: So why am I not getting the results page on the target site?

[ioannes]

For those that like CURL and calendars.

Using CURL, I am accessing a form on a 'target' third party site (it is 
built around JavaScript DHTML DatePicker) and trying to POST various 
date and other inputs from its form and return the results page to my 
site for further processing with php.  However, I can only get the 
inputs page returned.  The third party site works fine when submitted 
from a browser.


I have tried testing various ways.

I put the source code of the target inputs page on my site.  I then 
changed the form to method=get and checked that my CURL expressions 
curl_setopt($curl_session, CURLOPT_POSTFIELDS,"variable_name") were all 
in the right order and had the correct HTML substitutions for colons and 
spaces etc.  Testing whether eg the submit variable has been posted, I 
get a good result.  Here is the bit of testing code on the test page:


  
if(ISSET($_POST["SubmitButton"])&&$_POST{"SubmitButton"}=="SubmitButton 
Value") {

   print("submitted - test.php page line 32"); // I can get this
   } else {
   print("not submitted - test.php page line 35 ");
   }

I have 17 variables being submitted.  I do notice that I only get the 
above result if the curl_setopt($curl_session, 
CURLOPT_POSTFIELDS,"submit_variable_name") is written in the calling 
page as the last in these expressions, whereas in the list of GET 
variables it comes 14th.  This worries me, it does not seem to be a 
problem with other variables, perhaps because the submit variable has a 
value with a space in it (becomes +).


curl_setopt($curl_sess, 
CURLOPT_POSTFIELDS,"Control%3ACheck_0%3AButton=Submit+This");


Thank you for staying with me so far.  I read that variables need to be 
in the right order for some reason.


I suspected that the page was trying to avoid spoofing by using 
sessions, but when I deleted all cookies on my computer and submit from 
the input page using a browser, I still got back a results page but not 
from the script.  So lack of sessions data was not what stops the page 
responding.


The input form page actually is coded as an aspx page.  It uses various 
javascripts and hidden fields like _EVENTTARGET, __EVENTARGUMENT, 
__LASTFOCUS, __VIEWSTATE (below).  The last is an encrypted version of 
the page to enable the Back button to work.  I suppose this could 
include something like a timestamp that stops CURL requests.


If interested, I can send you the actual URLs.

Any ideas on how to grab this result page?

John

PS

VIEWSTATE

curl_setopt($ch, 
CURLOPT_POSTFIELDS,"__VIEWSTATE=/wEPDwUKMTMyMjM3NTUzNw9kFgZmDxYCHgRUZXh0BYcMPHRhYmxlIGFsaWduPSJjZW50ZXIiIGNlbGxwYWRkaW5nPSIwIiBjZWxsc3BhY2luZz0iMCIgYm9yZGVyPSIwIj48dHI+PHRkPg0KPHVsIGlkPSJza2lwIj4NCiA8bGk+PGEgaHJlZj0iI21haW4iPlNraXAgdG8gbWFpbiBjb250ZW50PC9hPjwvbGk+DQo8L3VsPg0KPGRpdiBpZD0id3JhcHBlciIgY2xhc3M9ImNsZWFyIj4NCiA8ZGl2IGlkPSJoZWFkZXIiPg0KICAgICAgICAgICAgPGgxPg0KICAgICAgICAgICAgICAgIDxhIGhyZWY9Imh0dHA6Ly93d3cuZG9scGhpbnNxdWFyZS5jby51ay9ob3VzZS8iIHRpdGxlPSJEb2xwaGluIEhvdXNlIGhvbWUgcGFnZSI+RG9scGhpbg0KICAgICAgICAgICAgICAgICAgICBIb3VzZTwvYT48L2gxPg0KICAgICAgICAgICAgPGRpdiBpZD0ibmF2aWdhdGlvbiI+DQogICAgICAgICAgICAgICAgPHVsIGlkPSJuYXZfbWFpbiI+DQogICAgICAgICAgICAgICAgICAgIDxsaSBjbGFzcz0iYWJvdXQiPjxhIGhyZWY9Imh0dHA6Ly93d3cuZG9scGhpbnNxdWFyZS5jby51ay9ob3VzZS9hYm91dC8iIHRpdGxlPSJBYm91dCBEb2xwaGluIEhvdXNlIj4NCiAgICAgICAgICAgICAgICAgICAgICAgIEFib3V0IHVzPC9hPiA8L2xpPg0KICAgICAgICAgICAgICAgICAgICA8bGkgY2xhc3M9ImFyZWEiPjxhIGhyZWY9Imh0dHA6Ly93d3cuZG9scGhpbnNxdWFyZS5jby51ay9ob3VzZS90aGVhcmVhLyIgdGl0bGU9IlRoZSBhcmVhIj4NCiAgICAgICAgICAgICAgICAgICAgICAgIFRoZSBhcmVhPC9hPiA8L2xpPg0KICAgICAgICAgICAgICAgICAgICA8bGkgY2xhc3M9ImZhY2lsaXRpZXMiPjxhIGhyZWY9Imh0dHA6Ly93d3cuZG9scGhpbnNxdWFyZS5jby51ay9ob3VzZS9mYWNpbGl0aWVzLyINCiAgICAgICAgICAgICAgICAgICAgICAgIHRpdGxlPSJGYWNpbGl0aWVzIj5GYWNpbGl0aWVzPC9hPiA8L2xpPg0KICAgICAgICAgICAgICAgICAgICA8bGkgY2xhc3M9ImFwYXJ0bWVudHMiPjxhIGhyZWY9Imh0dHA6Ly93d3cuZG9scGhpbnNxdWFyZS5jby51ay9ob3VzZS9hcGFydG1lbnRzLyINCiAgICAgICAgICAgICAgICAgICAgICAgIHRpdGxlPSJUaGUgYXBhcnRtZW50cyI+QXBhcnRtZW50czwvYT4gPC9saT4NCiAgICAgICAgICAgICAgICAgICAgPGxpIGNsYXNzPSJib29rIj48YSBocmVmPSJodHRwczovL3Jlc2VydmF0aW9ucy5zeW54aXMuY29tL0xCRS9yZXouYXNweD9Ib3RlbD0xODQ4MyZDaGFpbj03MzcxJmxvY2FsZT1lbi1HQiINCiAgICAgICAgICAgICAgICAgICAgICAgIHRpdGxlPSJCb29rIG9ubGluZSI+Qm9vayBvbmxpbmU8L2E+PC9saT4NCiAgICAgICAgICAgICAgICAgICAgPGxpIGNsYXNzPSJjb250YWN0Ij48YSBocmVmPSJodHRwOi8vd3d3LmRvbHBoaW5zcXVhcmUuY28udWsvaG91c2UvY29udGFjdHVzLnBocCINCiAgICAgICAgICAgICAgICAgICAgICAgIHRpdGxlPSJDb250YWN0IHVzIj5Db250YWN0IHVzPC9hPjwvbGk+DQogICAgICAgICAgICAgICAgPC91bD4NCiAgICAgICAgICAgIDwvZGl2Pg0KICAgICAgICA8L2Rpdj4NCiA8ZGl2IGlkPSJtYWluIj4NCiAgPHA+DQogIGQCAQ9kFgICAQ8PFgIeB0xCRURhdGEy1jgAAQAAAP8BAAwCQUJFQnVzaW5lc3MsIFZlcnNpb249MC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1udWxsDAMAAABDQnVzaW5lc3MsIFZlcnNpb249NC42LjAuMzI4NTIsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49bnVsbAUBLFN5bnhpcy5BcHBsaWNhdGlvbi5CRS5CRUJ1c2luZXNzLkxCRS5MQkVEYXRhhA5faXNJbml0aWFsaXplZA1faG90ZWx