Q:Perl Extracting & Printing Security Token

Shell Programming and Scripting
1

I have a script which is supposed to log in to my vB account and print my security token, however doesn't seem to work globally. The logging in works perfectly just will not retrieve and print the security token for every forum I log in to. Code Below:

#!/usr/bin/perl
use LWP::UserAgent;

my $ua = LWP::UserAgent->new(agent => q{Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7 (.NET CLR 3.5.30729)});
$ua->cookie_jar({});

print("Specify site URL(e.g http://site.com/): ");
chomp(my $url = <>);
print("Username: ");
chomp(my $username = <>);
print("Password: ");
chomp(my $password = <>);

my $req = HTTP::Request->new(POST => $url . '/login.php?do=login');
$req->content_type('application/x-www-form-urlencoded');
$req->content("vb_login_username=$username&vb_login_password=$password&do=login&securitytoken=guest&vb_login_md5password=&vb_login_md5password_utf=&s=");
$ua->request($req);
my $content = $ua->get("$url/index.php")->content;
my ($securityToken) = $content =~ /value="\w{10}-\w{40}" /g;
print "Security token: $securityToken\n";

Just view your page source to find an example of the vB security token while logged in.

2

Try something like this:

% cat script.pl
$_ = '<input type="hidden" value="1311696616-766a50d6240bd38183dd57b51a345bf916a634a9" name="securitytoken">';
my $securityToken = $1 if  /securitytoken/ && /value="(\w+-\w+)"/;
print "Security token: $securityToken\n";

% perl script.pl
Security token: 1311696616-766a50d6240bd38183dd57b51a345bf916a634a9
3

Think you misunderstood me. Disregard that specific value it's a generic string. I need it to grab that generic string from the page.

First post updated so you can test on a few vB forums to see what I mean, works on some, won't work on others.

4

In $content you have all the page but we need only an input element with the attribute 'name="securitytoken"'. There are can be a few but they are the same (on unix.com at least). So it's enough to get just the first one:

my $input = $1 if $content =~ /(<input.*?securitytoken.*?>)/s;

(/s - just in case an input elements takes several lines.)
Then from this input we can get the value in the same vein:

my $securityToken = $1 if $input =~ /value="(\w{10}-\w{40})"/;

And it's necessary to check whether we really get the token - something like this:

if ($securityToken) { 
  print $securityToken;
} else {
  print "oops\n";
  exit -1;
}

Hope this helps. If not - write me to the private (so I can be sure to see your questions).

PS Sorry for my English.

---------- Post updated at 11:00 AM ---------- Previous update was at 10:50 AM ----------

I think this will be enough:

my $securityToken = $1 if $input =~ /value="(.*?)"/;

For example, on some forums where i'm a guest it gives me the value "guest".

1 Like
5

Thank you for the response. Seems to work for a few more forums, however still not for every vB forum. I'll send you another example, read the comments in your banking.

---------- Post updated at 11:47 PM ---------- Previous update was at 11:10 PM ----------

After checking your post update the last example seems to have fixed things. But it seems I've ran in to another problem. I need the usage of gzip, deflate but with the script looking like it does below, it puts the security token extraction back where it was before.

#!/usr/bin/perl
use LWP::UserAgent;

my $ua = LWP::UserAgent->new(agent => q{Mozilla/5.0 (Windows; U;  Windows NT 6.0; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7 (.NET  CLR 3.5.30729)});
$ua->cookie_jar({});

print("Specify site URL(e.g http://site.com/): ");
chomp(my $url = <>);
print("Username: ");
chomp(my $username = <>);
print("Password: ");
chomp(my $password = <>);

$ua->default_header('Accept' =>  "text/xml,application/xml,applicati+on/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5",  
    'Accept-Language' => "en-us,en;q=0.5",
    'Accept-Charset' => "ISO-8859-1,utf-8;q=0.7,*;q=0.7",
    'Accept-Encoding' => 'gzip,deflate',
    'Keep-Alive' => "300",
    'Connection' => "keep-alive", 
    'Referer' => "$url/index.php");

push @{ $ua->requests_redirectable }, 'POST';

my $req = HTTP::Request->new(POST => $url . '/login.php?do=login');
$req->content_type('application/x-www-form-urlencoded');
$req->content("vb_login_username=$username&vb_login_password=$password&do=login&securitytoken=guest&vb_login_md5password=&vb_login_md5password_utf=&s=");
$ua->request($req);
my $content = $ua->get("$url/index.php")->content;
my $input = $1 if $content =~ /(<input.*?securitytoken.*?>)/m;
my $securityToken = $1 if $input =~ /value="(.*?)"/;
print "Security token: $securityToken\n";
6

Don't quite understand. What is the content of the var "$content"? Is it gzipped?

7

No it's for other purposes such as extraction of posts/titles. But I don't see why it stops the extraction of the security token.

8

Yes. With 'Accept-Encoding' => 'gzip,deflate' you get a page in gzip form. I check this with unix.com (I hardcoded the data in the script and change the last line to

if ($securityToken) {
    print "$securityToken\n";
} else {
    print "$content\n";
}

With

./script.pl | gunzip -

i can see the content.
I'm checking now how to use IO::Uncopress::Gunzip.

---------- Post updated at 12:37 PM ---------- Previous update was at 12:32 PM ----------

This works but gives me value for unix.com as "guest" - doesn't count my $username and $password.

use IO::Uncompress::Gunzip 'gunzip';
...

my $content = $ua->get("$url/index.php")->content;
my $gunzipped;
gunzip \$content => \$gunzipped;
$content = $gunzipped;
my $input = $1 if $content =~ /(<input.*?securitytoken.*?>)/m;
my $securityToken = $1 if $input =~ /value="(.*?)"/;
if ($securityToken) {
    print "$securityToken\n";
} else {
    print "$content\n";
}
9

Thank you Yazu for the help, seems to be stable for now.