Grabbing protected content through cURL

Question

I'm currently developing a Dashboard for users that grabs graph data from another site. To get this graph, it requires you to be logged in.

The form I'm attempting to replicate contains this code:

<form method="POST" action="https://redacted/auth/login" accept-charset="UTF-8" id="loginform" name="loginform"><input name="_token" type="hidden" value="xyxRW0w8ZjHyP7ZvrCFygqcNkPZ37P35wh8NifuC">
    <table class="form spaceform">
        <tr>
            <td class='label'><label for="email">Email address:</label></td>
            <td><input name="email" type="text" id="email"></td>
        </tr>
        <tr>
            <td class='label'></td>
            <td>
                <input id="has_account_new" name="has_account" type="radio" value="new">
                <label for="has_account_new">I am a new customer</label><br />
                <input id="has_account_return" checked="checked" name="has_account" type="radio" value="return">
                <label for="has_account_return">I am a returning customer</label>
            </td>
        </tr>
        <tr>
            <td class='label'><label for="password">Password:</label></td>
            <td><input name="password" type="password" value="" id="password"></td>
        </tr>
        <tr>
            <td></td>
            <td><a href="https://redacted/auth/forgot">Forgot your password?</a></td>
        </tr>
        <tr>
            <td colspan='2' align='center' class='noborder'><br />
                <input type="submit" value="Login">
            </td>
        </tr>
    </table>
    <input name="_token" type="hidden" value="xyxRW0w8ZjHyP7ZvrCFygqcNkPZ37P35wh8NifuC">        
    <input type="hidden" name="page_transfer" value="0" />
</form>

and the PHP code I'm currently using to try and login and grab the graphs:

$username = 'demo@demo.com';
$password = 'demo';
$loginUrl = 'https://redacted/auth/login/';


$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $loginUrl);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, 'email='.$username.'&password='.$password.'&has_account=return&_token=PM2dY2hlbkPLvB97FyjL7cnPwryHXgfiex5050Iy&page_transfer=0');
curl_setopt($ch, CURLOPT_COOKIEJAR, 'cookie.txt');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);

$store = curl_exec($ch);

curl_setopt($ch, CURLOPT_URL, 'https://redacted/ucp/view-graph/157/0/1');

$content = curl_exec($ch);

curl_close($ch);

echo $content;

The current output is HTML redirecting me back to their login form which I'm guessing is because I'm missing something on the POST request. I'm also seeing tokens inside the login form which I'm unsure of, could this be something to-do with it?

Answer 1

After much playing around and help from alejandro the solution was to send a GET request to the page and gather the token, this mess of code below works just fine for what I need it for.

$url = $_GET['url'];
$rand = rand();
$ch = curl_init();

curl_setopt_array($ch, array(
    CURLOPT_URL => 'https://blank/auth/login',
    CURLOPT_RETURNTRANSFER => 1,
    CURLOPT_FOLLOWLOCATION => true,
));

$resp = curl_exec($ch);

$dom = new DOMDocument();
$dom->loadHTML($resp);
$xpath = new DOMXpath($dom);
$token = $xpath->query('//input[@name="_token"]');
$token = $token->item(0);
$token = $token->getAttribute('value');

$username = 'blank';
$password = 'blank';
$loginUrl = 'https://blank/auth/login';

curl_setopt($ch, CURLOPT_URL, $loginUrl);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, '_token='.$token.'&email='.$username.'&has_account=return&password='.$password.'&_token='.$token.'&page_transfer=0');

$store = curl_exec($ch);

curl_setopt($ch, CURLOPT_URL, 'https://blank/ucp/view-graph/157/0/1');

$content = curl_exec($ch);

curl_close($ch);

file_put_contents('bw.png', $content);

?>

Answer 2

Definitely. The server may be denying any login attempt not containing a token value issued by the same server. I suggest adding the token value to the posted fields.

Moreover, you should first get the login page in order to have a "fresh" token, then post with it. Let me add that you will probably be receiving some cookie after you do the get. That cookie you should send along in the post. I think curl does that by default if you don't close the handle.