2017-06-13 48 views
0

CSRF verification failed when using cURL (divar)

I am trying to fetch the content of divar.com via cURL, but I get the error "CSRF verification failed. Request aborted."

Browser request

Accept:application/json, text/javascript, */*; q=0.01 
Accept-Encoding:gzip, deflate, br 
Accept-Language:en-US,en;q=0.8 
Connection:keep-alive 
Content-Length:107 
Content-Type:application/x-www-form-urlencoded; charset=UTF-8 
Cookie:did=MEcBYcwueB4uxA; submitButtonColor=green-colored; _ga=GA1.2.835389468.1497328087; _gat=1; csrftoken=9By33xqnFS5JH5qRHuDVyZg7ZU7M1b4Z; sessionid=q7sm28egcbdpuxrchfxgs01bqg6j1pfw 
Host:divar.ir 
Origin:https://divar.ir 
Referer:https://divar.ir//guard/captcha_simple/?token=helper.py:wrapper_func 
User-Agent:Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 
X-Requested-With:XMLHttpRequest 

Form data

captcha_input:649 
guard_token:helper.py:wrapper_func 
csrfmiddlewaretoken:9By33xqnFS5JH5qRHuDVyZg7ZU7M1b4Z 

PHP code

function getWebPageSsl($url, $param = NULL)
{
    $headers = array();
    $headers[] = 'Accept:application/json, text/javascript, */*; q=0.01';
    $headers[] = 'Accept-Encoding:gzip, deflate, br';
    $headers[] = 'Accept-Language:en-US,en;q=0.8';
    $headers[] = 'Connection:Keep-Alive';
    $headers[] = 'Content-Type:application/x-www-form-urlencoded; charset=UTF-8';
    $headers[] = 'Origin:https://divar.ir';
    $headers[] = 'X-Requested-With:XMLHttpRequest';

    $useragent = 'Mozilla/5.0 (iPhone; U; CPU iPhone OS 4_3_3 like Mac OS X; en-us) AppleWebKit/533.17.9 (KHTML, like Gecko) Version/5.0.2 Mobile/8J2 Safari/6533.18.5';
    $options = array(
        CURLOPT_HTTPHEADER     => $headers,
        CURLOPT_RETURNTRANSFER => true,       // return the page instead of printing it
        CURLOPT_POST           => ($param) ? true : false,
        CURLOPT_ENCODING       => "",         // accept all encodings curl supports
        CURLOPT_USERAGENT      => $useragent, // who am i
        CURLOPT_CONNECTTIMEOUT => 120,        // timeout on connect
        CURLOPT_TIMEOUT        => 120,        // timeout on response
        CURLOPT_MAXREDIRS      => 10,         // stop after 10 redirects
        CURLOPT_SSL_VERIFYPEER => true,       // verify the server certificate against CURLOPT_CAINFO
        CURLOPT_SSL_VERIFYHOST => 2,          // also verify the certificate's host name (1 is not a valid value)

        CURLOPT_COOKIEJAR      => __DIR__.DIRECTORY_SEPARATOR.'cookies.txt',
        CURLOPT_COOKIEFILE     => __DIR__.DIRECTORY_SEPARATOR.'cookies.txt',
        CURLOPT_CAINFO         => __DIR__.DIRECTORY_SEPARATOR.'CertumTrustedNetworkCA.crt',
        CURLOPT_REFERER        => 'http://www.google.com'
    );

    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt_array($ch, $options);

    curl_setopt($ch, CURLINFO_HEADER_OUT, true); // keep the outgoing headers for curl_getinfo()

    if ($param) {
        // the body is sent json_encode()d while the header list above declares
        // application/x-www-form-urlencoded; curl sets Content-Length itself
        curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($param));
    }
    $content = curl_exec($ch);
    $last = curl_getinfo($ch);
    curl_close($ch);

    return $content;
}

curl_getinfo response

array(27) { 
    ["url"]=> 
    string(38) "https://divar.ir/guard/captcha_simple/" 
    ["content_type"]=> 
    string(9) "text/html" 
    ["http_code"]=> 
    int(403) 
    ["header_size"]=> 
    int(288) 
    ["request_size"]=> 
    int(833) 
    ["filetime"]=> 
    int(-1) 
    ["ssl_verify_result"]=> 
    int(0) 
    ["redirect_count"]=> 
    int(0) 
    ["total_time"]=> 
    float(0.265) 
    ["namelookup_time"]=> 
    float(0) 
    ["connect_time"]=> 
    float(0.046) 
    ["pretransfer_time"]=> 
    float(0.171) 
    ["size_upload"]=> 
    float(107) 
    ["size_download"]=> 
    float(545) 
    ["speed_download"]=> 
    float(2056) 
    ["speed_upload"]=> 
    float(403) 
    ["download_content_length"]=> 
    float(-1) 
    ["upload_content_length"]=> 
    float(107) 
    ["starttransfer_time"]=> 
    float(0.265) 
    ["redirect_time"]=> 
    float(0) 
    ["redirect_url"]=> 
    string(0) "" 
    ["primary_ip"]=> 
    string(14) "79.175.191.253" 
    ["certinfo"]=> 
    array(0) { 
    } 
    ["primary_port"]=> 
    int(443) 
    ["local_ip"]=> 
    string(11) "192.168.1.5" 
    ["local_port"]=> 
    int(56034) 
    ["request_header"]=> 
    string(726) "POST /guard/captcha_simple/ HTTP/1.1 
User-Agent: Mozilla/5.0 (iPhone; U; CPU iPhone OS 4_3_3 like Mac OS X; en-us) AppleWebKit/533.17.9 (KHTML, like Gecko) Version/5.0.2 Mobile/8J2 Safari/6533.18.5 
Host: divar.ir 
Referer: http://www.google.com 
Cookie: _ga=GA1.2.835389468.1497328087; _gat=1; csrftoken=N9CiDEDm1hPrbfrHBdAHDGGvloc1hyMC; did=ee2WWcXnUvswNA; sessionid=qe5zgp8mwh44pgc6tt0vnf06kvj08f71; submitButtonColor=green-colored 
Accept:application/json, text/javascript, */*; q=0.01 
Accept-Encoding:gzip, deflate, br 
Accept-Language:en-US,en;q=0.8 
Connection:Keep-Alive 
Content-Type:application/x-www-form-urlencoded; charset=UTF-8 
Origin:https://divar.ir 
X-Requested-With:XMLHttpRequest 
Content-Length: 107 

" 
} 

But I get this error:

Forbidden (403)

CSRF verification failed. Request aborted.

+0

What content are you trying to fetch? As a test, I had no problem fetching the names of all their products, code: http://paste.debian.net/971274/ – hanshenrik
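The 403 page in the question is the wording of Django's CSRF middleware, and the check it applies can be reproduced offline. The model below is an added example written for this page (it is not code from the question, from the answer, or from divar.ir, and it is a simplified re-implementation of Django's check rather than Django's own code). It runs the check over two requests constructed from what the question shows: the browser request (headers and form data as captured) and the cURL request (cookie and Referer taken from the `request_header` in the curl_getinfo dump, body as the posted function builds it with `json_encode`). The field names and reason strings follow Django 1.x; the `X-CSRFToken` header fallback is Django's documented alternative to the form field.

```python
import hmac
import json
from urllib.parse import parse_qs, urlsplit

# Reason strings modelled on Django's CsrfViewMiddleware (simplified, not Django's code).
REASON_NO_COOKIE = "CSRF cookie not set."
REASON_NO_REFERER = "Referer checking failed - no Referer."
REASON_BAD_REFERER = "Referer checking failed - {} does not match any trusted origins."
REASON_BAD_TOKEN = "CSRF token missing or incorrect."


def parse_cookies(header):
    """Turn 'a=1; b=2' into a dict; a later duplicate name wins."""
    out = {}
    for part in header.split(";"):
        if "=" in part:
            name, _, value = part.strip().partition("=")
            out[name] = value
    return out


def form_fields(content_type, body):
    """Return form fields only when the body is declared as a urlencoded form.

    The body is parsed as the declared type says, so a JSON document sent under
    application/x-www-form-urlencoded yields one meaningless key and no token.
    """
    if content_type.split(";")[0].strip().lower() != "application/x-www-form-urlencoded":
        return {}
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def csrf_check(req):
    """Return the reasons a request would be rejected; an empty list means it passes."""
    headers = {k.lower(): v for k, v in req["headers"].items()}
    cookies = parse_cookies(headers.get("cookie", ""))
    cookie_token = cookies.get("csrftoken")
    if cookie_token is None:
        return [REASON_NO_COOKIE]          # nothing to compare against, stop here
    reasons = []
    if req["scheme"] == "https":
        # Strict Referer check on HTTPS: must be present, https, and point at this host.
        referer = headers.get("referer")
        if not referer:
            reasons.append(REASON_NO_REFERER)
        else:
            ref = urlsplit(referer)
            if ref.scheme != "https" or ref.netloc != req["host"]:
                reasons.append(REASON_BAD_REFERER.format(referer))
    fields = form_fields(headers.get("content-type", ""), req["body"])
    request_token = fields.get("csrfmiddlewaretoken") or headers.get("x-csrftoken", "")
    # Double-submit comparison in constant time: form/header token must equal the cookie.
    if not hmac.compare_digest(request_token, cookie_token):
        reasons.append(REASON_BAD_TOKEN)
    return reasons


# Requests constructed from the question's captures (values copied from the page).
BROWSER_TOKEN = "9By33xqnFS5JH5qRHuDVyZg7ZU7M1b4Z"      # csrftoken cookie and form field in the browser
CURL_COOKIE_TOKEN = "N9CiDEDm1hPrbfrHBdAHDGGvloc1hyMC"  # csrftoken in the cURL cookie jar

BROWSER_REQUEST = {
    "scheme": "https", "host": "divar.ir",
    "headers": {
        "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
        "Cookie": "did=MEcBYcwueB4uxA; submitButtonColor=green-colored; _ga=GA1.2.835389468.1497328087; "
                  "_gat=1; csrftoken=" + BROWSER_TOKEN + "; sessionid=q7sm28egcbdpuxrchfxgs01bqg6j1pfw",
        "Referer": "https://divar.ir//guard/captcha_simple/?token=helper.py:wrapper_func",
    },
    "body": "captcha_input=649&guard_token=helper.py%3Awrapper_func&csrfmiddlewaretoken=" + BROWSER_TOKEN,
}

# The posted PHP function sends json_encode($param) under a form content type, carries the
# browser's token in that body although its own cookie jar holds a different csrftoken, and
# sends http://www.google.com as Referer (all three visible in the question).
CURL_REQUEST = {
    "scheme": "https", "host": "divar.ir",
    "headers": {
        "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
        "Cookie": "_ga=GA1.2.835389468.1497328087; _gat=1; csrftoken=" + CURL_COOKIE_TOKEN +
                  "; did=ee2WWcXnUvswNA; sessionid=qe5zgp8mwh44pgc6tt0vnf06kvj08f71; submitButtonColor=green-colored",
        "Referer": "http://www.google.com",
    },
    "body": json.dumps({"captcha_input": "649", "guard_token": "helper.py:wrapper_func",
                        "csrfmiddlewaretoken": BROWSER_TOKEN}),
}

if __name__ == "__main__":
    for name, req in (("browser", BROWSER_REQUEST), ("curl", CURL_REQUEST)):
        print(name, csrf_check(req) or "accepted")
```

Running it accepts the browser request and rejects the cURL one for two independent reasons: the Referer is not an https URL on the request host, and no `csrfmiddlewaretoken` field can be read from a JSON body parsed as a urlencoded form, so the token compared against the cookie is empty. Fixing the body encoding alone would still fail on this server, because the token in the body (the browser's) would not equal the token in the cURL cookie jar; the cookie and the submitted token have to come from the same session.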

Answer

0

Add this to the constructor

$this->middleware('auth')->except('getWebPageSsl'); 

With this, the middleware will not try to verify you via the CSRF token. getWebPageSsl is the name of the PHP function.

+0

Laravel code $this->middleware('auth')->except('getWebPageSsl'); but I am in plain PHP –

+0

Your token 9By33xqnFS5JH5qRHuDVyZg7ZU7M1b4Z may be invalid, or the field name in the form may be wrong ("csrfmiddlewaretoken") – User123123

0

It looks like the token is correct, there is no problem there