Authentication using WinHttpRequest

[Pulover]

I have just a basic knowledge about GET and POST methods and I'm trying to understand how to use them. I've read a lot of posts on the old forum and other sites about it but still can't seem to succeed on a simple login using WinHttpRequest.

This is the code I've adapted from an example I've found. I'm trying to login on the forum but the ResponseText seems to be the same login page. I've got the headers from Fiddler.

Can someone tell me if I'm doing it wrong, please? I wonder if I need the session ID (sid), but I don't know how to get it.

Code: Select all

#NoEnv
#SingleInstance, Force

InputBox, pass, Password, Enter password.
URL := "http://auto-hotkey.com/boards/ucp.php?mode=login"
PostData := "username=Pulover&password=" pass

oHTTP := ComObjCreate("WinHttp.WinHttpRequest.5.1")
;Post request
oHTTP.Open("POST", URL , False)
;Add User-Agent header
oHTTP.SetRequestHeader("User-Agent", "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)")
;Add Referer header
oHTTP.SetRequestHeader("Referer", URL)
;Add Content-Type
oHTTP.SetRequestHeader("Content-Type", "application/x-www-form-urlencoded")
;Send POST request
oHTTP.Send(PostData)
;Get received data
Gui, Add, Edit, w800 r30, % oHTTP.ResponseText
Gui, Show
return

GuiClose:
ExitApp

[Pulover]

I got it working!
The post data requires a login=Login. I'll see if I can do the same in website I want to access now.

Code: Select all

#NoEnv
#SingleInstance, Force

InputBox, pass, Password, Enter password.
URL := "http://auto-hotkey.com/boards/ucp.php?mode=login"
PostData := "username=Pulover&password=" pass "&login=Login"

oHTTP := ComObjCreate("WinHttp.WinHttpRequest.5.1")
;Post request
oHTTP.Open("POST", URL , False)
;Add User-Agent header
oHTTP.SetRequestHeader("User-Agent", "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)")
;Add Referer header
oHTTP.SetRequestHeader("Referer", URL)
;Add Content-Type
oHTTP.SetRequestHeader("Content-Type", "application/x-www-form-urlencoded")
;Send POST request
oHTTP.Send(PostData)
;Get received data
Gui, Add, Edit, w800 r30, % oHTTP.ResponseText
Gui, Show
return

GuiClose:
ExitApp

[tank]

looks like your missing a few params

Code: Select all

"username=Pulover&password=" pass [color=#FF0000]"&redirect=./ucp.php?mode=login&redirect=index.php&login=Login"[/color]

Nothing else jumps out at me

[tank]

ha ha you figured it out before my post

[Pulover]

ha ha you figured it out before my post

Yeah, I thought it should be simple! Thanks anyway, tank!

So how does it work once I'm logged in? I need to send commands to retrieve information and do actions that Fiddler identifies as method=. Should I use Send for those or must I somehow navigate to the page that contains the button? And how do I know if it worked?

[tank]

you always use send
if the method is post then you send the data just as you did for the login. and you may yet need to capture and use the sid since there is no browser object

[Pulover]

you always use send
if the method is post then you send the data just as you did for the login. and you may yet need to capture and use the sid since there is no browser object

Thanks, tank! It worked for the forum. I was able to get the sid and navigate to the control panel. I've placed the code at the end of this post if anyone's interested (I'm missing the spoiler tags here ).

However it seems that I cannot login to the website I really want to, the response is always the login page.
The following is the Post captured by Fiddler when I login (sorry I had to omit the site address because this is not for me so...) and below is my latest attempt. Is there a problem because the site is HTTPS?

Code: Select all

POST https://secure.xxx.com/secure_login.html HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: https://secure.xxx.com/secure_login.html
Accept-Language: pt-BR
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Host: secure.xxx.com
Content-Length: 133
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: S=eho838c56c7eednra0lum2fmo3; B=b=939124E86791B563; __utma=50703532.935389667.1380635149.1380733872.1380740551.5; __utmz=50703532.1380635149.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); lithiumSSO%3A=~2oe1bduIWA5PsaJoU~N8WHENIFWKwufCJJW52aSPFrQ9qtzM6ZX0OAYm_AuzdC9uA0rn_Pd8CVWpRqhhR8EBQNQlawbSeepG6sZN1Umo9Lp_vRwDc34NuDiEtT8K02NzIMGDDapwG8Fd4ZLvPCZ8bCvlwnpNalvSllGbgLFgz7cIBWy6moAGlKO2d548zaFtshlo44lNGwOcJhgiXfpeboGipLfNOAJaDZcVgU6wvy8UtJVhMq-fKzyVo13xDIULFkq0tbG25n0bWhGMSOxf_miRI1VS0BiOrGCJkvYBAXbcV_2ANoO8pTTcwbx_4.; __utmb=50703532.0.10.1380740551; __utmc=50703532; remember=N

[email protected]&token=2fd7d1a7242bfcb48d443d5b6eccfcf8&password=pass&tprefs1=&tprefs2=2a2hWfc2qiMc.1ij0_p.5BgYi1

Code: Select all

#NoEnv
#SingleInstance, Force

URL := "https://secure.xxx.com/secure_login.html"
URL2 := "http://www.xxx.com/apps/prod.html?ll=nav"
ID := "5455891280"

oHTTP := ComObjCreate("WinHttp.WinHttpRequest.5.1")
oHTTP.Open("GET", URL , False)
oHTTP.SetRequestHeader("Referer", URL)
oHTTP.Send()

; The "Cookie" header that appears in Fiddler does not show up in GetAllResponseHeaders.

; Here I get the token from the headers.
RegExMatch(oHTTP.GetAllResponseHeaders(), "S=(\w+?);", Token)

; Trying to reproduce what I see in Fiddler.
PostData := "
(Join&
[email protected]
token=" Token1 "
password=pass
tprefs1=
tprefs2=2a2hWfc2qiMc.1ij0_p.5BgYi1
)"
oHTTP.Open("POST", URL , False)
oHTTP.SetRequestHeader("User-Agent", "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)")
oHTTP.SetRequestHeader("Content-Type", "application/x-www-form-urlencoded")
oHTTP.SetRequestHeader("Referer", URL)
oHTTP.Send(PostData)

; This would be to navigate to the prod page.
; oHTTP.Open("GET", URL2 "#/prod/" ID , False)
; oHTTP.SetRequestHeader("Referer", URL)
; oHTTP.Send("application_id=user&format=JSON&session_token=" Token1)

Gui, Add, Edit, w800 r1, % Token1
Gui, Add, Edit, w800 r15, % oHTTP.GetAllResponseHeaders()
Gui, Add, Edit, w800 r30, % oHTTP.ResponseText
Gui, Show
return

This works to get to the control panel on the forum.

Code: Select all

#NoEnv
#SingleInstance, Force

user := "Pulover"
InputBox, pass, Password, Enter password.

URL := "http://auto-hotkey.com/boards/ucp.php?mode=login"
URL2 := "http://auto-hotkey.com/boards/ucp.php"
PostData := "username=" user "&password=" pass "&login=Login"

oHTTP := ComObjCreate("WinHttp.WinHttpRequest.5.1")
oHTTP.Open("POST", URL , False)
oHTTP.SetRequestHeader("User-Agent", "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)")
oHTTP.SetRequestHeader("Referer", URL)
oHTTP.SetRequestHeader("Content-Type", "application/x-www-form-urlencoded")
oHTTP.Send(PostData)
RegExMatch(oHTTP.GetAllResponseHeaders(), "_sid=(\w+?);", id)
oHTTP.Open("GET", URL2 , False)
oHTTP.SetRequestHeader("Referer", URL)
oHTTP.Send("sid=id1")
Gui, Add, Edit, w800 r15, % oHTTP.GetAllResponseHeaders()
Gui, Add, Edit, w800 r30, % oHTTP.ResponseText
Gui, Show
return

GuiClose:
ExitApp

[Blackholyman]

I have run in to this problem before and i don't have a real solution

but until i found another way to do my calls i used a webbrowser to login and then get the cookie with webbrowser.document.cookie

here is an example of doing a post with a click-event specific to my web interface at work.

Code: Select all

WebReqPostClick(webbrowser, Element, NewValue)
{
global MXServer
	Body .= "hiddenframe=true"
	Body .= "&event=click"
	Body .= "&targetid=" Element.id
	RegExMatch(webbrowser.document.parentwindow.LOGOUTURL, "uisessionid=(\d+)", uisessionid)
	Body .= "&uisessionid=" uisessionid1
	;~ msgbox % Body
	ThisLength := StrLen(body)
	Response := []
	WebRequest := ComObjCreate("WinHttp.WinHttpRequest.5.1")
	try	WebRequest.Open("POST", MXServer "/maximo/ui/maximo.jsp", false)
	catch	error
	{
		ErrorLevel := "WebReqPostClick Error: " error.Message
		return	false
	}
		WebRequest.SetRequestHeader("Accept", "image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*")
		WebRequest.SetRequestHeader("Referer", MXServer . "/maximo/ui/maximo.jsp")
		WebRequest.SetRequestHeader("Accept-Language", "da")
		WebRequest.SetRequestHeader("Content-Type", "application/x-www-form-urlencoded")
		WebRequest.SetRequestHeader("UA-CPU", "x86")
		WebRequest.SetRequestHeader("Accept-Encoding", "gzip, deflate")
		WebRequest.SetRequestHeader("User-Agent", "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E)")
		Server := RegExReplace(MXServer, "http://")
		WebRequest.SetRequestHeader("Host", Server)
		WebRequest.SetRequestHeader("Pragma", "no-cache")
		WebRequest.SetRequestHeader("Connection", "Keep-Alive")
		WebRequest.SetRequestHeader("Content-Length", ThisLength)
		WebRequest.SetRequestHeader("Cookie", thisCookie := webbrowser.document.cookie)
	WebRequest.Send(Body)
	Response["Text"] := WebRequest.ResponseText
	Response["Headers"] := WebRequest.GetAllResponseHeaders
	WebRequest := ""
	return Response
}

its not as clean as some of the new functions i use but you still get an idea...

Hope it helps

[tmplinshi]

Pulover, I use the GET/POST very often, I wish to help you, I will consider write a tutorial, and please feel free to contact me via PM or gmail.

Some points to do the http request:

1. cookie
The most important thing. This is how the browser know you are loged in or not.

I suggest to clear the cookie before start recording in Fiddler. And when finished recording, check out which http request has cookie changes, generally those requests are needed. For example:

POST https://secure.xxx.com/secure_login.html HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: https://secure.xxx.com/secure_login.html
Accept-Language: pt-BR
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Host: secure.xxx.com
Content-Length: 133
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: S=eho838c56c7eednra0lum2fmo3; B=b=939124E86791B563; __utma=50703532.935389667.1380635149.1380733872.1380740551.5; __utmz=50703532.1380635149.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); lithiumSSO%3A=~2oe1bduIWA5PsaJoU~N8WHENIFWKwufCJJW52aSPFrQ9qtzM6ZX0OAYm_AuzdC9uA0rn_Pd8CVWpRqhhR8EBQNQlawbSeepG6sZN1Umo9Lp_vRwDc34NuDiEtT8K02NzIMGDDapwG8Fd4ZLvPCZ8bCvlwnpNalvSllGbgLFgz7cIBWy6moAGlKO2d548zaFtshlo44lNGwOcJhgiXfpeboGipLfNOAJaDZcVgU6wvy8UtJVhMq-fKzyVo13xDIULFkq0tbG25n0bWhGMSOxf_miRI1VS0BiOrGCJkvYBAXbcV_2ANoO8pTTcwbx_4.; __utmb=50703532.0.10.1380740551; __utmc=50703532; remember=N

username=[email protected]&token=2fd7d1a7242bfcb48d443d5b6eccfcf8&password=pass&tprefs1=&tprefs2=2a2hWfc2qiMc.1ij0_p.5BgYi1

The cookie "S=eho838c56c7eednra0lum2fmo3; B=b=939124E86791B563;" is probably needed, so it's best to get this cookie before post. Usually this cookie will be set when opening the login page.
The cookie marked as yellow text, like "__utma=" is no use for us, I've searched this on google before, people said this is for google recording.

2. Referer and other headers
Referer is also suggest to send in the http request. Sometimes the request will fail when there's no referer.
User-Agent suggest to use too.
Other headers is not very important, but when the request is failed, try to adding more header will help.

---------------------------------------------------------
btw: I use HttpWatch and HTTP Analyzer V7 for recording http request. HTTP Analyzer V7 can record all process or a specific process. And I use HTTPRequest.ahk to do the GET/POST.

=============================================================
HTTPRequest.ahk Example for this forum login:

Code: Select all

#Include <HTTPRequest>
#NoEnv
#SingleInstance Force
SetWorkingDir %A_ScriptDir%
SetBatchLines -1
ListLines Off

; Set HTTPRequest Options
	Options := "+Flag: INTERNET_FLAG_NO_COOKIES"		; Not use the IE browser's cookie
	Options .= A_IsUnicode ? "`nCharset: UTF-8" : ""

Tooltip, Get cookie and sid...
	cookie := ""

	url := "http://www.auto-hotkey.com/boards/ucp.php?mode=login"
	HTTPRequest(url, InOutData := "", InOutHeader := Headers(), Options)

	cookie := CookiesFromHeader(InOutHeader)
	; sid    := RegExReplace(InOutHeader, "^.*phpbb3_ghjir_sid=([^;]+).*$", "$1")
	sid    := StrX(InOutHeader,  "phpbb3_ghjir_sid=","",17,  ";",1,1,  "")

Tooltip, Login...
	url := "http://www.auto-hotkey.com/boards/ucp.php?mode=login&sid=" sid
	referer := "http://www.auto-hotkey.com/boards/ucp.php?mode=login"
	data =
	(LTrim Join&
		username=USERNAME_HERE
		password=PASSWORD_HERE
		autologin=on
		redirect=./ucp.php?mode=login&sid=%sid%
		sid=%sid%
		redirect=index.php
		login=Login
	)
	HTTPRequest(url, InOutData := data, InOutHeader := Headers(referer), Options)

	cookie .= CookiesFromHeader(InOutHeader)

	if InStr(InOutData, "> Logout [")
		MsgBox, Login Successful!
	else
		MsgBox, Login Fail.



; =========================== Functions ===========================
Headers(referer = "")
{
    global cookie

    Headers =
    ( LTRIM
        Referer: %referer%
        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
        Cookie: %cookie%
    )

    return Headers
}

CookiesFromHeader( headerData ) {
   while ( p := RegExMatch( headerData, "sim`a)^Set-Cookie:\s*(?P<Crumb>[^;]+);", Cookie, ( p ? p+StrLen(Cookie) : 1 ) ) )
      Cookies .= ( StrLen( Cookies ) ? " " : "" ) CookieCrumb ";"
   return Cookies " "
}

StrX( H,  BS="",BO=0,BT=1,   ES="",EO=0,ET=1,  ByRef N="" ) { ;    | by Skan | 19-Nov-2009
Return SubStr(H,P:=(((Z:=StrLen(ES))+(X:=StrLen(H))+StrLen(BS)-Z-X)?((T:=InStr(H,BS,0,((BO
 <0)?(1):(BO))))?(T+BT):(X+1)):(1)),(N:=P+((Z)?((T:=InStr(H,ES,0,((EO)?(P+1):(0))))?(T-P+Z
 +(0-ET)):(X+P)):(X)))-P) ; v1.0-196c 21-Nov-2009 www.autohotkey.com/forum/topic51354.html
}

[Pulover]

@Blackholyman: Thanks for your example! It helped me understand better the role of the Cookie. But I was really hoping to not use a browser in this case, so I made more tests based on your example and tmplinshi's explanation and I seem to be getting somewhere.

@tmplinshi: This is a good explanation. Thanks! Now I know that the cookie is the a concatenation of the Set-Cookie lines in the response headers of the GET request.
I set the cookie using SetRequestHeader and I'm not sent back to the Login or Home page anymore. The problem now is that I seem to be getting encrypted response data, all I see is a "[]".
I'll contact you through PM so I can give you the correct address and login info. Maybe we can figure this out.

If any of you guys have faced issues with encrypted/encoded data too (I think it is because Fiddler is able to decode it) I'd be glad to receive some advice.
Thank you all!

[tank]

i think it is very important to remember to remember that a cookie is a client side. Some sites validate the values against a DB but if its a hash value the site will usually accept any hash value you send. some experimentation is required of course.

an SID is a reference to a session file that stores data in variables relative to the session. the values are on the server side and shouldnt be able to be altered from the browser except for bad code writing. the SID is often stored in a cookie or passed in a querystring. but the session file must actually exist on the server and not be expired. this value typically is destroyed when the browser closes. so you may not insert your own value.

i Use Fiddler extensively in my career. I prefer it. i use add-ons like X5 to do some light vulnerability testing. but i also use it to reconstruct headers and request body to write http requests.

[Pulover]

That's valuable information, tank! It all makes more sense to me now. Thanks.

I'll experiment with other sites to learn more details. For this one I could not get this method to work but tmplinshi got me a working version with VxE's function that got me where I wanted. HTTPRequest() works very well and it's really fast so I'll stick with it for this project (Thank you too, VxE ).

[Vega]

Sorry about digging up such an old topic, but as I'm using the exact same method to use POST, this may be the best way to get a quick answer.
My question is:
Using the POST method as described in this thread the postdata I'm sending is encrypted? (using https in the url)

Thanks

[Vega]

<resolved>
It took an hour or two to get to know wireshark, but I can confirm that if url is https the whole data exchange is encrypted, so this method can be used for secure login, if the server has ssl cert.