hyperlink and logging in

Started by Klod, June 10, 2007, 10:35:51 PM

drizz

Quote from: Klod on June 12, 2007, 07:58:48 PM
What I try to accomplish is to log in with username and password to a server on the internet from my proggie written in asm.

i'll try to explain by using masm32 login as an example.

web based logins have some form elements that use methods POST,GET for submitting data.

by viewing html source of "http://www.masm32.com/board/index.php" we see
<form action="http://www.masm32.com/board/index.php?action=login2" method="post" style="margin: 3px 1ex 1px 0; text-align:right;">
<input type="text" name="user" size="10" /> <input type="password" name="passwrd" size="10" />
<select name="cookielength">
<option value="60">1 Hour</option>
<option value="1440">1 Day</option>
<option value="10080">1 Week</option>
<option value="302400">1 Month</option>
<option value="-1" selected="selected">Forever</option>
</select>
<input type="submit" value="Login" /><br />
Login with username, password and session length
</form>

when you press "Login" button, your browser submits data to "action" defined in the form.
http://www.masm32.com/board/index.php?action=login2&user=drizz&passwrd=***&cookielength=-1
(*** is not the pass of course, it must be replaced)

-> try to logout and then login just by pasting your url in address field of the browser:
http://www.masm32.com/board/index.php?action=login2&user=Klod&passwrd=***&cookielength=-1

the form on your server might also have hidden type of form elements which must also be encoded.

remember that special characters must be url-encoded

therefore you start by experimenting with your browser on your server as described above,
logging in by using address bar, when that works you can use the example ragdog provided.

reading material:
http protocol:
http://www.w3.org/Protocols/HTTP/HTTP2.html
form submission
http://www.w3.org/MarkUp/html-spec/html-spec_toc.html#SEC8.2
url encoding:
http://www.permadi.com/tutorial/urlEncoding/
http://www.w3.org/Addressing/URL/url-spec.html

programs:
packet analyzer: http://www.ethereal.com/
EDIT: almost forgot a great program local proxy: http://www.proxomitron.info/
The truth cannot be learned ... it can only be recognized.

drhowarddrfine

Well, the form submission link above is for html2 but we're on html4.01 now.  Here is the link for that. 

Also, http2.0 is not ready for prime time yet.  The current, stable version used is http1.1 which is here.

drizz

thanks for the correction drhowarddrfine, i just copy&pasted from google without looking. :red
The truth cannot be learned ... it can only be recognized.

Klod

Thank you all for contributing.
I realize that there is a lot of material to read and study. I started but...:dazzled:
drizz your example is very helpful in learning and I was able to make it work with some simple websites.
However, it doesn't work with my server problem, which uses secure logon. I decided to post the source code for it here, but I changed the company name and the URL, to respect the company's privacy. I hope someone may help me decipher the meaning of its syntax :bg

Quote
<html>
<head>

   <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
   <title>Web Single Login</title>
   <link rel="stylesheet" type="text/css" href="/css/styles-wslx.css">
   <script>
      <!-- to hide script contents from old browsers 
       function validateForm(form)
         {
             if (document.forms[0].userid.value.length == 0 || document.forms[0].userid.value.length < 3) {
                 alert( "\nInvalid USER ID entry.\nEnter end user's USER ID in the box.");
                 return false;
                 }
             if (document.forms[0].password.value.length == 0) {
                 alert("You must enter a password.");
                 return false;
                }
          
            // determine if user is internal
            // and is authenticating via securID
         
            if ( (!validateUserID(form)) && (validatePasscode(form))) {
               
                  var cdsid = escape(document.forms[0].userid.value);
                  var passwd = escape(document.forms[0].password.value);
                  // if so then get args for WslIP and back and issue them as cookies
                  var argx = getArgs();
                  if (argx.back)
                  {
                     var x = String(argx.back);
                     document.cookie = "back="+ escape (x)+ "; domain=dealerconnection.com; path=/";      
                  }
                  if (argx.WslIP)
                  {
                     var y = String(argx.WslIP);
               
                     document.cookie = "WslIP="+ escape (y)+ "; domain=dealerconnection.com; path=/";
                  }
                     document.forms[0].action =  "https://www.secureauthx.connection.com/XXX.cgi";   
               }   
            
               else {
                  document.forms[0].action = 'auth.cgi';         
               }
            
               return true;         
         }


         function validateUserID(form)
         {
            //determine if userid is internal or external

              var reUser = /^\w-\w{1,8}$/;
              if (reUser.test(document.forms[0].userid.value)) {
               return true;
            }
              return false;
         }

         function validatePasscode(form)
         {
            //determine if passcode is valid SecurID format

              var rePasscode = /^\d{8,16}$/;
              if (rePasscode.test(document.forms[0].password.value)) {
               return true;
            }
              return false;
         }
      
       function getArgs()
         {
            //get variables from query string
            var args = new Object();
            var query = location.search.substring(1); //Get query string
            
            
            var regExp = /(WslIP=\d+\.\d+\.\d+\.\d+)&(back=.+)/;
            var result = query.match(regExp);
            
            if (result != null){
               var pairs = new Array();
               pairs[0] = (result[1]);
               pairs[1] = (result[2]);
            }
            
            else {
               var regExp2 = /(back=.+)/;
               var result2 = query.match(regExp2);
               
               if (result2 != null){
                  var pairs = new Array();
                  pairs[0] = (result2[1]);
                  //alert (pairs[0]);
               }
               
               else {
                  return false;
               }

            }

            //var pairs = query.split("&");   //Break at ampersand
            for (var i=0; i<pairs.length; i++) {
               var pos = pairs[i].indexOf("="); //look for name=value
               if (pos == -1) continue;  //if not found skip
               var argname = pairs[i].substring(0,pos); //get name
               var value = pairs[i].substring(pos+1); //get value
               args[argname] = unescape(value); //store as property
               //alert (value);

            }
            return args;
         }
         
   
       function checkCookieId () {
          // only execute if the login form is displayed on the page
         if (document.forms[0]) {
            if (getCookie("CDSID") != "")  {
               if (document.forms[0].userid.value == "") {
                      document.forms[0].userid.value = getCookie("CDSID");
                }
               document.forms[0].password.focus();
            }           
            else {
                document.forms[0].userid.focus();
            }   
         }
      }
   
       function getCookie (Name) {
          var search = Name + "="
          if (document.cookie.length > 0) {
             offset = document.cookie.indexOf(search)
             if (offset != -1) {
                offset += search.length
                end = document.cookie.indexOf(";", offset)
                if (end == -1)
                   end = document.cookie.length
                return unescape(document.cookie.substring(offset, end))
             }
          }
          return ""
       }
   
       function checkUserId() {
          if( document.forms[0].userid.value.length < 3 ) {
             alert( "\nInvalid USER ID entry.\nEnter end user's USER ID in the box.");
             document.forms[0].userid.focus();
             return false;
          }
          return true;
       }

        function mypopup(URL)
        {
          //set the name of the Window
          window.name="base";
         
          //open a new window to display URL
          window.open(URL,"myhelp","toolbar=no,location=no,directories=no,status=no, scrollbars=yes,resizable=yes,copyhistory=no");
        }
       
   // end hiding contents from old browsers -->
</script>
</head>


<body onload="checkCookieId()" id="DEALER-WSLXloginBody" MARGINWIDTH=0 MARGINHEIGHT=0 TOPMARGIN=0 LEFTMARGIN=0 >
<table BORDER="0" WIDTH="100%" CELLSPACING="0" CELLPADDING="0"><tr BGCOLOR="#0066FF"><td align=right>&nbsp;<A HREF="JavaScript:mypopup('wslx_help.jsp')"><img src="/img/helpoff.gif"></A></td></tr></table>
<table cellSpacing="0" cellPadding="0" border="0" width="100%">
   <tr>   
      <td width="100%">
          <CENTER>
         <table id="DEALER-WSLXHeaderBodyFooter" border="0" width="100%">
            <tr id="DEALER-WSLXHeader">
               <td>
                  <br>
                  <div id="DEALER-WSLXloginHeaderText1">
                     <br><h1 align="center">Secure Web Logon</h1><hr>
                  </div>
                  <div id="DEALER-WSLXloginHeaderText2">
                     <br><TABLE BORDER=3 WIDTH="60%" CELLPADDING=10 align=center><TR><TD><B>
                        By logging into this site, I agree to the following terms and conditions: <br>XXX Company owns all rights to this work and intends to maintain it in confidence to preserve its trade secret status.  Those having access to this work may not copy or print it, except for use within their own dealerships, or disclose the information contained in it without the written authorization of XXXCompany.
                        </B></TD></TR></TABLE>
                  </div>
                  <div id="DEALER-WSLXloginHeaderText3">
                     <H3 ALIGN="center">Enter your userid and password to login</H3>
                     <!--< if(usingFEDS) {%>
                        <H3 ALIGN="center"><=ml.getMessage("DEALER-WSLXloginHeaderText3b")%></H3>
                     < } else { %>
                        <H3 ALIGN="center"><=ml.getMessage("DEALER-WSLXloginHeaderText3a")%></H3>
                     < } %>-->
                  </div>
               </td>
            </tr>
            <tr id="DEALER-WSLXBody">
               <td>
                  <FORM name="logonForm" method="post" onSubmit="return validateForm(this.form);">
                  <table align="center">
                    <tr>
                      <th id="DEALER-WSLXloginUserIdLabel" width="30%">USERID:</th>
                      <td>
                         <input id="DEALER-WSLXloginUserIdInput" name="userid" size="10" maxlength="8"
                            value="" onchange="checkUserId()">
                      </td>
                    </tr>
                    <tr>
                      <th id=DEALER-WSLXloginPasswordLabel width="30%">PASSWORD:</th>
                      <td><input id=DEALER-WSLXloginPasswordInput name="password" size="10" type="password"></td></tr>
                    <tr>
                      <td>
                      </td>
                      <td>
                        <div id="DEALER-WSLXloginWSLSubmitButton">
                           <input type="submit" value="Login" >
                       </div>
                      </td>
                    </tr>
                     <!--Extra hidden parameters-->                      
                        <input type="hidden" name="WslIP" value="XX.XXX.XXX.XXX">
                      
                        <input type="hidden" name="back64" value="aHR0cHM6Ly93d3cuaW5mb3JkLmRlYWxlcmNvbm5lY3Rpb24uY29tLw==">
                      
                  </table>
                  </FORM>
               </td>
            </tr>

            <tr id="DEALER-WSLXFooter">
               <td> <br>
                  <div id="DEALER-WSLXloginFooterText1">
                     <center><b>NOTE: PLEASE DO NOT SHARE YOUR USER ID OR PASSWORD WITH ANYONE</b></center>
                  </div>
                  <br>
                  <!--<div id="DEALER-WSLXloginFooterContact">
                     <a id="DEALER-WSLXloginFooterContactRef" href="DEALER-WSLXloginFooterContactRef">
                     IT Security &amp; Controls
                     </a>
                  </div>
                  <div id="DEALER-WSLXloginFooterCopyRight">
                     Copyright © 1996 - 2006<br>
                     XXXCompany.<br>
                     All Rights Reserved.
                  </div>   -->            
               </td>
            </tr>
         </table>
         </CENTER>
      </td>
   </tr>
</table>

</body>

</html>
Quote

Ultrano

Which basically means that you should've concentrated on making the Mouse movement, as I said :P
Please use a smaller graphic in your signature.

drizz

Quote from: Klod on June 14, 2007, 03:21:32 AM
However, it doesn't work with my server problem, which uses secure logon. I decided to post the source code for it here, but I changed the company name and the URL, to respect the company's privacy. I hope someone may help me decipher the meaning of its syntax :bg

i have found the site - mad skills :) - don't worry i will not reveal it
https://www.xxxxxx.xxxx.com/login.cgi?userid=x%2Dxxxxxxxx&password=00000000
try it out. (you can try with or without IP &WslIP=xxx.xxx.xxx.xxx)

and don't forget what i said about trying/using wininet!!!

How to simulate a Form POST request by using WinInet
http://msdn.microsoft.com/isapi/gosupport.asp?TARGET=/?kbid=165298
How To Make SSL Requests Using WinInet
http://support.microsoft.com/kb/168151
The truth cannot be learned ... it can only be recognized.

drhowarddrfine

Quote
I hope someone may help me decipher the meaning of its syntax

Which part of all that do you need help with?

thomas_remkus

This really goes against MASM but it works for me.

You can use VB6 and drop the IE browser control on a Form. The control will deliver messages to you to tell you it's complete and such. That's easy. So you just say "WebControl1.Navigate 'www.google.com'" and it goes there. When it's complete (because you get the event) you then can use the "WebControl1.Document.All..." and use standard DOM methods to control the entire interface. You can set text values, read values, and you can tell it to click on your Submit button.

I have no idea how to do this with MASM as all the COM and such are just so hard for me without Microsoft's extensions to help. This method does work and I use this as a normal method to run test scripts on web pages and for scraping content.

Sorry I did not have a MASM solution for you.

Klod

Thanks drizz for your help. However it still doesn't work. Thanks for the links. I looked up the information, but will have to spend more time learning about the topics.

To drhowarddrfine: the part I have difficulty with is this:
The way I understand the subject, correct me if I'm wrong, is basically to encode a string containing all the information needed to be passed to the server, much in the same way as the command line and its arguments under Windows/Dos.
The login page consists of 2 text boxes and a button. Textbox1 = userid, Textbox2 = password and the button will execute an action, in this case will fire the contents of the form to a different page for processing the login.
The example from drizz shows how the different elements for a login come from information contained in the page's source.
My login page is different, it uses a script to handle the login process and uses different syntax. Functions instead of actions??? The notation looks a bit like vb.
The parts I have trouble with are the %2D, ?, &, + etc. URL codes. I found a list in one of the pages referred to by drizz. But I can't figure out how to derive from the source which one to use where.
Also, there are hidden parameters involved and the handling of cookies. Reading through the script, I get the feeling that somehow there is a cookie involved in the logging process.

To Ultrano: "Which basically means that you should've concentrated on making the Mouse movement, as I said".
I have tried that but came to realize that I did not really know what I was doing. The login page loads and the cursor is placed in the userid field. I assumed, if I could get a handle to the foreground window, I could auto type or put a string at the cursor position. I will have to experiment with your approach some more. Pointers are needed though.

To thomas_remkus, I don't have VB6. However, I think there is an IE control in radasm. I will try this out.

Once more, to all of you who have contributed, many thanks.

drhowarddrfine

Yes.  It's javascript and submits the data with the onSubmit function which is built into a browser.  All the form data will be sent as part of the http header.  There will be Content-Type, Content-Length and the POSTDATA which will be sent as 'name=yourname&password=yourpassword' etc.