linux curl redirection and authorization

Question

i want access page require email and password so i did this command

 curl -d 'email=myemail@gmail.com' -d 'password=mypass' -L https://dashboard.ngrok.com/get-started

but it still gaves me gaves this message in command line :

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<title>400 Bad Request</title>
<h1>Bad Request</h1>
<p>CSRF token missing or incorrect.</p>

so what should my command to be

@tripleee you are wrong, a quick inspection of the site reveals that the login mechanism of this site is nothing like the login mechanism of the site of the question you marked as a duplicate, here you need to parse it out of the HTML. you can't use grep to parse html either, as grep won't translate specialchars; correctly, thus you need a HTML parser to reliably parse out the token — hanshenrik, Nov 15 '17 at 11:34

score 0 · Answer 1 · answered Nov 15 '17 at 10:41

0

The login page at https://dashboard.ngrok.com/get-started has an additional hidden input named csrf_token:

<input name="csrf_token" value="1510745795.39##72db755c23c0d0bdf5e81bc77495f131d81a84b2" type="hidden">

You would have to first open the page with the login form, parse out the token, and send it as additional post field. See also the question that @Aserre suggested as a duplicate.

answered Nov 15 '17 at 10:41

Karsten Koop

2,475
1
18
23

also note that this csrf token is tied to the cookie session id, and useless without it – hanshenrik Nov 15 '17 at 11:33

abdullah · Accepted Answer · 2017-11-28T10:20:36.350

i did it by my self thank god first thing we get first session by this command without loginin :

#!/bin/bash

read -p "tupe your email: " EMAIL1
read -p "type your password: " PASS1
EMAIL=$(echo "$EMAIL1" | sed 's/\@/\%40/g')
PASS=$(echo "$PASS1" | sed 's/\@/\%40/g')

tempfile1=$(mktemp /tmp/foobar.$$.XXXXXXXXXX)
tempfile2=$(mktemp /tmp/foobar.$$.XXXXXXXXXX)

curl -s  'https://dashboard.ngrok.com/user/login' -c -|  grep  "csrf\|session" \
| awk '/csrf_token/{print $4};/session/{print $6 "=" $7}' | sed 's/value=/csrf_token=/g;s/\"//g;s/\#/\%23/g' > $tempfile1

SESSION=$(cat  $tempfile1 | grep "session")
TOKEN=$(cat $tempfile1 | grep "csrf_token=" | sed 's/csrf_token=//g')

curl  -i -s -k  -X 'POST' \
-H 'User-Agent: Mozilla/5.0 \
(X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0' \
-H 'Referer: https://dashboard.ngrok.com/user/login' \
-H 'DNT: 1' -H 'Upgrade-Insecure-Requests: 1' \
-H 'Content-Type: application/x-www-form-urlencoded' \
-b ''"$SESSION"'' \
--data-binary $'email='"$EMAIL"'&password='"$PASS"'&csrf_token='"$TOKEN"'' \
'https://dashboard.ngrok.com/user/login' \
| awk '/session/{print $2}' > $tempfile2

 SESSION2=$(cat $tempfile2)


AUTHOR=$(curl -i -s -k  -X 'GET' \
-H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) \ Gecko/20100101 Firefox/52.0'\
-H 'DNT: 1' -H 'Upgrade-Insecure-Requests: 1' \
-b ''"$SESSION2"'' \
'https://dashboard.ngrok.com/get-started'| grep "ngrok\ authtoken" \
 |grep -o -P '(?<=authtoken).*(?=\<\/code\>)'|uniq)

 [[ $(echo $AUTHOR |wc -c) -eq  "0" ]] && \
  echo "authintication is wrong" || echo $AUTHOR

linux curl redirection and authorization

2 Answers2