CSRF verification failed when using cURL (divar)

Time: 2017-06-13 06:35:01

Tags: php ssl curl csrf verification

I am trying to fetch the content of divar.com via curl, but I get the error "CSRF verification failed. Request aborted."

Browser request

Accept:application/json, text/javascript, */*; q=0.01
Accept-Encoding:gzip, deflate, br
Accept-Language:en-US,en;q=0.8
Connection:keep-alive
Content-Length:107
Content-Type:application/x-www-form-urlencoded; charset=UTF-8
Cookie:did=MEcBYcwueB4uxA; submitButtonColor=green-colored; _ga=GA1.2.835389468.1497328087; _gat=1; csrftoken=9By33xqnFS5JH5qRHuDVyZg7ZU7M1b4Z; sessionid=q7sm28egcbdpuxrchfxgs01bqg6j1pfw
Host:divar.ir
Origin:https://divar.ir
Referer:https://divar.ir//guard/captcha_simple/?token=helper.py:wrapper_func
User-Agent:Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36
X-Requested-With:XMLHttpRequest

Form data

captcha_input:649
guard_token:helper.py:wrapper_func
csrfmiddlewaretoken:9By33xqnFS5JH5qRHuDVyZg7ZU7M1b4Z

PHP code

function getWebPageSsl( $url, $param = NULL )
{
    $headers   = array();
    $headers[] = 'Accept:application/json, text/javascript, */*; q=0.01';
    $headers[] = 'Accept-Encoding:gzip, deflate, br';
    $headers[] = 'Accept-Language:en-US,en;q=0.8';
    $headers[] = 'Connection:Keep-Alive';
    $headers[] = 'Content-Type:application/x-www-form-urlencoded; charset=UTF-8';
    $headers[] = 'Origin:https://divar.ir';
    $headers[] = 'X-Requested-With:XMLHttpRequest';

    $useragent = 'Mozilla/5.0 (iPhone; U; CPU iPhone OS 4_3_3 like Mac OS X; en-us) AppleWebKit/533.17.9 (KHTML, like Gecko) Version/5.0.2 Mobile/8J2 Safari/6533.18.5';
    $options = array(
        CURLOPT_HTTPHEADER     => $headers,
        CURLOPT_RETURNTRANSFER => true,     // return the page body instead of printing it
        CURLOPT_POST           => ($param) ? true : false,
        CURLOPT_ENCODING       => "",       // accept every encoding curl supports and decompress it
        CURLOPT_USERAGENT      => $useragent,
        CURLOPT_CONNECTTIMEOUT => 120,      // timeout on connect
        CURLOPT_TIMEOUT        => 120,      // timeout on response
        CURLOPT_MAXREDIRS      => 10,       // stop after 10 redirects
        CURLOPT_SSL_VERIFYPEER => true,     // verify the server certificate against CURLOPT_CAINFO
        CURLOPT_SSL_VERIFYHOST => 2,        // and check that the certificate matches the host (1 is not a valid value)

        CURLOPT_COOKIEJAR      => __DIR__.DIRECTORY_SEPARATOR.'cookies.txt',
        CURLOPT_COOKIEFILE     => __DIR__.DIRECTORY_SEPARATOR.'cookies.txt',
        CURLOPT_CAINFO         => __DIR__.DIRECTORY_SEPARATOR.'CertumTrustedNetworkCA.crt',
        CURLOPT_REFERER        => 'http://www.google.com'   // Django's CSRF check over HTTPS compares this with the request host
    );

    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt_array($ch, $options);
    curl_setopt($ch, CURLINFO_HEADER_OUT, true);   // make curl_getinfo() include the request headers

    if ($param) {
        // The Content-Type header above declares a form-encoded body, so the
        // fields must be form-encoded rather than JSON; CURLOPT_POST only
        // takes a boolean, the body goes in CURLOPT_POSTFIELDS.
        curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($param));
    }
    $content = curl_exec($ch);
    $last    = curl_getinfo($ch);   // transfer details such as http_code and request_header
    curl_close($ch);

    return $content;
}

curl_getinfo response

array(27) {
  ["url"]=>
  string(38) "https://divar.ir/guard/captcha_simple/"
  ["content_type"]=>
  string(9) "text/html"
  ["http_code"]=>
  int(403)
  ["header_size"]=>
  int(288)
  ["request_size"]=>
  int(833)
  ["filetime"]=>
  int(-1)
  ["ssl_verify_result"]=>
  int(0)
  ["redirect_count"]=>
  int(0)
  ["total_time"]=>
  float(0.265)
  ["namelookup_time"]=>
  float(0)
  ["connect_time"]=>
  float(0.046)
  ["pretransfer_time"]=>
  float(0.171)
  ["size_upload"]=>
  float(107)
  ["size_download"]=>
  float(545)
  ["speed_download"]=>
  float(2056)
  ["speed_upload"]=>
  float(403)
  ["download_content_length"]=>
  float(-1)
  ["upload_content_length"]=>
  float(107)
  ["starttransfer_time"]=>
  float(0.265)
  ["redirect_time"]=>
  float(0)
  ["redirect_url"]=>
  string(0) ""
  ["primary_ip"]=>
  string(14) "79.175.191.253"
  ["certinfo"]=>
  array(0) {
  }
  ["primary_port"]=>
  int(443)
  ["local_ip"]=>
  string(11) "192.168.1.5"
  ["local_port"]=>
  int(56034)
  ["request_header"]=>
  string(726) "POST /guard/captcha_simple/ HTTP/1.1
User-Agent: Mozilla/5.0 (iPhone; U; CPU iPhone OS 4_3_3 like Mac OS X; en-us) AppleWebKit/533.17.9 (KHTML, like Gecko) Version/5.0.2 Mobile/8J2 Safari/6533.18.5
Host: divar.ir
Referer: http://www.google.com
Cookie: _ga=GA1.2.835389468.1497328087; _gat=1; csrftoken=N9CiDEDm1hPrbfrHBdAHDGGvloc1hyMC; did=ee2WWcXnUvswNA; sessionid=qe5zgp8mwh44pgc6tt0vnf06kvj08f71; submitButtonColor=green-colored
Accept:application/json, text/javascript, */*; q=0.01
Accept-Encoding:gzip, deflate, br
Accept-Language:en-US,en;q=0.8
Connection:Keep-Alive
Content-Type:application/x-www-form-urlencoded; charset=UTF-8
Origin:https://divar.ir
X-Requested-With:XMLHttpRequest
Content-Length: 107

"
}

But I get this error:

Forbidden (403)

CSRF verification failed. Request aborted.
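The error text above is the one Django's CsrfViewMiddleware returns, so the checks that produce it can be modelled. The following is an added example, not code from the question or from divar.ir: a simplified model of that middleware's POST checks (pre-1.10 unmasked tokens), run over a constructed request built from the headers in the curl_getinfo output above and then over a corrected one. The request dict, the constructed session id and the helper names are assumptions.

```python
import hmac
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlencode, urlsplit

TOKEN = "N9CiDEDm1hPrbfrHBdAHDGGvloc1hyMC"  # csrftoken cookie from the captured request

# Constructed request, modelled on the captured cURL request in the question.
CURL_REQUEST = {
    "secure": True,  # sent over https
    "host": "divar.ir",
    "headers": {
        "Referer": "http://www.google.com",
        "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
        "Cookie": "csrftoken=%s; sessionid=constructed" % TOKEN,
    },
    # json_encode() output: declared as form-encoded, but it is not
    "body": '{"captcha_input":"649","csrfmiddlewaretoken":"%s"}' % TOKEN,
}

def csrf_check(req):
    """Simplified model of the checks Django's CsrfViewMiddleware applies to a
    POST (unmasked, pre-1.10 tokens), not Django's own code. Returns the list
    of rejection reasons; an empty list means the request passes."""
    headers, reasons = req["headers"], []
    # 1. Over HTTPS the Referer must be present and come from the same https origin.
    if req["secure"]:
        parts = urlsplit(headers.get("Referer", ""))
        if parts.scheme != "https" or parts.hostname != req["host"]:
            reasons.append("referer")
    # 2. The csrftoken cookie must exist ...
    cookies = SimpleCookie()
    cookies.load(headers.get("Cookie", ""))
    cookie_token = cookies["csrftoken"].value if "csrftoken" in cookies else ""
    # 3. ... and equal csrfmiddlewaretoken, which is only read from a body that
    #    really is form-encoded; a JSON body yields no such field.
    ctype = headers.get("Content-Type", "").split(";")[0].strip()
    form = parse_qs(req["body"]) if ctype == "application/x-www-form-urlencoded" else {}
    form_token = form.get("csrfmiddlewaretoken", [""])[0]
    if not cookie_token or not hmac.compare_digest(form_token, cookie_token):
        reasons.append("token")
    return reasons

def fixed_request(req):
    """The same request with a same-origin https Referer and a genuinely
    form-encoded body (what PHP's http_build_query() produces)."""
    fixed = {**req, "headers": dict(req["headers"])}
    fixed["headers"]["Referer"] = "https://%s/guard/captcha_simple/" % req["host"]
    fixed["body"] = urlencode({"captcha_input": "649", "csrfmiddlewaretoken": TOKEN})
    return fixed
```

The captured request fails both checks; fixing only the Referer still leaves the token unreadable, because the body is JSON while the header promises a form.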

2 answers:

Answer 0 (score: 0)

Add this to the constructor

$this->middleware('auth')->except('getWebPageSsl');

With this, the middleware will not try to authenticate you via the CSRF token. getWebPageSsl is the PHP function name.

Answer 1 (score: 0)

It looks like the token is right, no problem.