Objective:
Some websites handle login differently from the earlier Blog Park and token-login examples: they put the csrftoken into a cookie, and the cookie does not change before and after login. In this case, how do you bypass the front-end verification-code login?
First, comparing before and after login
1. If the login page has a graphical verification code, the usual approach is to bypass the login. Start with packet analysis: without entering the password, capture the packet.
(This is an internal company website, so the URL cannot be made public; only the approach to solving the problem is given here.)
2. Log in manually on the login page with your account and password, and capture the following information.
The captured cookie information is the same before and after login. There are three main parameters:
--businessusername: the account name
--JSESSIONID: a string; the main thing is to check that it does not change (it usually has a validity period), then just copy it out
--csrftoken: a string; the main thing is to check that it does not change (it usually has a validity period), then just copy it out
Second, GET request
1. For a GET request with this kind of login, the cookie in the request header does not change, so the login can be skipped entirely: there is no need to handle the login process, just send the request directly.
2. Code implementation
```python
# coding:utf-8
import requests

# Coupon list
url = 'http://xxx/xxx/coupon/list'
h = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:44.0) Gecko/20100101 Firefox/44.0",
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
    "Accept-Language": "zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3",
    "Accept-Encoding": "gzip, deflate",
    # The request header is named "Cookie". Replace each xxx with the value
    # copied from the captured packet (businessusername is the user name).
    "Cookie": "csrftoken=xxx; JSESSIONID=xxx; businessusername=xxx",
    "Connection": "keep-alive"
}
r = requests.get(url, headers=h)
print(r.content)
```
Third, pitfall with POST requests
1. A POST request can also skip the login process: adding the three cookie parameters from the captured packet (businessusername, JSESSIONID, csrftoken) to the header works as well.
2. But here is a pitfall: the request sent with Composer is redirected to the login page.
3. Main cause: the request is redirected, and the cookie parameters are lost.
Fourth, redirect
1. Solving this is simple: disable redirection (see 2.8, redirect Location, for details), get the redirect link, and send a new GET request to it with the three cookie parameters in the header.
```python
# coding:utf-8
from urllib.parse import urljoin

import requests

# The POST request is redirected and the cookie is lost, so it lands back on the login page.
# Workaround: disable redirection, get the redirect URL, then request that URL again.

# Three main parameters
csrftoken = 'xxx'    # the captured csrftoken; it generally has a validity period
jsessionid = 'xxx'   # the captured JSESSIONID
username = 'xxx'     # user name

url = 'http://xxx/xxxx/update'
cookie = "csrftoken=%s; JSESSIONID=%s; businessusername=%s" % (csrftoken, jsessionid, username)
h1 = {
    "User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0",
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
    "Accept-Language": "zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3",
    "Accept-Encoding": "gzip, deflate",
    "Cookie": cookie,
    "Connection": "keep-alive",
    "Content-Type": "application/x-www-form-urlencoded",
    # Content-Length is left out: requests computes it from the body
}

body = {"Instantmessageid": "xxx",  # use the value from the captured request
        "name": u"haha 1",
        "Order": "",
        "Csrftoken": csrftoken,
        "type": "QQ",
        "Account": "1001"}

s = requests.session()
r1 = s.post(url, headers=h1, data=body, allow_redirects=False)
print(r1.status_code)
# Get the redirect URL (urljoin also handles a relative Location)
redirect_url = urljoin(url, r1.headers["Location"])
print(redirect_url)

h2 = {
    "User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0",
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
    "Accept-Language": "zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3",
    "Accept-Encoding": "gzip, deflate",
    "Cookie": cookie,
    "Connection": "keep-alive"
}
r2 = s.get(redirect_url, headers=h2)
print(r2.content)
```
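Why the redirected POST above loses its cookie, as an added example that is not part of the original post: when requests follows a redirect it drops a hand-written Cookie header and rebuilds the header from the session's cookie jar, so cookies placed in the jar survive the hop. The local server, the /update and /done paths, the cookie values and the function names are all constructed for this demonstration.

```python
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

import requests

SEEN = []  # (method, Cookie header) pairs recorded by the constructed local server

class Handler(BaseHTTPRequestHandler):
    """Constructed stand-in for the site: POST /update answers 302 -> /done."""
    def do_POST(self):
        SEEN.append(("POST", self.headers.get("Cookie")))
        self.rfile.read(int(self.headers.get("Content-Length", 0)))
        self.send_response(302)
        self.send_header("Location", "/done")
        self.send_header("Content-Length", "0")
        self.end_headers()

    def do_GET(self):
        SEEN.append(("GET", self.headers.get("Cookie")))
        self.send_response(200)
        self.send_header("Content-Length", "2")
        self.end_headers()
        self.wfile.write(b"ok")

    def log_message(self, *args): pass  # keep the demo quiet

def redirected_cookie(url, use_jar):
    """Send the POST, follow the 302, return the Cookie header the GET carried."""
    cookies = {"csrftoken": "t0ken", "JSESSIONID": "abc123"}  # constructed values
    s = requests.Session()
    s.trust_env = False  # ignore proxy environment variables for localhost
    SEEN.clear()
    if use_jar:
        s.cookies.update(cookies)  # jar cookies are re-applied on every hop
        s.post(url, data={"name": "x"})
    else:  # hand-written header, as in the scripts above
        raw = "; ".join("%s=%s" % kv for kv in cookies.items())
        s.post(url, data={"name": "x"}, headers={"Cookie": raw})
    return SEEN[-1][1]

def run_demo():
    """Return (cookie seen after redirect via header, via cookie jar)."""
    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    url = "http://127.0.0.1:%d/update" % server.server_port
    try:
        return redirected_cookie(url, False), redirected_cookie(url, True)
    finally:
        server.shutdown()
        server.server_close()
```

With the cookies in the session jar, the script no longer needs allow_redirects=False and a second hand-built request.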
Python Interface Automation 12-case Study (Csrftoken)