0
Yesterday I did this question here in the Sopt, I am now following what the Inkeliz Said:
Cookies will only be obtained if you make the request using login/password. To do this just enter the Twitter page see what is the URL called (ie F12 > Network) and request using Curl, it is able to send the same information to the browser. The official Twitter API does not use cookies, because getting other people’s login/password is not safe, so there is Oauth, officially made available by Twitter.
The question is, how can I do this? Could I do it using Twitteroauth?
Someone would give an example of how to make this request, using F12 > Tetwork?
My authentication code is this:
<?php
class Auth {
public function signedIn() {
if (isset($_SESSION['twitter_access_token'])) {
$access_token = $_SESSION['twitter_access_token'];
$connection = new TwitterOAuth(CONSUMER_KEY, CONSUMER_SECRET, $access_token['oauth_token'], $access_token['oauth_token_secret']);
$user = $connection->get('account/verify_credentials');
return $user;
}
return false;
}
public function getAuthUrl() {
$connection = new TwitterOAuth(CONSUMER_KEY, CONSUMER_SECRET);
$request_token = $connection->getRequestToken(OAUTH_CALLBACK);
if($request_token){
$token = $request_token['oauth_token'];
$_SESSION['oauth_token'] = $token ;
$_SESSION['oauth_token_secret'] = $request_token['oauth_token_secret'];
$auth_url = $connection->getAuthorizeURL($token);
}
return $auth_url;
}
public function getAccessToken() {
$request_token = [];
$request_token['oauth_token'] = $_SESSION['oauth_token'];
$request_token['oauth_token_secret'] = $_SESSION['oauth_token_secret'];
if (isset($_GET['oauth_token']) && $request_token['oauth_token'] !== $_GET['oauth_token']) {
die('Error: Something went wrong...');
}
$connection = new TwitterOAuth(CONSUMER_KEY, CONSUMER_SECRET, $request_token['oauth_token'], $request_token['oauth_token_secret']);
$access_token = $connection->getAccessToken($_REQUEST['oauth_verifier']);
if (empty($access_token)) {
die('Error: Invalid access token...');
}
return $access_token;
}
public function logout() {
session_destroy();
header('Location:' . URL_BASE);
}
}
The question now is as follows, how to obtain the data by comparing user = oauth_token
and password = oauth_token_secret
and confirm on the form?
<form method="post">
<div class="form-group">
<input type="text" name="ttrUsername" placeholder="Usuário do Twitter" class="form-control">
</div>
<div class="form-group">
<input type="password" name="ttrPassword" placeholder="Senha do Twitter" class="form-control">
</div>
<button type="submit" name="ttrSignin" class="btn btn-primary btn-block">
<i class="fa fa-twitter"></i> Entrar agora
</button>
</form>
This is my form:
I got the following cURL
curl "https://twitter.com/"
-H "accept-encoding: gzip, deflate, br"
-H "accept-language: pt-BR,pt;q=0.8,en-US;q=0.6,en;q=0.4"
-H "upgrade-insecure-requests: 1"
-H "user-agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.109 Safari/537.36"
-H "accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8"
-H "cache-control: max-age=0"
-H "authority: twitter.com"
-H "cookie: guest_id=v1^%^3A149848156157534036; privacy_2017=1; lang=pt; eu_cn=1; ct0=3dae64dcfd1d4e31e6b9f749eaff5f1c; _gat=1; ads_prefs=^\^"HBERAAA=^\^"; kdt=6F5z2H1dYzkK2dxVkhDommOOBWmYJiXTdCCbRZGE; remember_checked_on=1; twid=^\^"u=866687457990979584^\^"; auth_token=115ba1614d21781e601769c512a48bccc7bda89b; _ga=GA1.2.1124081759.1498481564; _gid=GA1.2.126286429.1498481564; _twitter_sess=BAh7CiIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo^%^250ASGFzaHsABjoKQHVzZWR7ADoPY3JlYXRlZF9hdGwrCOgPduRcAToMY3NyZl9p^%^250AZCIlZWM4NWI1ZTZiMDk5Yzg4MDZmM2NhNGE4MTA5MGZmODY6B2lkIiVlM2I4^%^250AMTRmNDA4NTZlYTkyYzI1Y2Y3NDE1NTE2ZjYwYjoJdXNlcmwrCQCw1rCmFwcM--b7e62a94a232a36015e8959d2391af44b9b2b753"
-H "referer: https://twitter.com/login/error?redirect_after_login=^%^2F" --compressed
I made the following scheme, and is returning the twitter login page:
<?php
# First call gets hidden form field authenticity_token
# and session cookie
$ch = curl_init();
$sTarget = "https://twitter.com/";
curl_setopt($ch, CURLOPT_URL, $sTarget);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
curl_setopt($ch, CURLOPT_USERAGENT, $_SERVER['HTTP_USER_AGENT']);
curl_setopt($ch, CURLOPT_COOKIEFILE, "/tmp/cookie.txt");
curl_setopt($ch, CURLOPT_REFERER, "https://twitter.com/");
$html = curl_exec($ch);
# parse authenticity_token out of html response
preg_match('/<input type="hidden" value="([a-zA-Z0-9]*)" name="authenticity_token"\/>/', $html, $match);
$authenticity_token = $match[1];
$username = "[email protected]";
$password = "password";
# set post data
$sPost = "session[username_or_email]=$username&session[password]=$password&return_to_ssl=true&scribe_log=&redirect_after_login=%2F&authenticity_token=$authenticity_token";
# second call is a post and performs login
$sTarget = "https://twitter.com/sessions";
curl_setopt($ch, CURLOPT_URL, $sTarget);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $sPost);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, false);
curl_setopt($ch, CURLOPT_HTTPHEADER, array("Content-type: application/x-www-form-urlencoded"));
# display server response
curl_exec($ch);
curl_close($ch);
?>
I think my comment answers all the questions. First, what I mean by "F12 > Network" is that you see how the request is made, then redo it on Curl, including Chrome allows you to copy to "Copy All as Curl". You can also use Burp Suite... Oauth does not use login/password, instead uses a "token". Well, I believe your problem is that you don’t understand the basics of how HTTP requests work. Besides, if you knew what Oauth was, you’d know he was was made not to use login/password.
– Inkeliz
Well, I understand the basics and yes, I know it was done not to use login/password. I just wanted to know a way, how to do it... an example of code... simple as...
– WillBB
Vish this screen is the biggest fishery! You can not ask the credentials for the user, this is phishing (for example this would give you the power to access your users' account). Log in to a website via twitter to understand - you type your credentials in the twitter.com popup and never on the site you belong to. See the Twitter documentation for this. https://dev.twitter.com/web/sign-in/implementing
– rodorgas
@rodorgas see, I edited the topic with the Curl that I picked with the tip of Inkeliz
– WillBB
Puts... changes your password bro, your twitter has been compromised. Do not put session cookie, this is secret. Seriously, read the charts, security is an area of computing that you can’t improvise.
– rodorgas
Rlx, this account is released for general use... I created it on purpose. I made it to test...
– WillBB
edited the topic.
– WillBB
@rodorgas, would be able to inform me, how to use these cookies to post as they did in my account?
– user76271
Because he posted his session cookie, whoever uses that cookie will hijack his session. See https://pt.wikipedia.org/wiki/Session_hijacking. You can change your session cookie in your browser settings.
– rodorgas
@rodorgas I got, it is possible to make some script to follow the cookies and sessions saved in my database?
– user76271