Jump to content

PHP, cURL and loggin on to Joomla

kickstart

By kickstart
in PHP Coding Help

 Share

Recommended Posts

kickstart Member

kickstart

Posted
Posted

Hi

 

I am trying to knock up a script to create a userid and log someone into a Joomla based site. The script is running on the same server as the site (and is legitimate, not nefarious).

 

I can create an ID OK, and I can retrieve the login page, scrape the details (including the token) and submit the form.

 

When I do this the user is logged in according to the Joomla sessions table, but it has also created a 2nd guest session there. Navigating to the Joomla site (either manually or doing a header redirect) just takes you to the site as though you are not logged in.

 

Code as it stands (and code to deal with being passed user ids and passwords will change to be at least vaguely secure, just trying to get things to work now)

 

<?php
session_start();
session_regenerate_id();

require("configuration.php");

$ConfigDetails = new JConfig();

$dbms = $ConfigDetails->dbtype;
$dbhost = $ConfigDetails->host;
$dbname = $ConfigDetails->db;
$dbuser = $ConfigDetails->user;
$dbpasswd = $ConfigDetails->password;

$salt = 'somesalt';

$url = "http://localhost/joomla/index.php";
$IncomingUid = $_REQUEST['uid'];
$IncomingName = $_REQUEST['name'];
$IncomingPassword = $_REQUEST['pwd'];
$IncomingEmail = $_REQUEST['email'];


// Make the database connection.
$SurveyConn = mysql_connect($dbhost,$dbuser,$dbpasswd);

mysql_select_db($dbname,$SurveyConn) or die(mysql_error());

$sql = "SELECT * FROM ".$ConfigDetails->dbprefix."users WHERE username = '".mysql_real_escape_string($IncomingUid)."'";

$rs = mysql_query($sql) or die(mysql_error());

if ($row = mysql_fetch_assoc($rs)) 
{
if ($IncomingPassword == $row['password'])
{
}
}
else
{
$PasswordEncrypted = md5($IncomingPassword.$salt).':'.$salt;
$sqli = "INSERT INTO ".$ConfigDetails->dbprefix."users (id, name, username, email, password, usertype, block, sendEmail, registerDate, lastvisitDate, activation, params) VALUES(NULL, '".mysql_real_escape_string($IncomingName)."','".mysql_real_escape_string($IncomingUid)."','".mysql_real_escape_string($IncomingEmail)."','".mysql_real_escape_string($PasswordEncrypted)."','deprecated',0,1,NOW(), NOW(), '', '')";
$rs = mysql_query($sqli) or die(mysql_error()." $sqli");
$sqli = "INSERT INTO ".$ConfigDetails->dbprefix."user_usergroup_map (user_id, group_id) VALUES(".mysql_insert_id().", ";
$rs = mysql_query($sqli) or die(mysql_error()." $sqli");
}

$agent = "'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.6) Gecko/20060728 Firefox/1.5.0.6'";

$c1 = curl_init();
curl_setopt($c1, CURLOPT_URL, $url );
curl_setopt($c1, CURLOPT_SSL_VERIFYPEER, FALSE );
curl_setopt($c1, CURLOPT_RETURNTRANSFER, TRUE );
curl_setopt($c1, CURLOPT_VERBOSE, 1);
curl_setopt($c1, CURLOPT_COOKIEJAR, 'cookie.txt');
curl_setopt($c1, CURLOPT_COOKIEFILE, 'cookie.txt');
curl_setopt($c1, CURLOPT_USERAGENT, $agent );
curl_setopt($c1, CURLOPT_HEADER, TRUE );
curl_setopt($c1, CURLOPT_REFERER, $url1);
curl_setopt($c1, CURLOPT_POST, 1);

$html = curl_exec($c1);	

$dom = new DOMDocument();

$FormFieldsArray = array();
if (@$dom->loadHTML($html)) 
{
// yep, not necessarily valid-html...
$xpath = new DOMXpath($dom);

$nodeListInputs = $xpath->query('//input');
if ($nodeListInputs->length > 0) 
{
	$FormFieldsArray = array();
	for ($i=0 ; $i<$nodeListInputs->length ; $i++) 
	{
		$nodeInput = $nodeListInputs->item($i);
		$name = $nodeInput->getAttribute('name');
		$value = $nodeInput->getAttribute('value');
		$FormFieldsArray[$name] = $value;
	}
}
}
else 
{
// too bad...
}

if (count($FormFieldsArray) > 0)
{	
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url );
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE );
curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE );
curl_setopt($ch, CURLOPT_VERBOSE, 1);
curl_setopt($ch, CURLOPT_COOKIEJAR, 'cookie.txt');
curl_setopt($ch, CURLOPT_COOKIEFILE, 'cookie.txt');
curl_setopt($ch, CURLOPT_USERAGENT, $agent );
curl_setopt($ch, CURLOPT_HEADER, TRUE );
curl_setopt($ch, CURLOPT_REFERER, $url1);

// POST fields
$postfields = array();
foreach($FormFieldsArray AS $FormFieldName=>$FormFieldValue)
{
	switch ($FormFieldName)
	{
		case 'username' :
			$postfields['username'] = urlencode($IncomingUid);
			break;
		case 'passwd' :
			$postfields['passwd'] = urlencode($IncomingPassword);
			break;
		case 'password' :
			$postfields['password'] = urlencode($IncomingPassword);
			break;
		default :
			$postfields[$FormFieldName] = $FormFieldValue;
			break;
	}
}

curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $postfields);

$ret = curl_exec($ch);	

// Get logged in cookie and pass it to the browser
preg_match('/^Set-Cookie: (.*?);/m', $ret, $m);
$cookie = explode('=', $m[1]);
setcookie($cookie[0], $cookie[1]);
header("location:  ".$url);
}
//echo $ret;
?>

 

Any ideas?

 

All the best

 

Keith

Link to comment
Share on other sites
  • 9 months later...
frankieM Newbie

frankieM

Posted
Posted (edited)

Hi, I am having this same issue. Did you manage to make any progress?

 

 

I am using the following to scrape the Joomla login form and resubmit with the token. But I do not think the cookie is working properly as the print_r at the end just gives me thisArray ( [0] => ) Any thoughts about what else to check? My browser has cookies enabled.

<?php

$uname = $_POST['username'];

$upswd = $_POST['password'];

$url = "http://www.myJoomlaS...ser&view=login";

 

$ch = curl_init();

curl_setopt($ch, CURLOPT_URL, $url );

curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE );

curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE );

curl_setopt($ch, CURLOPT_COOKIESESSION, TRUE );

curl_setopt($ch, CURLOPT_COOKIEJAR, realpath('./cookie.txt'));

curl_setopt($ch, CURLOPT_COOKIEFILE, realpath('./cookie.txt'));

curl_setopt($ch, CURLOPT_HEADER, TRUE );

$ret = curl_exec($ch);

if (!preg_match('/name="([a-zA-z0-9]{32})"/', $ret, $spoof)) {

preg_match("/name='([a-zA-z0-9]{32})'/", $ret, $spoof);

}

 

// POST fields

$postfields = array();

$postfields['username'] = urlencode($uname);

$postfields['passwd'] = urlencode($upswd);

$postfields['option'] = 'com_user';

$postfields['task'] = 'login';

$postfields[$spoof[1]] = '1';

curl_setopt($ch, CURLOPT_POST, 1);

curl_setopt($ch, CURLOPT_POSTFIELDS, $postfields);

$ret = curl_exec($ch);

 

// Get logged in cookie and pass it to the browser

preg_match('/^Set-Cookie: (.*?);/m', $ret, $m);

$cookie=explode('=',$m[1]);

setcookie($cookie[0], $cookie[1]);

print_r($cookie);

Edited by frankieM
Link to comment
Share on other sites
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.