I want to fill a form on a webpage to send some files via the command line instead of using the browser. I found cURL could do that for me but I’m not sure how. Besides that, I found out the "authenticity_token" changes for every request. How would I successfully authenticate and post my files?
I stripped down the html code to present only the inputs, see below. Thanks for having a look.
<form action="https://XXXXXXXX.com/aspera/faspex/test/dropbox_submissions" class="well form-horizontal form-horizontal-small-labels" id="send" method="post"><div style="margin:0;padding:0;display:inline"><input name="authenticity_token" type="hidden" value="cU/zhZKnbjk90v57Phmdgewq97lKclj63MtzfCHhEqc=" /></div>
<input id="dropbox_id" name="dropbox[id]" type="hidden" value="738" />
<input id="passcode" name="passcode" type="hidden" value="1738d1bc02755019655dd424Xf2717f1c8a7c579" />
<input id="delivery_title" maxlength="100" name="delivery[title]" size="100" type="text" value="" />
<input id="fileupload" multiple="multiple" name="file" type="file" />
<input id="delivery_source_paths_list" name="delivery[source_paths_list]" type="hidden" />
<input class="btn large primary" data-prompt_password="true" disabled="disabled" id="send_button" name="commit" type="submit" value="Send Package" />
<label>Passphrase:</label>
<input autocomplete="off" id="password" type="password" />
<label>Confirmation:</label>
<input autocomplete="off" id="password_confirmation" type="password" />
</form>
This seems to be an IBM Aspera Faspex submission page.
In fact the actual file transfer will be done using IBM Aspera FASP protocol (free on client side).
You can use the following free client which will allow you to send to faspex, using either an authenticated access or a public access (with passcode in url):
https://www.rubydoc.info/gems/asperalm
example:
mlia faspex package send --link='https://faspex.org.com/aspera/faspex/external/dropbox_submissions/new?passcode=xxx123xxx.........' --delivery-info=#json:'{"title":"my title"}' /path/to/files
This looks like a CSRF defence.
You need to make two requests and use a cookie jar to store cookies between them.
The first request you'll need to run through an HTML parser (e.g. pup) to extract the authenticity_token.
Then you'll need to make a second request and use the data and cookie jar from the first.
You can open debugger in any browser (developer mode) to demonstrate a html form and capture network request and copy it as curl.
Destination host must exist though since you need some response from the POST action.
This is what I got from my chrome browser.
curl 'https://XXXXXXXX.com/aspera/faspex/test/dropbox_submissions' -X POST \
-H 'Connection: keep-alive' \
-H 'Cache-Control: max-age=0' -H 'Upgrade-Insecure-Requests: 1' -H 'Origin: null' \
-H 'Content-Type: application/x-www-form-urlencoded' \
-H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36' \
-H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3' \
-H 'Accept-Encoding: gzip, deflate' \
-H 'Accept-Language: en-US,en;q=0.9,ko;q=0.8,la;q=0.7' \
--data 'authenticity_token=cU%2FzhZKnbjk90v57Phmdgewq97lKclj63MtzfCHhEqc%3D&dropbox%5Bid%5D=738&passcode=1738d1bc02755019655dd424Xf2717f1c8a7c579&delivery%5Btitle%5D=&file=&delivery%5Bsource_paths_list%5D=' --compressed --insecure
Related
I have this curl command to send alerts to TEAMS and it works fine:
system"curl -H 'Content-Type: application/json' -d '{\"text\" : \"Hello World\"}' https://<link to webhook>"
I wanted to use .Q.hp instead just to keep things in KDB and I constructed this one :
.Q.hp["https://<link to webhook>";.h.ty`json] .j.j enlist[`text]!enlist"Hello World"
and I get the following error :
"<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
</p>
</body></html>
"
Any ideas why the .Q.hp is not working?
I have an issue Im hoping to get help with. I am trying to interact directly with a website by making requests directly to an endpoint instead of using the site itself. I started by capturing three basic requests, Login, Logout, and submitting some data. I did the standard process of going into the Chrome inspect panel and copying the logged request as a CURL statement. It looks like this for the following commands....
Login
curl 'https://thewebsite.org/login' \
-H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9' \
-H 'Accept-Language: en-US;q=0.7' \
-H 'Cache-Control: max-age=0' \
-H 'Connection: keep-alive' \
-H 'Content-Type: application/x-www-form-urlencoded' \
-H 'Cookie: symfony=0d5784ap6ogee0r1nba4446krftdqug9kq6jotmqecp9lmip7b10' \
-H 'Origin: https://thewebsite.org' \
-H 'Referer: https://thewebsite.org/index.php/en' \
-H 'Sec-Fetch-Dest: document' \
-H 'Sec-Fetch-Mode: navigate' \
-H 'Sec-Fetch-Site: same-origin' \
-H 'Sec-Fetch-User: ?1' \
-H 'Sec-GPC: 1' \
-H 'Upgrade-Insecure-Requests: 1' \
-H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36' \
--data-raw 'login=the_user&password=the_password' \
--compressed
This seems to work both in Insomnia and via command line using CURL.
However, the Logout and the submission of the edited data do not work at all. I will get a success response back on both but the edited data is not actually saved the next time I view it and in regards to the logout functionality it is not ultimately successful either because I have to let the login timeout to login via a browser again (this happens because the user was not properly logged out on this site).
Logout
curl 'https://thewebsite.org/logout' \
-H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9' \
-H 'Accept-Language: en-US;q=0.7' \
-H 'Connection: keep-alive' \
-H 'Cookie: symfony=6hpsjifjnem8v0r7pfb5rr22fkdr9th115t01c05p8cfss9mrle1' \
-H 'Referer: https://thewebsite.org/thelink' \
-H 'Sec-Fetch-Dest: document' \
-H 'Sec-Fetch-Mode: navigate' \
-H 'Sec-Fetch-Site: same-origin' \
-H 'Sec-Fetch-User: ?1' \
-H 'Sec-GPC: 1' \
-H 'Upgrade-Insecure-Requests: 1' \
-H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36' \
--compressed
I'd also add that in Chrome dev tools that the response code appears as 302. I tried disabling redirects and get a 302 back when I do that as opposed to a 200 but it makes no difference in terms of it behaving as it does in the browser.
Im really not sure what else to try, if anyone has any comments or suggestions I would be grateful. This is my first question, so if I left out some needed data I will gladly post it. Thank you!
I need to send a Calendar file (ICS) from the REST Api but i can`t.
Nevertheless, I could send a jpg file. In this article Twilio staff announced that users can send
images and videos, but also PDFs, text files, and audio files using the Twilio API for WhatsApp.
This is my call with JPG file that attach the media in a whatsapp message OK:
curl -X POST \
https://api.twilio.com/2010-04-01/Accounts/ACYYYYYYYYYYYYYYYYY/Messages.json \
-H 'authorization: Basic
XXXXXXXXXXXXX' \
-H 'cache-control: no-cache' \
-H 'content-type: application/x-www-form-urlencoded' \
-H 'postman-token: 58fa6aca-3b92-66d4-f675-9906bed37302' \
-d 'To=whatsapp%3A%2BXXXXXXXX&From=whatsapp%3A%2BYYYYYYY&Body=Hola%20probando2&MediaUrl=https%3A%2F%2Flh4.googleusercontent.com%2F-nbafRpNzZAc%2FWjHLp8y3NOI%2FAAAAAAAAAAA%2Fc8CSoPlcgcAazvZFKSU3uYxwo3HZ7FVewCOQCEAE%2Fs128-c-k%2Fphoto.jpg%0A'
When i substitute MediaUrl path with a txt file path or ics file, the message wasn't attach the file:
for example something like this:
curl -X POST \
https://api.twilio.com/2010-04-01/Accounts/ACYYYYYYYYYYYYYYYYY/Messages.json \
-H 'authorization: Basic
XXXXXXXXXXXXX' \
-H 'cache-control: no-cache' \
-H 'content-type: application/x-www-form-urlencoded' \
-H 'postman-token: 58fa6aca-3b92-66d4-f675-9906bed37302' \
-d 'To=whatsapp%3A%2BXXXXXXXX&From=whatsapp%3A%2BYYYYYYY&Body=Hola%20probando2&MediaUrl=https:%2F%2Faaa.bbb.com%2Fccc%2Fcalendar.ics%0A'
Below is a list of supported file types, I don't see the files you are trying to send as supported types for the underlying WhatsApp Business API.
Sending and Receiving Media with WhatsApp Messaging on Twilio (Beta)
I'm trying to login to this page using curl. The page uses authentication via html forms so http auth using curl --user name:password is not working in this case. I've found this post where is mentioned that one should search for
action= attribute under <form> to obtain correct address where to send data. The snippet from mentioned page looks following:
<form id="si_signinform" name="signinform" method="post" action="https://www.criticker.com/authenticate.php">
<input class="si_input" name="si_username" id="si_input_uname" value="" autocapitalize="none" type="text">
<input class="si_input" name="si_password" id="si_input_pswd" value="" type="password">
<input name="goto" value="https://www.criticker.com/signout.php" type="hidden">
<p id="submit"><input id="si_submit" name="si" value="Go" type="submit"></p>
I've also find this post which says that some attributes might be hidden when the are send to server (seems that this is my case because of "goto" and "si" parameters as shown on screenshots)
So here are steps I did:
I've logged to page via Firefox
I've check HTTP parameters via Developer Tools (see screenshots)
I've issued following curl command to login curl -L -X POST -F 'si_uername=wakatana' -F 'si_password=$PASWORD' -F 'goto=https://www.criticker.com/signout.php' -F 'si=Go' -c cookiefile.txt http://www.criticker.com/authenticate.php
Then I've issued following curl command to check whether I'm logged successfully curl -L -b cookiefile.txt https://www.criticker.com/
When I login from Firefox I can see my username in upper right of page.
But when I issue one of the curl commands and grep the returned content for username there is no such string. Based on this I deduce that authentication was not successful. But when login via Firefox and use "Copy as cURL" function as stated here I got this:
curl "https://www.criticker.com/" -H "Host: www.criticker.com" -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0" -H "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8" -H "Accept-Language: en-US,en;q=0.5" --compressed -H "Referer: https://www.criticker.com/signin.php" -H "Cookie: PHPSESSID=SOME_VALUES_GOES_HERE; gid2=SOME_VALUES_GOES_HERE; uid2=SOME_VALUES_GOES_HERE -H "Connection: keep-alive" -H "Upgrade-Insecure-Requests: 1" -H "DNT: 1"
and it works. The problem is that I need to first login wit Firefox and then issue curl.
How can I use curl to login to page which is using forms? Please note I'm looking for some general hints which I can apply to any page (e.g. using proxy, sniffers etc.). I'm not primary interested in this site (but I'm interesting why the curl commands does not work). It is just example which uses form for authentication, if there is some playground for testing such curl commands please let me know. Thank you
Your cURL command is incorrect. Typo in si_username and missing the S in https for the authentication page. Also, in the "goto" you are putting the singout page instead of the main page (or some other page).
Try with:
curl -L -F 'si_username=name' -F 'si_password=xxx' -F 'goto=https://www.criticker.com/' -F 'si=Go' -c cookiefile.txt https://www.criticker.com/authenticate.php
You may not even need the goto and Go fields:
curl -L -F 'si_username=name' -F 'si_password=xxx' -c cookiefile.txt https://www.criticker.com/authenticate.php
I want to restart my Fritz!Box 7390 using wget.
The webinterface has got a reboot form which looks like this:
<form action="/system/reboot.lua" method="POST">
<div id="btn_form_foot">
<input type="hidden" name="sid" value="beb5683181c2ab9f">
<button type="submit" name="reboot">Neu starten</button>
</div>
</form>
I want to submit this form. So far i tried it like this, but it does not seem to work:
wget --post-data "sid=beb5683181c2ab9f" "http://fritz.box/system/reboot.lua"
The sid seems to change everytime i load the page.
But im not sure if thats the issue, cause i can fix the sid by adding ?sid=example to the url
You can't just POST to that url alone. You first need to get a valid session id. This can be done by doing a GET request on http://fritz.box/checklogin.lua and grabbing it from the LOCATION header value. Then you can use this to post to the http://fritz.box/system/reboot.lua including the session id.
Here are the minimal steps to automate it:
SID=$(curl -s -I "http://fritz.box/logincheck.lua" | grep -Fi Location | awk -F'[=]' '{print $2}')
SID=$(curl -s -i -H "Content-Type: application/x-www-form-urlencoded" -H "Origin: http://fritz.box" -H "Referer: http://fritz.box/system/reboot.lua\?sid\=$SID" --data "reboot=&sid=$SID" -L http://fritz.box/system/reboot.lua | grep -Fi Location | awk -F'[=]' '{print $2}')
curl -s http://fritz.box/reboot.lua?ajax=1&sid=$REBOOT_SID
I've created a little script with some extra checks that you can find hereYou can find the complete script including check here at: http://git.io/v3zQs
Suggestions what the steps are for the current software (v7.20+)?
Preferably for router that is password protected.
I tried to update it to use the recent path using the Chrome dev tools info.
It gives a statuscode 200 and response: {"reboot_state":"extern"}.
But no restart.
Chrome Developer Tools says the url when pressing the Restart button in the UI is:
curl 'http://fritz.box/reboot.lua' \
-H 'Connection: keep-alive' \
-H 'Pragma: no-cache' \
-H 'Cache-Control: no-cache' \
-H 'User-Agent: Mozilla/5.0 (...) Chrome/86.0.4240.111 Safari/537.36' \
-H 'DNT: 1' \
-H 'Content-Type: application/x-www-form-urlencoded' \
-H 'Accept: */*' \
-H 'Origin: http://fritz.box' \
-H 'Referer: http://fritz.box/' \
-H 'Accept-Language: en,en-US;q=0.9,nl;q=0.8,de;q=0.7,la;q=0.6' \
--data-raw 'ajax=1&sid=1fd4370b50b14b07&no_sidrenew=1&xhr=1&useajax=1' \
--compressed \
--insecure
(sid obviously changes after each login)