dreljie602951 2014-05-28 13:30
Views: 206
Accepted

CSRF verification failed when using cURL

I'm trying to get the content of markafoni.com with cURL.

<?php
class curl
{
    private $ch;

    function __construct()
    {
        $this->ch = curl_init();
        curl_setopt($this->ch,CURLOPT_CAINFO,dirname(__FILE__)."/cacert.pem");
        curl_setopt($this->ch,CURLOPT_USERAGENT,'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/32.0.1700.107 Chrome/32.0.1700.107 Safari/537.36');
        curl_setopt($this->ch,CURLOPT_SSL_VERIFYPEER, true);
        // 2 = check that the certificate's name matches the host; false (0) switches that
        // check off, so any certificate chained to the CA bundle would be accepted for this host.
        curl_setopt($this->ch,CURLOPT_SSL_VERIFYHOST, 2);
        //curl_setopt($this->ch,CURLOPT_AUTOREFERER, true);//
        //curl_setopt($this->ch,CURLOPT_REFERER, 'https://www.markafoni.com/');//
        //curl_setopt($this->ch,CURLOPT_FAILONERROR, false);//
        curl_setopt($this->ch,CURLOPT_FOLLOWLOCATION, 1);
        curl_setopt($this->ch,CURLOPT_RETURNTRANSFER,1);
        curl_setopt($this->ch,CURLOPT_VERBOSE,1);
        //curl_setopt($this->ch,CURLOPT_HEADER,1);
        //curl_setopt($this->ch,CURLOPT_HTTPHEADER,$header);
        // true: session cookies loaded from cookie.txt are ignored for this new handle
        curl_setopt($this->ch,CURLOPT_COOKIESESSION, true);
        // Cookies received on one request (e.g. csrftoken) stay in this handle and are sent
        // on later requests; cookie.txt itself is only written when the handle is closed.
        curl_setopt($this->ch,CURLOPT_COOKIEJAR, dirname(__FILE__)."/cookie.txt");
        curl_setopt($this->ch,CURLOPT_COOKIEFILE, dirname(__FILE__)."/cookie.txt");
    }

    function __destruct()
    {
        // Closing the handle flushes the in-memory cookies to CURLOPT_COOKIEJAR.
        curl_close($this->ch);
    }

    function run($url,$post=array())
    {
        curl_setopt($this->ch,CURLOPT_URL,$url);
        if(count($post)){
            curl_setopt($this->ch,CURLOPT_POST,true);
            // http_build_query URL-encodes keys and values; "k=v&" concatenation does not.
            curl_setopt($this->ch,CURLOPT_POSTFIELDS,http_build_query($post));
        }else{
            // Setting CURLOPT_POSTFIELDS (even to '') switches the handle to POST,
            // so reset it to a plain GET explicitly.
            curl_setopt($this->ch,CURLOPT_HTTPGET,true);
        }
        return curl_exec($this->ch);
    }
}

but I get this error:

Forbidden (403)

CSRF verification failed. Request aborted.

You are seeing this message because this HTTPS site requires a 'Referer header' to be sent by your Web browser, but none was sent. This header is required for security reasons, to ensure that your browser is not being hijacked by third parties.

If you have configured your browser to disable 'Referer' headers, please re-enable them, at least for this site, or for HTTPS connections, or for 'same-origin' requests

Any idea?

Edit:

And when I enable this line:

curl_setopt($this->ch,CURLOPT_REFERER,'https://www.markafoni.com/');

I get another error:

Forbidden (403)

CSRF verification failed. Request aborted.

1 answer

  • duanmorong9597 2014-05-29 12:07

    A browser will always make a GET request to a page (to show the form) before making the POST.

    Consider the following response headers from a GET request made from Chrome:

    HTTP/1.1 200 OK
    Server: nginx
    Date: Thu, 29 May 2014 11:57:01 GMT
    Content-Type: text/html; charset=utf-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: Accept-Encoding
    Vary: Cookie
    CACHE: True
    Set-Cookie: csrftoken=5F3ttzJcnWdLkL7sPDekggxgjDJTKAmz; expires=Thu, 28-May-2015 11:57:01 GMT; Max-Age=31449600; Path=/
    Set-Cookie: _auth=0; Domain=.markafoni.com; Path=/
    Set-Cookie: ladsrv=; Domain=.markafoni.com; expires=Thu, 01-Jan-1970 00:00:00 GMT; Path=/
    X-BackendID: caramel
    X-Forwarded-Proto: http
    Content-Encoding: gzip
    P3P: CP="CAO DSP COR LAW CURa ADMa DEVa PSAa PSDa OUR DELa BUS IND PHY ONL UNI PUR COM NAV INT STA",policyref="/w3c/p3p.xml"
    

    Notice the cookies set, specifically this one: csrftoken=....

    In order to make POST requests to this site, you will need to make a GET request first, save the cookies, then make the POST request with the same cookies.

    This answer was accepted by the asker.
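
The GET-then-POST sequence the answer describes, as an added example that is not part of the original question or answer and not markafoni.com's or Django's own code. Both sides are simulated in one file so it runs offline: FakeCsrfSite is a constructed stand-in for Django's CSRF middleware (same-origin Referer required over HTTPS, csrftoken cookie, and a csrfmiddlewaretoken form field that must match the cookie), CookieJarClient is a constructed stand-in for what CURLOPT_COOKIEJAR/COOKIEFILE do, and the credentials and the /login/ path are made up. The two rejections it produces are the two errors from the question: no Referer at all, then a Referer but no cookie because no GET was ever made.

```python
import hmac
import re
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Assumption: the origin of the site in the question, used here only as a string to
# compare Referer values against. Nothing in this file talks to the network.
SITE_ORIGIN = "https://www.markafoni.com"


class FakeCsrfSite:
    """Constructed stand-in for a site behind Django's CsrfViewMiddleware.

    It reproduces only the checks relevant to the question: a POST over HTTPS needs
    (1) a Referer from the same origin, (2) a csrftoken cookie, and (3) a
    csrfmiddlewaretoken form field that matches the cookie. A GET issues the cookie
    and a form carrying the token.
    """

    def _csrf_reason(self, headers, cookies, form):
        """Return None if the POST passes, otherwise the reason it is rejected."""
        referer = headers.get("Referer")
        if referer is None:
            return "Referer checking failed - no Referer"
        want = urlparse(SITE_ORIGIN)
        got = urlparse(referer)
        if (got.scheme, got.netloc) != (want.scheme, want.netloc):
            return "Referer checking failed - wrong origin"
        cookie_token = cookies.get("csrftoken")
        if cookie_token is None:
            return "CSRF cookie not set"
        form_token = form.get("csrfmiddlewaretoken", [""])[0]
        # constant-time comparison so the check leaks nothing about the token
        if not hmac.compare_digest(form_token.encode(), cookie_token.encode()):
            return "CSRF token missing or incorrect"
        return None

    def handle(self, method, path, headers, cookies, body=""):
        """Return (status, response headers, body); Set-Cookie is a list of strings."""
        if method == "GET":
            token = secrets.token_urlsafe(24)
            html = ('<form method="post" action="%s">'
                    '<input type="hidden" name="csrfmiddlewaretoken" value="%s">'
                    '<input name="email"><input name="password" type="password"></form>'
                    % (path, token))
            return 200, {"Set-Cookie": ["csrftoken=%s; Path=/" % token]}, html
        if method == "POST":
            reason = self._csrf_reason(headers, cookies, parse_qs(body))
            if reason is not None:
                return 403, {}, "CSRF verification failed. Request aborted. (%s)" % reason
            return 200, {}, "logged in as " + parse_qs(body).get("email", [""])[0]
        return 405, {}, "method not allowed"


class CookieJarClient:
    """Constructed client that behaves like CURLOPT_COOKIEJAR/COOKIEFILE: it stores
    every Set-Cookie it receives and sends the stored cookies on later requests."""

    def __init__(self, site):
        self.site = site
        self.cookies = {}

    def request(self, method, path, headers=None, body=""):
        status, resp_headers, resp_body = self.site.handle(
            method, path, dict(headers or {}), dict(self.cookies), body)
        for set_cookie in resp_headers.get("Set-Cookie", []):
            name, _, rest = set_cookie.partition("=")
            self.cookies[name.strip()] = rest.split(";", 1)[0]
        return status, resp_body


def post_without_get(client, path, fields, referer=None):
    """What the question's script does: POST straight away, with no prior GET."""
    headers = {"Referer": referer} if referer else {}
    return client.request("POST", path, headers=headers, body=urlencode(fields))


def post_like_a_browser(client, path, fields):
    """The sequence from the answer: GET the form, keep the csrftoken cookie, copy the
    hidden token into the POST body, and send a same-origin Referer."""
    _, html = client.request("GET", path)
    match = re.search(r'name="csrfmiddlewaretoken" value="([^"]+)"', html)
    fields = dict(fields)
    if match:
        fields["csrfmiddlewaretoken"] = match.group(1)
    headers = {"Referer": SITE_ORIGIN + path,
               "Content-Type": "application/x-www-form-urlencoded"}
    return client.request("POST", path, headers=headers, body=urlencode(fields))


if __name__ == "__main__":
    site = FakeCsrfSite()
    creds = {"email": "user@example.com", "password": "hunter2"}  # constructed
    print(post_without_get(CookieJarClient(site), "/login/", creds))
    print(post_without_get(CookieJarClient(site), "/login/", creds, referer=SITE_ORIGIN + "/"))
    print(post_like_a_browser(CookieJarClient(site), "/login/", creds))
```

Mapped back to the PHP class in the question, this means two run() calls on the same handle (a GET of the form page, then the POST), CURLOPT_REFERER set to a URL on the same HTTPS origin, and the value of the hidden csrfmiddlewaretoken input from the first response included in the POST fields; Django also accepts the token in an X-CSRFToken request header instead of the form field. The cookie alone is not enough: the middleware compares the cookie with the submitted token, which is exactly the check that still fails after only adding the Referer.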
