0

I'm using PHP to login into my microsoft account and perform an action or two. I've so far realised that you need a PPFT token as CSRF token to login into microsoft. I'm doing this:

$PPFT = file_get_contents('http://login.live.com');

preg_match('/id\="i0327" value\="(.*?)"\//', $PPFT, $key);

$ch = curl_init('https://login.live.com/ppsecure/post.srf');
$query = http_build_query(array('login' => 'MY_EMAIL_ADDRESS@gmail.com', 'passwd' => '_MY_EMAIL_ADDRESS_PASSWORD', 'PPFT' => "{$key[1]}"));
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_NOBODY, 1);
curl_setopt($ch, CURLOPT_HEADER, 1);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); // for https
curl_setopt($ch, CURLOPT_POSTFIELDS, $query);
curl_setopt($ch, CURLOPT_HTTPHEADER, array('User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.111 Safari/537.36','Origin: https://login.live.com','Content-Type: application/x-www-form-urlencoded; charset=UTF-8','Referer: https://login.live.com/'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);

$result = curl_exec($ch);

curl_close($ch);

var_dump($result);

It gives me:

string(512) "HTTP/1.1 200 OK
Cache-Control: max-age=0
Content-Length: 6777
Content-Type: text/html; charset=utf-8
Expires: Fri, 20 Feb 2015 15:33:19 GMT
Server: Microsoft-IIS/8.5
P3P: CP="DSP CUR OTPi IND OTRi ONL FIN"
X-XSS-Protection: 0
X-Content-Type-Options: nosniff
Set-Cookie: MSPOK=$uuid-49105e9d-c262-4b46-9fa7-710d3058e6fe; domain=login.live.com;secure= ;path=/;HTTPOnly= ;version=1
X-Frame-Options: deny
PPServer: PPV: 30 H: BAYIDSLGN1B021 V: 0
Date: Fri, 20 Feb 2015 15:34:19 GMT
Connection: close

which is certainly not OK.

If you are complaining about more headers, then see this image.

Using jquery (javascript). I can login into my own account by running this javascript on https://login.live.com

x = document.createElement('script');
x.src = 'https://ajax.googleapis.com/ajax/libs/jquery/1.11.2/jquery.min.js';
document.body.appendChild(x);

$.post('https://login.live.com/ppsecure/post.srf', 
{ 
login: 'MY_EMAIL_ADDRESS@gmail.com', 
passwd : 'MY_PASSWORD', 
PPFT : 'Cke!8IRbHV6V95QHkcbjUrMQWetwe7vQchGSnm1*l8NpcMMCeTqAGLZ8xjeFF7NzHJ3enl6ycLRUn0iCgoncbOPyLNPozOq2miY33O0TKGMRZWm70T*7PyslhBIJxvHumMpWH7tbEcIU0HRWs7cgdchinYgQzt85aoktbtrJTTz72Vo5qltscLxChJeOZ73mcg$$' 
}, 
function(data, status, xhr) { console.log(data+"\n"+status+"\n"+xhr.getAllResponseHeaders()); 
});

And it works fine. Check this screenshot:

enter image description here

But on PHP, it simply looks like microsoft knows that I'm using PHP. Howcome I can login with javascript $.post request but not PHP? Is this because I'm requesting the PPFT token from file_get_contents and POSTing data with cURL? But the HTML of cURL has same tokens as of file_get_contents(). So what's wrong?

  • Please help me. I'm struck in this since 4 hours! :(
Community
  • 1
  • 1
mehulmpt
  • 15,861
  • 12
  • 48
  • 88
  • 1
    All I can say is; see Server-Side scenerios on how to access Windows Live: https://msdn.microsoft.com/en-us/library/hh243649.aspx .. – Brett Caswell Feb 20 '15 at 15:59
  • disregard the Php sample I referenced and edited out in the previous comment.. the Sample folder was empty.. – Brett Caswell Feb 20 '15 at 16:01
  • I'm pretty sure that wouldn't be in a documentation as this is a hell new thing and microsoft don't have that api to authenticate accounts like dropbox does. That's why I'm using curl. – mehulmpt Feb 20 '15 at 16:03

1 Answers1

1

It looks like you are missing the redirect in the Curl. jQuery is in the browser so it will automatically follow the redirect. Curl on the other hand by default does NOT follow redirects.

Add this to your PHP curl request and give us the result

curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);

Follow up.

I've tried to do this a variety of ways and it does not seem to be working. I even fetched the entire page for the login, displayed it on my server, and then filled it in correctly and submitted and it gets rejected for bad login credentials.

My guess is that Microsoft is checking the remote client address and making sure that the submission is actually coming from a microsoft login webserver and not just anywhere. This seems very reasonable to me.

If my assumption above is correct then you will need to use something more like a crawler to get to the content. Most microsoft sites I visit are javascript heavy, which means you need a javascript enabled crawler. That's gonna have to be a new question. Here's a link to a question about that Make a JavaScript-aware Crawler or this one Web crawler Parsing PHP/Javascript links?

Community
  • 1
  • 1
greg_diesel
  • 2,955
  • 1
  • 15
  • 24
  • 1
    No. I'm outputting the headers. If there were a redirect, then there would be a `Location` header set in the output of the headers. But there isn't. If the code is successfully logged in, then it gives 302 Found header. But it gives 200 OK with PHP and 302 Found with javascript. – mehulmpt Feb 20 '15 at 16:17
  • (Maybe CURL *is* doing the follow automatically then? XHR/$.post does not AFAIK.) – user2864740 Feb 20 '15 at 16:19
  • My first login attempt returns a 200 (in the browser) not a 302. The 2nd request the browser made was https://account.live.com/?mkt=EN-US&lc=10331&id=389361&wa=wsignin1.0 and returned a 302 – greg_diesel Feb 20 '15 at 16:37