My previous article covered how to use WebClient to simulate logging in to a site protected by a CSRF check. Judging from the replies, some readers still did not follow it, so this is a second article, this time on how to log in using Python.
Before getting to that, let me explain why WebRequest does not work. Normally, we use WebRequest in the following form:
    string url = "loginurl";
    StringBuilder sb = new StringBuilder();
    sb.Append("username=un");
    sb.Append("&password=up");
    sb.Append("&service=sv");
    HttpWebRequest requestGet = (HttpWebRequest)WebRequest.Create(url);
    byte[] postData = Encoding.UTF8.GetBytes(sb.ToString());
    using (Stream stream = requestGet.GetRequestStream())
    {
        stream.Write(postData, 0, postData.Length);
    }
    WebResponse response1 = requestGet.GetResponse();
    StreamReader sr2 = new StreamReader(response1.GetResponseStream(), Encoding.UTF8);
    string html2 = sr2.ReadToEnd();
The key problem is that the data we post does not contain a CSRF value the server recognizes, so GetResponse fails with an error. Suppose we add the following code after the sixth line (the one that creates the HttpWebRequest):
    WebResponse responseGet = requestGet.GetResponse();
    StreamReader sr = new StreamReader(responseGet.GetResponseStream(), Encoding.UTF8);
    string html = sr.ReadToEnd();
    // Capture the value of the hidden "lt" field (the CSRF token); \S+? matches the non-whitespace token
    string regx = "<input type=\"hidden\" id=\"lt\" name=\"lt\" value=\"(?<pid>\\S+?)\"/>";
    string token = Regex.Match(html, regx).Groups[1].Value;
    sb.Append("&lt=" + token);
Here the value is fetched first and appended to the StringBuilder that holds the post data; everything else is unchanged. When execution reaches GetRequestStream, a System.Net.ProtocolViolationException is thrown, and if you create a new HttpWebRequest at that point, the CSRF value expires. These are the problems I ran into when simulating a login to a CSRF-protected site, which is why the first article reimplemented it with WebClient instead.
Today I happened to be writing Python code and wanted to see how to simulate a login to this kind of protected site in Python. Put simply, the code is as follows:
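    import re
    from urllib.parse import urlencode

    url = 'somurl'
    # h is the httplib2.Http instance defined further down
    r, c = h.request(url, 'GET')
    sc = c.decode('utf-8')
    # Capture the value of the hidden "lt" field (the CSRF token)
    regx = r'<input type="hidden" id="lt" name="lt" value="(\S+?)" />'
    pm = re.search(regx, sc)
    csrf = pm.group(1)
    body = {'username': 'user', 'password': 'pass', 'lt': csrf, 'service': 'url'}
    # httplib2 does not set a form Content-Type on its own, so send it explicitly
    headers = {'Content-Type': 'application/x-www-form-urlencoded'}
    r, c = h.request(url, 'POST', body=urlencode(body), headers=headers)
    print(c.decode('utf-8'))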
It feels quite simple. Of course, we still have to use cookies to actually achieve the goal; the above is only the main code, offered for reference.
The variable h is defined as follows:
    import httplib2

    h = httplib2.Http('.cache')
As you can see, the library used here is httplib2. It is recommended in Python as a replacement for the standard library's HTTP client.
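The cookie requirement mentioned above, as an added example that is not the author's code: a constructed loopback server issues the `lt` token tied to a session cookie, and a standard-library client shows that the fetch-then-post sequence succeeds only when the cookie from the GET accompanies the POST. The server, its `sid` cookie name, and the `login` and `demo` helpers are assumptions made for illustration.

```python
import re, secrets, threading
import urllib.error, urllib.parse, urllib.request
from http.cookiejar import CookieJar
from http.server import BaseHTTPRequestHandler, HTTPServer

TOKENS = {}  # constructed demo server state: session id -> CSRF token issued to it
FORM = '<input type="hidden" id="lt" name="lt" value="%s" />'
REGX = r'<input type="hidden" id="lt" name="lt" value="(\S+?)" />'

class LoginHandler(BaseHTTPRequestHandler):
    def log_message(self, *args): pass  # keep the demo quiet
    def reply(self, code, text, sid=None):
        self.send_response(code)
        if sid:
            self.send_header('Set-Cookie', 'sid=' + sid)
        self.end_headers()
        self.wfile.write(text.encode())
    def do_GET(self):  # issue a fresh token tied to a fresh session cookie
        sid = secrets.token_hex(8)
        TOKENS[sid] = secrets.token_hex(16)
        self.reply(200, FORM % TOKENS[sid], sid)
    def do_POST(self):  # accept only the token issued to this session, and only once
        size = int(self.headers.get('Content-Length', 0))
        sent = urllib.parse.parse_qs(self.rfile.read(size).decode()).get('lt', [''])[0]
        m = re.search(r'sid=(\w+)', self.headers.get('Cookie', ''))
        expected = TOKENS.pop(m.group(1), None) if m else None
        ok = expected is not None and secrets.compare_digest(sent, expected)
        self.reply(200 if ok else 403, 'welcome' if ok else 'bad csrf token')

def login(url, keep_cookies=True):
    handlers = [urllib.request.ProxyHandler({})]  # never proxy the loopback request
    if keep_cookies:
        handlers.append(urllib.request.HTTPCookieProcessor(CookieJar()))
    opener = urllib.request.build_opener(*handlers)
    html = opener.open(url).read().decode('utf-8')
    csrf = re.search(REGX, html).group(1)
    body = urllib.parse.urlencode({'username': 'user', 'password': 'pass', 'lt': csrf})
    try:
        return opener.open(url, data=body.encode()).status
    except urllib.error.HTTPError as err:
        return err.code

def demo():
    with HTTPServer(('127.0.0.1', 0), LoginHandler) as server:
        threading.Thread(target=server.serve_forever, daemon=True).start()
        url = 'http://127.0.0.1:%d/' % server.server_port
        try:
            return login(url, True), login(url, False)
        finally:
            server.shutdown()
```

`demo()` returns the HTTP status of the POST with and without the cookie jar; the second login extracts a valid token but is rejected because the server cannot tie it to a session.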