[How To] Do logins using the WinHttpRequest COM

Bruttosozialprodukt

22 Jul 2014, 08:09

I just realized that the WinHttpRequest object has built-in cookie handling. And since so many people had trouble doing logins using the WinHttpRequest COM and we always thought that this would be because of the cookies, I'm now giving you two working, very well explained login examples, as well as some tips on how to get started reverse engineering HTML / HTTP requests.

If you want to do complicated things like logins, then you should really learn some HTML and the basics about the HTTP protocol. Fiddler and SetProxy(2,"localhost:8888") will help you A LOT with the debugging. I also recommend using an add-on for your browser to quickly clean your cookies.

To reverse engineer the AHK forum login I simply analyzed the browser's HTTP requests to autohotkey.com and by some trial and error I was able to minimize it to the basics. We need exactly two requests and the login needs one request header and 3 POST data parameters.

So let's do this login to the AHK forums. (Note: the first example is about the forum on autohotkey.com)
Step 1. Do a simple GET request on http://www.autohotkey.com/board/index.php?app=core&module=global&section=login
Step 2. Extract the auth_key parameter from the login form in the response body (ResponseText)
Step 3. Create the POST data string containing the auth_key parameter as well as the username, password and rememberMe parameter for the login
Step 4. Set the Content-Type header for the next request
Step 5. Send the POST data string to http://www.autohotkey.com/board/index.php?app=core&module=global&section=login&do=process
Step 6. Analyze the response body, checking if the HTML document's title starts with the words "Sign In". If so, then you're obviously not signed in (the login failed/wrong login data). If the title is different, then the login was successful.

Code: (WinHttpRequest_Login_Example1.ahk)


This will probably work for most IPB forums if you change the URLs properly. For other sites this will probably look very different.

But okay, let's do another login to the new/other AHK forum (this will be much easier).
Step 1. Create the POST data containing username, password and the autologin parameter
Step 2. Set the Content-Type header
Step 3. Send the POST data to http://ahkscript.org/boards/ucp.php?mode=login
Step 4. Analyze the response body, checking if the HTML document's title starts with the word "Login". If so, then you're obviously not logged in yet (the login failed/wrong login data). If the title is different, then the login was successful.

Code: (WinHttpRequest_Login_Example2.ahk)


Any questions? I will try to answer them the next time I'm here. :)
You may also read the existing answers in this thread or the one on the other forum.
Last edited by Bruttosozialprodukt on 24 Jul 2014, 17:05, edited 4 times in total.
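The six steps of the first login in the post above, written out as an added example for AutoHotkey v1.1; it is not the post's WinHttpRequest_Login_Example1.ahk and not code from the forum. The function names (IpbLogin, ExtractAuthKey, UriEncode), the field names ips_username / ips_password and the hidden-input markup the regex expects are assumptions to confirm against the real form in Fiddler.

```autohotkey
; Added example for AutoHotkey v1.1; not WinHttpRequest_Login_Example1.ahk.
; Assumed: field names ips_username / ips_password and the hidden-input markup
; the regex expects. Confirm both against the real form in Fiddler.
IpbLogin(baseUrl, user, pass) {
    http := ComObjCreate("WinHttp.WinHttpRequest.5.1")
    ; http.SetProxy(2, "localhost:8888")  ; uncomment to route through Fiddler

    ; Steps 1-2: GET the form. The response sets the session cookie on this
    ; object; auth_key is only valid together with that cookie.
    http.Open("GET", baseUrl "&section=login")
    http.Send()
    if !(key := ExtractAuthKey(http.ResponseText))
        throw Exception("auth_key not found in the login form")

    ; Steps 3-5: reuse the same object so the cookie is sent back.
    body := "auth_key=" UriEncode(key) "&ips_username=" UriEncode(user)
          . "&ips_password=" UriEncode(pass) "&rememberMe=1"
    http.Open("POST", baseUrl "&section=login&do=process")
    http.SetRequestHeader("Content-Type", "application/x-www-form-urlencoded")
    http.Send(body)

    ; Step 6: a title starting with "Sign In" means the form came back.
    return http.Status = 200 && !RegExMatch(http.ResponseText, "i)<title>\s*Sign In")
}

ExtractAuthKey(html) {
    found := RegExMatch(html, "i)name=['""]auth_key['""]\s+value=['""]([^'""]+)", m)
    return found ? m1 : ""
}

; Percent-encode every byte outside the RFC 3986 unreserved set, as UTF-8.
UriEncode(str) {
    VarSetCapacity(buf, StrPut(str, "UTF-8"), 0)
    StrPut(str, &buf, "UTF-8")
    out := ""
    while (b := NumGet(buf, A_Index - 1, "UChar"))
        out .= RegExMatch(Chr(b), "^[A-Za-z0-9._~-]$") ? Chr(b) : Format("%{:02X}", b)
    return out
}

; Prompt instead of hardcoding credentials in the script file.
InputBox, user, Forum login, User name
InputBox, pass, Forum login, Password, HIDE
ok := IpbLogin("http://www.autohotkey.com/board/index.php?app=core&module=global", user, pass)
pass := ""
MsgBox % ok ? "Logged in" : "Login failed"
```

The URLs given in the post are plain http://, so the POST body, password included, crosses the network and any debugging proxy in clear text; use the https:// form of the login URL where the site offers one. Without UriEncode, a password containing & or = would be split into extra form fields and the login would fail for reasons unrelated to cookies.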
tank
Re: [How To] Do logins using the WinHttpRequest COM

22 Jul 2014, 08:37

you know that once the auto login is set you should never need to log on again?
I understand the point of this thread is to help people understand how to create HTTP requests with no browser.
Content-Length isn't necessary, it will be calculated automatically. For POST, Content-Type IS required tho. Good job

If I see signs of abuse from logon scripts I may be forced to make changes that break this example without notice.

Finally I would like to offer encouragement, but there are many pitfalls to logon scripts because some sites require live data retrieved by AJAX call as part of submitted data. There is difficulty at times understanding what is being submitted and where. A tool such as Fiddler can help but there is a learning curve not to be ignored.

now a challenge (hint: lexikos demonstrated this somewhere, can you find it?): use http://msdn.microsoft.com/en-us/library ... 32(v=vs.85).aspx
and demonstrate a binary file upload on a site like Dropbox, and add it to this tutorial
Bruttosozialprodukt

Re: [How To] Do logins using the WinHttpRequest COM

22 Jul 2014, 10:43

tank wrote: you know that once the auto login is set you should never need to log on again?
But since a session is terminated anyway when the script closes, this shouldn't be a problem, right?
The option could help if you put your computer into sleep or hibernate without closing the script, so the script would still run if you turn on the computer 2 days later.
tank wrote: Content-Length isn't necessary, it will be calculated automatically.
Good point, haven't thought about that!
tank wrote: If I see signs of abuse from logon scripts I may be forced to make changes that break this example without notice.
Sure, it's your forum. ;) In fact I think that you should definitely change the login/sign up so that standard phpBB spam bots can't log in anymore.
tank wrote: some sites require live data retrieved by AJAX call as part of submitted data. There is difficulty at times understanding what is being submitted and where. A tool such as Fiddler can help but there is a learning curve not to be ignored
For these kinds of logins it can help a lot to learn JavaScript. The ajax function of jQuery is pretty much based on XMLHttpRequest, which is extremely similar to (if not the same as) WinHttpRequest.
In rare cases (in some Flash games) the HTTP requests are actually sent through the SWF files without any JavaScript.
For these cases you could learn some ActionScript and decompile the SWF with one of the many decompilers available, or you have to reverse engineer it by looking at Fiddler's log.

tank wrote: now a challenge (hint: lexikos demonstrated this somewhere, can you find it?): use http://msdn.microsoft.com/en-us/library ... 32(v=vs.85).aspx
and demonstrate a binary file upload on a site like Dropbox, and add it to this tutorial
I have actually done that before. But it's not possible using WinHttpRequest since the functions are expecting null-terminated strings.
I had to build a new HTTPRequest function from scratch involving a ton of complicated DLL calls. But Lexikos helped me A LOT with this. But the function is still not finished... For example I definitely need to add an option to download/upload files in chunks so that there are no problems on low-RAM computers.

Code: (BrutosHttpRequest.ahk)


Well, I used the function to upload pictures to 250kb.de and normal files to zippyshare.com.
But this involved using Content-Disposition in the body and was pretty complicated stuff until I managed to automate it:

Code: (HtmlUpload.ahk)


Then I just had to reverse engineer the sites a little bit to find out what Content-Disposition parameters they were expecting and I ended up with this:

Code: (ZippyShare.ahk)

and

Code: (250kb.ahk)

Here are two examples on how to use these:

Code: (Example1.ahk)

; Upload a picture to 250kb.de and copy the resulting URL to the clipboard.
#Include BrutosHttpRequest.ahk
#Include HttpUpload.ahk
#Include 250kb.ahk

Files := ["C:\Users\Admin\Desktop\Example.jpg"] ; array of local files to upload
Clipboard := ImgUpl_250kb_de(Files)
TrayTip, ImageUploader, URL was copied to your clipboard!
Sleep, 3000 ; keep the script running long enough for the tray tip to show
Return

Code: (Example2.ahk)

; Upload a file to zippyshare.com and copy the resulting URL to the clipboard.
#Include BrutosHttpRequest.ahk
#Include HttpUpload.ahk
#Include ZippyShare.ahk

Files := ["C:\Users\Admin\Desktop\Example.jpg"] ; array of local files to upload
Clipboard := FileUpl_ZippyShare_com(Files)
TrayTip, FileUploader, URL was copied to your clipboard!
Sleep, 3000 ; keep the script running long enough for the tray tip to show
Return


edit: corrected some code mistakes. also edited the first post and removed the content-length headers
edit: corrected another code mistake
edit: and another one in the zippyshare example
Last edited by Bruttosozialprodukt on 29 Mar 2015, 13:55, edited 3 times in total.
joedf

Re: [How To] Do logins using the WinHttpRequest COM

22 Jul 2014, 11:42

Wow... Now that's quite something..
