There is a scrapebot-proof form. The login & password inputs have obfuscated name attributes:

```
<input id="login-username" name="r0pUsRqARu" value=""
       type="text" class="form-control" placeholder="Login">
```
Based on those inputs (incl. login and password values) and a hidden char input field, the hash value is generated client-side by JS functionality (md5.js).

```
$("#btn-login").click(function(){
    var ser = $( "#loginform" ).serialize();
    $.post("/post.php", ser+"&hash="+md5(ser), function(){
        location.replace("/logged.php");
    });
});
```
The form is serialized and is sent as POST xhr (ajax) to post.php for logging in (see the code above).
I want to write a PHP script to automatically log in through the form.
No problem with getting the form on server, fetching name attributes, pasting login/password values and requesting by POST xhr to /post.php with serialized string.

```
cV2sD3JzH2=login&3JX2zJ7QlC=password&char=%C2%AA&hash=...
```
Yet, since the hash is generated client-side by js (by md5.js), I can't generate hash server side by php... What's the way out?
Some thoughts:
- Transform md5.js into a server-side script and execute it to produce hash. How?
- Use AngularJS (or similar JS framework on server) to run md5.js on server to produce hash. Disclaimer: I'm not familiar with AngularJS.
Update
Sorry, I've presumptuously thought I could fetch the obfuscated name attribute values and char input value server-side. Yet, as RamRaider mentioned, without JavaScript enabled they are named *email* and *password*, and no hidden char input is in the HTML when JavaScript is disabled.
So, when fetching content with PHP cURL (no JS server-side), I have a clean form without hidden char input and unobfuscated name values, see it below (removed styling):

```
<form id="loginform" method="post" action="/post.php">
    <input id="login-username" type="text" name="email" value="" >
    <input id="login-password" type="password" name="password" >
    <a id="btn-login" href="#" class="btn btn-success">Login </a>
</form>
```
Again, JS tricks that are not available server-side. How can I fix it?
I was searching for JS inserting new attribute values somewhere, but in vain. It should be something like the following:

```
$('login-form').attr('name', <new value>);
```
It is not obvious where the `md5.js` that's being used there comes from or where the doc is for it. As such, you have these options:

I'd suggest you start with the first option since that's the easiest way to immediately tell whether they might be the same algorithm or not.
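
One way to test whether the page's `md5.js` is plain MD5, as an added example that is not part of the original question or answer: rebuild the serialized string byte for byte in PHP and hash it with the built-in `md5()`. The helper names are hypothetical, and the code assumes `md5.js` implements standard MD5 and that the form is serialized by jQuery's `.serialize()`; neither is confirmed by the page.

```php
<?php
// Added example (helper names are hypothetical). Assumes md5.js is standard MD5.

// Encode one name or value the way JavaScript's encodeURIComponent() does.
function js_encode_component(string $s, bool $plusForSpace): string
{
    // rawurlencode() also escapes ! ' ( ) *, which encodeURIComponent() leaves as-is.
    $enc = strtr(rawurlencode($s), [
        '%21' => '!', '%27' => "'", '%28' => '(', '%29' => ')', '%2A' => '*',
    ]);
    // jQuery before 3.0 rewrites %20 to "+"; jQuery 3.0 and later keep %20.
    return $plusForSpace ? str_replace('%20', '+', $enc) : $enc;
}

// Rebuild the string $("#loginform").serialize() yields, fields in document order.
function jquery_serialize(array $pairs, bool $plusForSpace = true): string
{
    $parts = [];
    foreach ($pairs as [$name, $value]) {
        // .serialize() normalizes line breaks inside values to CRLF before encoding.
        $value = preg_replace('/\r?\n/', "\r\n", $value);
        $parts[] = js_encode_component($name, $plusForSpace) . '='
                 . js_encode_component($value, $plusForSpace);
    }
    return implode('&', $parts);
}

// Sanity check against a well-known MD5 test vector before trusting any comparison.
if (md5('abc') !== '900150983cd24fb0d6963f7d28e17f72') {
    throw new RuntimeException('md5() did not return the standard digest');
}

// Field names and values taken from the sample string in the question.
$ser = jquery_serialize([
    ['cV2sD3JzH2', 'login'],
    ['3JX2zJ7QlC', 'password'],
    ['char', "\xC2\xAA"],   // UTF-8 bytes that serialize to %C2%AA
]);

echo $ser, "\n";
echo md5($ser), "\n";   // compare with md5(ser) evaluated in the browser console
```

If the two digests differ for the same input, either `md5.js` is not plain MD5 or the serialized strings are not byte-identical (space encoding, field order, or the characters `! ' ( ) *` are the usual causes).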