Usage of cookie in POSTMAN - php

I am trying to login to a website using postman.
The website is done using PHP and I have the username and the password for it.
I installed burp to check what are we posting in order to login, and it shows the following:
However, when I add the 3 of the parameters with their correct values in POSTMAN the site does not login, and I get the login page again, which means there is something wrong with the info I am sending.
I suspect this is the cookie, but how can I send a cookie with the Header's parameters in POSTMAN?
Although the same cookie appears below in the cookies section in POSTMAN as below.
EDIT 1:
The reason I am posting this is because I want to save to a CSV format the contents of a webpage by creating a PHP script that will go through the pages that are in this format http://example.com/page.php?id=151 and http://example.com/page.php?id=152 and so forth.
However, as mentioned my problem is the authentication where I can't seem to bypass the login page even though I have the username and the password.
At the moment, I am trying this using postman, to see if it is possible, because if it so, I will try to code it in PHP, but It is not working.

I would recommend you the following:
Run the request in your browser, open Dev Tools, copy the request as curl and import it in Postman. See a video on how to do it: https://youtu.be/lqqYBLJR1Yc
It is possible that the form you are submitting includes other values as well, such as a CSRF token, which is generated with each page load. If this is the case, things get more complicated - just let me know how it worked out.

Related

POST, GET and cookies via PHP

I posted this question earlier but it was misinterpreted by those reading it and was closed before I had time to clarify. If you don't understand what I mean, please ask!
I have a site, let's call it "site A". On "site A", there is a log in page. On this page, you POST a username and password to a PHP script. If the login details are correct, the PHP script sets a cookie on the browser. This cookie is called "SESSION".
When you view the site, it checks whether "SESSION" is valid, and displays either the information or the login page.
I want to connect to the page via PHP and POST the login details. I then want to store the "SESSION" cookie via PHP, and display the contents of the page (again, via PHP).
How would I do this?
You can use PHP as a web client as well. You can use the cUrl library to make requests from PHP.
You can use setopt to set all kinds op options for your cUrl session, including POST (CURLOPT_POST) and the POST variables (CURLOPT_POSTFIELDS), but also choose a kind of authentication (CURLOPT_HTTPAUTH) in case the site doesn't use normal post for this.
I found an example that might be useful here: http://davidwalsh.name/curl-post, although you can find many other examples by Googling for something like 'php curl post'.

Logging in to a website a curl-based POST request not working

I'm trying to download a page, reddit.com/gold, one has to be logged in to access it, so my first instinct was to use curl in order to post the login form data and log in.
I came this far: http://pastie.org/3387061
The script outputs the page that is presented to you if you're not logged in, so I'm fairly certain it isn't working as it should.
Here's the login form, if that's needed (I de-minified it): http://pastie.org/3387065
Thanks for reading and for any help.
Make sure you use the same value for CURLOPT_COOKIEJAR on both requests and also add an option CURLOPT_COOKIEFILE with the same value.
try using chrome inspector to login and see what actual POST vars are being sent, there might be something you've missed

how I can give my credentials with get_contents? php

I have looked at some examples and they use Curl in php etc but I just want a simple command that passes my credentials to a site so it can login and give me access to download a file. Current problem is when I try to use get_contents I get stuck at login page because it needs a login before it can allow a download so isnt there a way to send my login info before get_contents in php? Thanks
for example we can assume the website is located at www.confluence.com
You're out of luck. file_get_contents() can only get content, hence the name. You can try to authenticate via the get syntax for standard authentication, like http://username:password#example.com.
If you have to post your credentials via HTTP POST, you'll have to use curl.
The problem is that when you log in the server send to your browser a cookies that your browser automatically stores.
With file_get_content() you can actually pass cookies ( the third context parameter of file_get_content() can handle this).
Have a look at stream context create.
By the way, you need to first send your login info to the login page (with curl), when you recive cookies back, pass them as option to file_get_content() and the trick is done.
If the server is using a login system different from cookies let us know, so we can help you

Get the source of a file using PHP

I'm trying to get the source of a file using PHP and the file_get_contents function.
The problem is that the website requires a login. I thought that this could be bypassed by logging into the site first and then use the file_get_contents function but this is not the case. The page that the function returns is the login page.
This is the code:
<?php
if (isset($_GET['getroster'])){
$file = stripslashes(file_get_contents('https://intranet.hlf.de/custom/cddTUB.asp?show=1'));
print ($file);
}
?>
As you can see when running this function, or when going to the url, it requests a username, password and company from a dropdown list.
Is it possible to pass these values to the page by using this or any other PHP function. Or maybe doing it in a totally different way?
The cookies in your browser, and the cookies can be sent with PHP are completely unrelated.
Using curl you can set the options CURLOPT_COOKIEJAR and CURLOPT_COOKIEFILE to specify a file in which cookies should be stored and loaded from.
Doing that you will first have to make a request that does the login (this will get you the cookie). Next you can do the request you wanted to do as a logged in user (because now curl has the cookies).
You have to send the correct cookies. If you can use curl, then the script on this page should help. You can also take a look at this SO question (it's slightly different from your case since it's reusing browser cookies to make the request).
Any change you could post an example of how to do that Daniel?
There wouldn't be an option of creating a login like form which sents the user information to the page to login automatically?
Read something about the stream_context_create function which could do a login by sending header information but I really wouldn't where to start. The examples posted about that only give username and password but I ofcourse have a third option to post to the authentication page!

Gmail/Facebook without username/password - PHP Login Header Problem

I want to create my own personal login gateway into Gmail/Facebook/any other site. In this gateway I enter my master username and password, then I can choose where to login (gmail/facebook/etc) without entering those usernames because they are stored on the server.
I tried to implement this by using cURL to send POST request with the headers and post data sent in Firefox during regular login. However, this doesn't work for neither facebook or gmail.
Has anyone tried this or have an idea about why this doesn't work?
Thanks.
// Edited
I am thinking the problem that it doesn't work lie in the fact that the IP address of the php server which sent the curl request to gmail is different from my browser's so, when the response from the gmail server is fed back to the browser, it still cannot authenticate.
Or is that the cookie I sent using curl to Gmail server actually changes according to time.
Based on your reply to my comment cURL is useless for your problem. You need to authenticate your browser with your services (gmail, facebook, ...), what you are doing now is authenticating your script (or your server).
You will have to use JavaScript to accomplish what you want. If you store your credentials for the services on your server, then send them back to the client once you successfully log-in into your webpage. Then you could create a hidden iframe with the "src" attribute set to the login page of the chosen service. Once the iframe loads you can fill the login information (username/password) into the appropriate fields and submit the form. Once this is complete you should be loged-in into your services.
There are probably some other techniques but this is the first that springs to mind ...
This is not necessarily feasible, Gmail and Facebook may be doing very simple checks to see who the referer is and when it comes from your site rather than their own login page refuses to login. This is basic security checks.
You would need to look at their api to see if you can do anything, or possibly you could use javascript and a firefox plugin to write your username and password to the webform then submit the form, a bit of a hack but might do what you want.
There is no reason why the cURL method you tried wont work with the correct headers. playing around scraping sites like digg.com i found i needed a valid USER AGENT header and of course an appropriate REFERER URL, keep going with the curl technique if that will work best for you overall. use an http header add-on to firefox to see what headers you are sending to gmail and then fake them completely.
Tryusing firebug to find out what the response returned, It should always give you the best lead.
I see no reason why it wont work, I read my Gmail and analytics with Curl.
Have you configured curl to accept and store cookies? Usually once you've been authenticated for an online service it will send you a security token in the form of a cookie that you can send back with every subsequent request to verify your authorisation.

Categories