PHP Implementation of a Simulated Login to the Zhengfang Educational Administration System

Source: Internet
Author: User
Tags: csrf attack
This article describes how to log in to the Zhengfang educational administration system (正方教务系统) with the PHP cURL library. Because the system may change every year, everything below was tested against the 2018 version. I hope the approach helps.

1. Save the CAPTCHA and the cookie from the login page

[Screenshot of the captured requests, not reproduced]

In the capture there is a request whose name shows that it fetches the CAPTCHA image; the Zhengfang server returns it when the login page is opened. Other blogs claimed the CAPTCHA could be bypassed without entering it, but after several tries it did not work for me, so the vendor has evidently fixed that bug and the CAPTCHA has to be entered by hand.

Also note the cookie. The server sets it on every visit to the page, but it only becomes an authenticated session cookie after a successful login. We have to save this cookie, because every later operation in the system is validated against it; it is what identifies the logged-in user, so it should be stored with the same care as a password.

Below, PHP is used to save the cookie and the CAPTCHA image locally.

    session_start();
    $id = session_id();
    $_SESSION['id'] = $id;
    // Cookie path: cURL writes the cookie jar to this file, one file per PHP session
    $cookie_dir = dirname(__FILE__) . '/cookie/';
    if (!is_dir($cookie_dir)) {
        mkdir($cookie_dir, 0700, true);   // keep the saved session cookies private
    }
    $cookie = $cookie_dir . $_SESSION['id'] . '.txt';
    $verify_code_url = "http://jwgl.hbpu.edu.cn/CheckCode.aspx";   // CAPTCHA address
    $curl = curl_init();
    curl_setopt($curl, CURLOPT_URL, $verify_code_url);
    curl_setopt($curl, CURLOPT_COOKIEJAR, $cookie);   // save the cookie the server sets
    curl_setopt($curl, CURLOPT_HEADER, 0);
    curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
    $img = curl_exec($curl);   // perform the request; the body is the CAPTCHA image
    curl_close($curl);
    $fp = fopen("verifycode.jpg", "w");   // file name of the saved image
    fwrite($fp, $img);   // write the image
    fclose($fp);
    echo "CAPTCHA downloaded; sleeping for 15 seconds, please write the CAPTCHA into code.txt and save it.\n";
    sleep(15);   // pause for 15 seconds

Readers familiar with PHP will follow this. We start a PHP session and use its id to name a per-user cookie file in the cookie/ folder, then request the CAPTCHA URL, which both sets the cookie and returns the image. The CAPTCHA is entered manually: create a file code.txt, read the code from the saved image, write it into code.txt, and after the 15-second pause the script sends the login request to the Zhengfang server.

2. Find the address the request is sent to and the required parameters


[Screenshot of the captured login request, not reproduced]

The capture shows a POST request. One request header to note is Referer; the server uses it as a CSRF defence, and CSRF is explained at the end. Now the POST parameters:

Most of the parameters are self-explanatory, and the ones with empty values need no comment; the two worth explaining are __VIEWSTATE and RadioButtonList1.
The first is ASP.NET's serialized page state. The server will not accept a postback without a valid __VIEWSTATE, which is how it checks that the request came from its own login page; the value sits in a hidden input in the login page's source, and we extract it with a regular expression.
The second is the selected user type. Its value is the URL-encoded GBK string for 学生 (student), %d1%a7%c9%fa; I log in as a student.

    function login_post($url, $cookie, $post) {
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, $url);
        curl_setopt($ch, CURLOPT_HEADER, 0);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);   // return the body instead of printing it
        curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);   // important: follow the 302 and fetch the page after the redirect
        curl_setopt($ch, CURLOPT_COOKIEFILE, $cookie); // read the cookie saved in step 1
        curl_setopt($ch, CURLOPT_COOKIEJAR, $cookie);  // and write back any cookie the server updates
        // Important: the 302 is only issued with this Referer; it is visible in the captured request headers
        curl_setopt($ch, CURLOPT_REFERER, 'http://jwgl.hbpu.edu.cn/');
        if ($post !== '') {
            curl_setopt($ch, CURLOPT_POST, 1);
            curl_setopt($ch, CURLOPT_POSTFIELDS, $post);   // submit the form data
        }
        $result = curl_exec($ch);
        curl_close($ch);
        return $result;
    }

    $xh = '';   // student number; typed in here for now, read from $_POST once the script is online
    $pw = '';   // password; same
    $code = trim(file_get_contents("code.txt"));   // the CAPTCHA you wrote into code.txt in step 1
    $cookie = dirname(__FILE__) . '/cookie/' . $_SESSION['id'] . '.txt';   // the cookie file from step 1 (session started there)
    $url = "http://jwgl.hbpu.edu.cn/default2.aspx";   // login page of the educational administration system

    $con1 = login_post($url, $cookie, '');   // fetch the login page
    // Pull the __VIEWSTATE hidden field out of the page source into $view
    preg_match_all('/<input type="hidden" name="__VIEWSTATE" value="([^<>"]+)" \/>/', $con1, $view);
    if (empty($view[1][0])) {
        die("__VIEWSTATE not found; the login page may have changed\n");
    }
    $post = array(
        '__VIEWSTATE'      => $view[1][0],
        'txtUserName'      => $xh,
        'TextBox2'         => $pw,
        'txtSecretCode'    => $code,
        // "student" in GBK; http_build_query percent-encodes the raw bytes as %D1%A7%C9%FA.
        // Passing the already-encoded string would get its '%' signs encoded a second time.
        'RadioButtonList1' => iconv('UTF-8', 'GBK', '学生'),
        'Button1'          => '',
        'lbLanguage'       => '',
        'hidPdrs'          => '',
        'hidsc'            => '',
    );
    $con2 = login_post($url, $cookie, http_build_query($post));   // join the array into a query string and log in

Now open the PHP script in a browser. If the returned page looks like the logged-in home page (screenshot not reproduced), congratulations, you have logged in to Zhengfang.
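As an added example (not code from the original post), the following helper collects every hidden input from the login page with DOMDocument instead of a regular expression, so it also picks up fields the regex above would miss if the server reorders attributes, and it builds the login body with the GBK conversion done once for all values. The field names are the ones captured above; the HTML sample is constructed, not a real server response.

```php
<?php
// Added example: collect ASP.NET hidden form fields from a GBK-encoded page
// and build the login body. The HTML below is constructed to resemble a
// Zhengfang login page; it is not a captured response.

/**
 * Return every <input type="hidden"> on the page as name => value.
 * The page is converted from GBK to UTF-8 first so DOMDocument parses it
 * reliably; values come back as UTF-8 strings.
 */
function hidden_fields(string $html, string $charset = 'GBK'): array
{
    $utf8 = iconv($charset, 'UTF-8//IGNORE', $html);
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);   // real pages are rarely well-formed
    $doc->loadHTML('<?xml encoding="UTF-8">' . $utf8);
    libxml_clear_errors();

    $fields = [];
    foreach ($doc->getElementsByTagName('input') as $input) {
        if (strtolower($input->getAttribute('type')) !== 'hidden') {
            continue;
        }
        $name = $input->getAttribute('name');
        if ($name !== '') {
            $fields[$name] = $input->getAttribute('value');
        }
    }
    return $fields;
}

/**
 * Build the login POST body: the hidden fields unchanged plus the visible
 * ones. The server reads GBK, so every value is converted before
 * http_build_query percent-encodes the bytes (学生 becomes %D1%A7%C9%FA);
 * pre-encoding a value yourself would get its '%' signs encoded twice.
 */
function login_body(array $hidden, string $user, string $password, string $captcha): string
{
    $fields = $hidden;
    $fields['txtUserName'] = $user;
    $fields['TextBox2'] = $password;
    $fields['txtSecretCode'] = $captcha;
    $fields['RadioButtonList1'] = '学生';   // user type, as the form shows it
    $fields['Button1'] = '';
    $gbk = array_map(function ($v) { return iconv('UTF-8', 'GBK', $v); }, $fields);
    return http_build_query($gbk);
}

// Constructed sample page in GBK bytes (the Chinese label exercises the charset path).
$sample = iconv('UTF-8', 'GBK',
    '<html><body><form method="post" action="default2.aspx">'
    . '<input type="hidden" name="__VIEWSTATE" value="dDwtMTIzNDU2Nzg5Ozs+" />'
    . '<input name="__VIEWSTATEGENERATOR" type="hidden" value="CA0B0334" />'
    . '<input name="txtUserName" type="text" /> <span>学生登录</span>'
    . '</form></body></html>');

$hidden = hidden_fields($sample);
print_r($hidden);   // both hidden fields, whatever order their attributes appear in
echo login_body($hidden, '2016000001', 'example-password', 'ab12'), "\n";
```

Feed hidden_fields() the body that login_post() returns for default2.aspx and pass the result straight into login_body(); any extra hidden field the server adds in a later version is carried along without touching the regex.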

3. Implementing the score query function

As already said, logging in is not enough to use the functions inside, because each module needs different parameters or a different request address, so here one function, the score query, is taken as an example.


Open the score query module and look at its request address and parameters.

[Screenshot of the captured score query request and its parameters, not reproduced]

These parameters should be understandable. The only new one is gnmkdm, whose value looks like a generated string; it is not required and is left out below. The others were covered above, and __VIEWSTATE is obtained the same way as before, this time from the score page itself. The code follows.

    // Extract the student's name from the page returned after login; it sits in <span id="xhxm">
    preg_match_all('/<span id="xhxm">([^<>]+)/', $con2, $xm);
    $xm[1][0] = substr($xm[1][0], 0, -4);   // drop the two-character suffix after the name (4 bytes in GBK)
    // Build the URL of the page to query. This is the score query page; for other data, find the
    // page's URL and its parameters in the live system the same way.
    $url2 = "http://jwgl.hbpu.edu.cn/xscj_gc.aspx?xh=" . $xh . "&xm=" . urlencode($xm[1][0]);
    $viewstate = login_post($url2, $cookie, '');   // open the page once to get its own __VIEWSTATE
    preg_match_all('/<input type="hidden" name="__VIEWSTATE" value="([^<>"]+)" \/>/', $viewstate, $vs);
    $state = $vs[1][0];
    // Every page posts a different set of parameters; adjust these to what you captured
    $post = array(
        '__EVENTTARGET'   => '',
        '__EVENTARGUMENT' => '',
        '__VIEWSTATE'     => $state,
        'hidLanguage'     => '',
        'ddlXN'           => '2016-2017',   // school year
        'ddlXQ'           => '1',           // semester
        'ddl_kcxz'        => '',
        'Button1'         => iconv('UTF-8', 'GBK', '按学期查询'),   // "query by semester" in GBK; use the button you need
    );
    $content = login_post($url2, $cookie, http_build_query($post));
    echo $content;

That completes the code. If the returned page looks like the score table (screenshot not reproduced), it worked.

4. Summary

Logging in is the fiddly part. Afterwards, two parameters are always required, the cookie and __VIEWSTATE; for everything else, open each POST request in the capture and assemble the parameters in the format it uses. The code above runs without errors; copy it and try it. Whether Zhengfang will close this gap in a few years I cannot say; the other blogs I found were too old, so I wrote this 2018 version. Questions can go in private messages or the comments; discussion welcome.

5. About CSRF

CSRF stands for cross-site request forgery: an attacker's page makes the victim's browser send a request to the server, and because the browser attaches the victim's cookie, the server treats the request as the victim's. The Referer header mentioned earlier is the defence Zhengfang uses against this: to reach the logged-in pages the request has to come from the login page, so the Referer must be http://jwgl.hbpu.edu.cn/. When you test against your own university's system, replace that address; this one is my university's, and I logged in with my own student number and password. Note that a Referer check only filters cross-site requests that a browser sends on the user's behalf; a scripted client chooses its own headers, which is exactly what CURLOPT_REFERER does in the code above, so the header proves nothing about where a request came from. A per-session token embedded in the form is the stronger defence. Finally, a detailed blog post on CSRF attacks by someone else is linked below.
CSRF attack
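As an added example (not from the original post), here is how the Referer check described above compares with a per-session token on the server side. The site origin is the one from the post; the request samples are constructed, and the attacker hostnames are placeholders.

```php
<?php
// Added example, not from the original post: two server-side CSRF checks
// and what each one stops. Requests below are constructed, not real traffic.

const SITE_ORIGIN = 'http://jwgl.hbpu.edu.cn';   // origin of the protected site

/** scheme://host[:port] of a URL, or null if it has no scheme or host. */
function origin_of(string $url): ?string
{
    $p = parse_url($url);
    if ($p === false || !isset($p['scheme'], $p['host'])) {
        return null;
    }
    $origin = strtolower($p['scheme'] . '://' . $p['host']);
    if (isset($p['port'])) {
        $origin .= ':' . $p['port'];
    }
    return $origin;
}

/**
 * Referer check, the defence the post observed. The parsed origin is
 * compared, because a prefix test on the raw string would accept a
 * look-alike host such as jwgl.hbpu.edu.cn.attacker.example. A missing
 * Referer is rejected, which browsers and privacy extensions that strip
 * the header turn into a usability problem.
 */
function referer_allows(?string $referer): bool
{
    return $referer !== null && origin_of($referer) === SITE_ORIGIN;
}

/**
 * Synchronizer token: a random secret tied to the session and embedded in
 * the form. A page on another site cannot read it, so it cannot forge a
 * request that carries it, whatever Referer the browser sends.
 */
function issue_csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

function csrf_token_valid(array $session, ?string $submitted): bool
{
    // hash_equals compares in constant time, so the check leaks no timing
    return isset($session['csrf_token']) && $submitted !== null
        && hash_equals($session['csrf_token'], $submitted);
}

$session = [];
$token = issue_csrf_token($session);

$requests = [
    // Submitted from the site's own login page in a browser: both checks pass.
    ['referer' => 'http://jwgl.hbpu.edu.cn/default2.aspx', 'token' => $token],
    // Victim's browser on an attacker page: wrong origin and no token, both checks fail.
    ['referer' => 'http://attacker.example/lure.html', 'token' => null],
    // Look-alike host: fails the origin comparison, would pass a prefix check.
    ['referer' => 'http://jwgl.hbpu.edu.cn.attacker.example/', 'token' => null],
    // Scripted client with a forged Referer, like the cURL code above: the
    // Referer check passes; only the token check still fails, because the
    // script cannot read a token out of someone else's session.
    ['referer' => 'http://jwgl.hbpu.edu.cn/', 'token' => null],
];

foreach ($requests as $r) {
    printf("%-48s referer:%s token:%s\n", $r['referer'],
        referer_allows($r['referer']) ? 'pass' : 'fail',
        csrf_token_valid($session, $r['token']) ? 'pass' : 'fail');
}
```

The last case is the point of the section: the Referer check keeps out a cross-site page running in a victim's browser, but it does not distinguish the site's own pages from a script that sets the header itself, so it is not an anti-automation control.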
