EvilZone
Community => General discussion => : techb April 09, 2012, 01:21:38 AM
-
I've been thinking about making a script to log-in and do some crawling for unread posts, and what-not.
I am looking at the source and see several parameters (user, passwrd, cookielength, Login, hash_passwrd). I've never seen something like hash_passwrd, does it want an md5 of the password or something?
I am trying to log-in from the urlbar before I get into the code, but can't seem to do it here. Is there something I'm missing?
Here is what I've been trying
http://www.evilzone.org/index.php?user=techb&passwrd=lolz&cookielength=-1&submit=Login&hash_passwrd=pass_in_md5
-
They already have a link for that in the top right hand corner under your username "Show unread posts since last visit. (http://evilzone.org/../../unread/)"
http://evilzone.org/unread/ (http://evilzone.org/unread/)
-
I know, and I use it often.
I will be doing other things besides getting unread posts. Automated hello's in the introduction section, unread posts that would interest me instead of getting all of them at once, desktop widgets, screen-savers with realtime data from ez, etc.
Besides, it will be good practice. Could port it to SL4A and have updates on my android and provide an easier way of reading and responding than logging in via the phones webbrowser.
-
I'm still a total newbie so I doubt I'm right but in the login script they are using a POST to pass data not GET so I don't think you can pass your own data in the url like you'd want, I could be wrong though.
As for the hash_passwrd hidden input, I've never implemented any kind of password encryption on any of my logins so I don't understand much even though I've read about hashing concepts, I did noticed they're using some javascript @ http://evilzone.org/Themes/default/scripts/sha1.js (http://evilzone.org/../../Themes/default/scripts/sha1.js) and the link to read about the script is @ http://pajhome.org.uk/crypt/md5/ (http://pajhome.org.uk/crypt/md5/) .
-
I know how to do it, I even do proper cookie handling. What I needed to know is what all POST data to encode and send to the server. And I can hash with almost any encryption. Just need to know from the devs what kind of hash and what needs to be POSTed.
-
http://evilzone.org/Themes/default/scripts/script.js
function hashLoginPassword(doForm, cur_session_id)
{
// Compatibility.
if (cur_session_id == null)
cur_session_id = smf_session_id;
if (typeof(hex_sha1) == 'undefined')
return;
// Are they using an email address?
if (doForm.user.value.indexOf('@') != -1)
return;
// Unless the browser is Opera, the password will not save properly.
if (!('opera' in window))
doForm.passwrd.autocomplete = 'off';
doForm.hash_passwrd.value = hex_sha1(hex_sha1(doForm.user.value.php_to8bit().php_strtolower() + doForm.passwrd.value.php_to8bit()) + cur_session_id);
// It looks nicer to fill it with asterisks, but Firefox will try to save that.
if (is_ff != -1)
doForm.passwrd.value = '';
else
doForm.passwrd.value = doForm.passwrd.value.replace(/./g, '*');
}
I'm assuming that hash isn't necessary because I can login just fine with noscript. And monitoring the POST data confirms that, hash_passwrd is empty... when JS is enabled it's the opposite.
This seems to work for me:
$ cat < req.txt
POST /login2/ HTTP/1.1
Host: evilzone.org
Content-Type: application/x-www-form-urlencoded
Content-Length: 40
user=user&passwrd=pass&cookielength=1440
$ nc evilzone.org 80 < req.txt
is 200 OK on fail, and 302 Found on success.
-
Okay, I got it. I was posting to .../login/ because I failed to see .../login2/.
It's working now, thanks xzid for clearing up the POST data for me.