Access non-public content from Websites

6 replies to this topic
coin-god
    High Roller

  • $outh $ide Hoodz
  • Joined: 18 Mar 2007

#1

Posted 09 April 2012 - 11:51 AM

I know it may sound weird, but it's not. :)

I've been having a quick look at PHP because I just wanted to make my own signature rotator. But once I finished that, I started to think about the things I could do with PHP scripts that return images.
For example, check my signature. It gets today's top poster data and makes fun of him.

I'm basically using the function file_get_contents, where I need the URL to get data from.
But that was easy to do since the Forum Stats are public. If I want to get data from my profile or any other members-only section of the forum, I can't, since the script won't be able to access that.

Is there any way I can do it?

BTW, I first used PHP today. Still getting the hang of the syntax and stuff.

Edmachine
  • Andolini Mafia Family
  • Joined: 14 May 2005

#2

Posted 09 April 2012 - 12:08 PM

To be honest, I have no idea, but I think you may want to check out cURL... See if this helps:
http://www.electrict...p-curl-cookies/
http://lv.php.net/ma...n/book.curl.php

coin-god
    High Roller

  • $outh $ide Hoodz
  • Joined: 18 Mar 2007

#3

Posted 09 April 2012 - 12:14 PM

Seems that I can use cURL to log in to a website. I would probably have to create a new account for that... since it may risk mine.

K^2
    Vidi Vici Veni

  • Moderator
  • Joined: 14 Apr 2004
  • United-States
  • Most Knowledgeable [Web Development/Programming] 2013
    Most Knowledgeable [GTA Series] 2011
    Best Debater 2010

#4

Posted 10 April 2012 - 02:24 AM

Basically, you need to understand a few things about how authentication works. There are several methods. The one used by forums relies on session ID tracking. When you open a log-in page, the browser sends you a cookie containing a session ID. Go to the cookie browser, and you'll quickly find it. When you send info to the page, it matches the session ID with information it already has. Once you log in, it marks that session ID as having logged in, and you no longer need to authenticate yourself in any other way than via the ID.

This has a number of vulnerabilities, but overall, it's a pretty solid system. If you want to write a script that retrieves information from a page you need to be logged in to, all you really need to do is set a cookie with the session ID and then run the request. Edmachine's links should help you with that. If you want to have the script log in automatically, you'll need to make sure that your script receives cookies along with the data, and keeps track of the session ID while you POST the user name and password.

By the way, a lot of forums allow the session ID to be passed as a GET parameter. I'm not sure about this one. You can experiment with it by disabling cookies and seeing if it works for you. However, a secure forum script will not allow you to pass the session ID via the GET method if you logged in with cookies. This has to do with the vulnerabilities mentioned earlier.
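
The server-side view of the post above, as an added example that is not part of the thread or of any forum's own code: PHP session settings that refuse a session ID passed outside the cookie, and a new ID issued at login. It assumes PHP 7.3 or later; the function names and the `user_id` session key are hypothetical.

```php
<?php
// Added example; function names and the 'user_id' key are hypothetical.

// Weak settings that let the session ID travel in URLs (shown for contrast):
//   session.use_only_cookies = 0
//   session.use_trans_sid    = 1
//   session.use_strict_mode  = 0

function start_hardened_session(): void
{
    ini_set('session.use_only_cookies', '1'); // ignore IDs sent via GET or POST
    ini_set('session.use_trans_sid', '0');    // never append the ID to links
    ini_set('session.use_strict_mode', '1');  // discard IDs this server did not issue
    session_set_cookie_params([
        'httponly' => true,  // not readable from page scripts
        'secure'   => true,  // sent over HTTPS only
        'samesite' => 'Lax', // not attached to cross-site POSTs
    ]);
    session_start();
}

// True when the request carries a session ID outside the cookie. A cookie-only
// site never produces such requests itself, so they are worth logging.
function has_url_session_id(array $get, array $post): bool
{
    $name = session_name(); // "PHPSESSID" unless reconfigured
    return isset($get[$name]) || isset($post[$name]);
}

// Call only after the user name and password have been verified.
function complete_login(int $userId): void
{
    session_regenerate_id(true); // new ID at login; the pre-login ID stops working
    $_SESSION['user_id'] = $userId;
}

start_hardened_session();
if (has_url_session_id($_GET, $_POST)) {
    error_log('Session ID supplied outside the cookie; ignored.');
}
```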

flotwig
    Lurk more.

  • Members
  • Joined: 12 Jun 2011

#5

Posted 15 April 2012 - 06:04 PM

Some forums are set up to allow search engine user agents to access member pages; you might want to try using a Googlebot user agent string before you go writing an authentication script with cURL.

nightwalker83
    Don't mind me

  • Members
  • Joined: 10 Oct 2004

#6

Posted 17 April 2012 - 12:31 AM

Wouldn't that be a huge security risk if you are accessing a protected area without entering the log-in details?

K^2
    Vidi Vici Veni

  • Moderator
  • Joined: 14 Apr 2004
  • United-States
  • Most Knowledgeable [Web Development/Programming] 2013
    Most Knowledgeable [GTA Series] 2011
    Best Debater 2010

#7

Posted 17 April 2012 - 01:07 AM

QUOTE (nightwalker83 @ Monday, Apr 16 2012, 20:31)
Wouldn't that be a huge security risk if you are accessing a protected area without entering the log-in details?

It is, if there is any sensitive information there. Private sections of the forum, however, more often than not are kept private simply to keep undesirables out, so it's not always a big deal if these pages are getting read by someone.



