1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Login via CURL

Discussion in 'XenForo Development Discussions' started by Aayush, Mar 9, 2014.

  1. Aayush

    Aayush Well-Known Member

    Is it possible to login to Xenforo forum via curl in a PHP script. I am not sure how the login process works, but there is no xfToken present on the login page so people can login easily.

    Suppose I wanted to build a spam script(not really ;) )

    How would I login and keep the session so that I can create and post a thread.

    Any Ideas?

    PS: I don't want to use some sort of API for an addon as I don't have access to the forum admin page.
     
  2. Aayush

    Aayush Well-Known Member

    Ohk figured out, how to login via CURL but still can't figure out how to fake an ajax request and create a new thread in a particular forum.

    If anyone want's to know how I did it, you can read the following code.

    Code:
    $username = "aayush";
    $password = "random";
    $url = "http://localhost/xf/index.php?login/login";
    
    $curl_handle = curl_init ($url);
    curl_setopt($ch, CURLOPT_COOKIESESSION, true);
    curl_setopt ($curl_handle, CURLOPT_COOKIEJAR, 'cookie.txt');
    curl_setopt ($curl_handle, CURLOPT_COOKIEFILE, 'cookie.txt');
    
    curl_setopt ($curl_handle, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_HEADER, 1);
    curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:11.0) Gecko/20100101 Firefox/11.0");
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
    $post_array = array('login' => $username, 'password' => $password, 'cookie_check' => 1, 'redirect' => 'http://localhost/xf/index.php', 'register' => 0, 'remember' => 1);
    curl_setopt($curl_handle, CURLOPT_POSTFIELDS, http_build_query($post_array));
    $output = curl_exec ($curl_handle);
    
    //Now logged in
    
    $curl_handle = curl_init ('http://localhost/xf/index.php);
    
    curl_setopt($ch, CURLOPT_COOKIESESSION, true);
    curl_setopt ($curl_handle, CURLOPT_COOKIEJAR, 'cookie.txt');
    curl_setopt ($curl_handle, CURLOPT_COOKIEFILE, 'cookie.txt');
    curl_setopt ($curl_handle, CURLOPT_RETURNTRANSFER, true);
    $output = curl_exec ($curl_handle);
    echo $output;
    
    Once you echo the output you'll see a page with you logged in..


    If anyone knows how to fake an ajax request via post and curl, that would be really helpful.
     
  3. Chris D

    Chris D XenForo Developer Staff Member

    Why do you need to fake an AJAX request?

    Similar to your code above, you just need to submit the new thread data using POST to the correct URL, e.g. index.php?forums/main-forum.2/add-thread

    AJAX has no relevance here because AJAX is primarily a method to asynchronously load data into the DOM on the client side.
     
  4. Aayush

    Aayush Well-Known Member


    Checked that thing out but if you notice on the _xfToken on the create thread page which would be required to be submitting to the add thread page.

    PS: I just stumbled upon PhantomJS, maybe I could use it. Not sure though...
     
  5. Daniel Hood

    Daniel Hood Well-Known Member

    What Chris is saying is that you can submit the same parameters through your curl. You don't have fake Ajax just pass the token the same way as the user and password.
     
    Chris D likes this.
  6. Aayush

    Aayush Well-Known Member

    I'll give it a go without token once, but I can't really grab the token, it is appended via JS, once I grab the dom via CURL, there is no xfToken located in it.
     
  7. Aayush

    Aayush Well-Known Member

    So i've got this to work YAY :D

    Actually, I am exploiting the fact that XF always sends a token attached so that user can logout, so I am using that token for adding a thread.

    If I directly sent a post request, XF raises a security issue and asks be to go back and refresh.
     
  8. xfrocks

    xfrocks Well-Known Member

    If you are in control of the target site, using [bd] API may be a better idea.
     
  9. Aayush

    Aayush Well-Known Member

    Thanks for suggestion but as I mentioned in the OP that I don't have access to the admin panel of forum.
    If I had, That addon was on top of my list.


    PS: Please close this thread, this has been solved.
     
    xfrocks likes this.
  10. KenBrace

    KenBrace Active Member

    I'm creating a similar web app that saves threads.

    Everything works but I need the bot to be able to access member-only threads.

    I used the above script and tried to access a member-only thread on my forum but it simply displays the login page and tells me that I need to be logged in to perform that action.

    Also it should be noted that I fixed the obvious problem with the above code ($ch variables where there should be $curl_handle). Still no luck.

    This is the code I'm using...

    Code:
    $username = "(username)";
    $password = "(password)";
    $url = "http://mysite.com/index.php?login/login";
    
    $curl_handle = curl_init();
    curl_setopt($curl_handle, CURLOPT_URL, $url);
    curl_setopt($curl_handle, CURLOPT_COOKIESESSION, true);
    curl_setopt ($curl_handle, CURLOPT_COOKIEJAR, 'cookie.txt');
    curl_setopt ($curl_handle, CURLOPT_COOKIEFILE, 'cookie.txt');
    
    curl_setopt ($curl_handle, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($curl_handle, CURLOPT_HEADER, 1);
    curl_setopt($curl_handle, CURLOPT_USERAGENT, "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:11.0) Gecko/20100101 Firefox/11.0");
    curl_setopt($curl_handle, CURLOPT_FOLLOWLOCATION, 1);
    $post_array = array('login' => $username, 'password' => $password, 'cookie_check' => 1, 'redirect' => 'http://mysite.com/index.php', 'register' => 0, 'remember' => 1);
    curl_setopt($curl_handle, CURLOPT_POSTFIELDS, http_build_query($post_array));
    $output = curl_exec($curl_handle);
    
    if(!$output){
        echo "error";
    } else {
        echo "done";
    }
    
    curl_close($curl_handle);
    
    //Now logged in
    
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, "http://mysite.com/threads/some-random-thread.947");
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    
    curl_setopt($ch, CURLOPT_COOKIEJAR, '/cookies.txt');
    curl_setopt($ch, CURLOPT_COOKIEFILE, '/cookies.txt');
    
    echo $output = curl_exec($ch);
    $info = curl_getinfo($ch);
    curl_close($ch);
     

Share This Page