logon to a website using fphttpclient

[Thaddy]

If you are on windows I can attach the necessary dll's for openssl if you want. Let me know.
Try either 3 or 1.1.1s binaries. We should get it to work for you too.
Btw: on linux you may need a different spoof. This spoof is for windows.
On Linux, the proper version is likely installed already since it comes with the security patches.

I just tested with fpc 3.2.2 and that does NOT work. You need fpc 3.3.1 (or maybe 3.2.3 = fixes or 3.2.4 RC1). That is due to changes in protocol support. Because it is a security issue, I guess it may have been back-ported to 3.2.4 but I am not sure.

[Nitorami]

Yes I am on windoze.
I found SSL3.0.14 binaries here https://github.com/IndySockets/OpenSSL-Binaries but they seem to have renamed the dlls.

Previously it was ssleay.dll and libeay.dll, now I find libcrypto-3-x64.dll and libssl-3-x64.dll. Are these the ones I should use ? And how would fphttpclient find them under this name ? Or have the names been amended in newer versions of fpc / fphttpclient as well ? (I am still at fpc 3.2.2)

[Thaddy]

Yes, you can use those and the names are correct too, but read on:
https://slproweb.com/products/Win32OpenSSL.html
is more current.
Btw: I tested 3.2.2 for you and that does NOT work out of the box. (because there is no openssl3 support)
I checked the sources from 3.2.3 and these are fine.
It works with 3.2.3 (fixes ) and 3.2.4 (RC1) because it is indeed back-ported from trunk so it will be in the next 3.2.4 release.

The release candidate is really stable, so install that if you do not want to use trunk.

That is really all I can do for you atm.

[Nitorami]

Thanks Thaddy.

I downloaded 3.3.1 win32 from the ftp site but I guess that was wrong, I will need the 64bit version to work with OpenSSL, correct ?

[rvk]

I downloaded 3.3.1 win32 from the ftp site but I guess that was wrong, I will need the 64bit version to work with OpenSSL, correct ?

Depends on the bitness of your compile under Windows. I assume 64 bit for Lazarus.

[Thaddy]

No, in that case you just need the 32 bit binaries for openssl. But I would recommend downloading a 64 bit version of fpc.
Try the second in this list:
https://downloads.freepascal.org/fpc/beta/3.2.4-rc1/x86_64-win64/

I can't try that because I always compile from source. (except the cross compilers, sometimes)

[Nitorami]

Alright, I'll try that one.

Just attempted to install Lazarus stable with FPC3.2.4 via FPCUpDeluxe but got a fatal error:

Code: Pascal  [Select][+][-]

1. fpcupdeluxe: ERROR: FPC Native Installer (CheckModule: FPC): Repo tag and desired tag do not match.
2. fpcupdeluxe: ERROR: FPC Native Installer (CheckModule: FPC): The desired release_3_2_4 is different from local repository-tag.
3.  
4.  
5. ERROR: Fpcupdeluxe fatal error !
6. Sequencer (FPC): Failure running fpcupdeluxe: error executing sequence FPC
7. Sequencer (Defaultwin32): Failure running fpcupdeluxe: error executing sequence Defaultwin32

[rvk]

You can also just use OpenSSL 1.1.1w
That will work with older FPC.

Direct link https://wiki.overbyte.eu/arch/openssl-1.1.1w-win64.zip

From https://wiki.overbyte.eu/wiki/index.php/ICS_Download

[Thaddy]

I can't test that, but that version looks OK and the names are also correct.[edit] and works.
Still I'd recommend openssl 3

[Nitorami]

I installed FPC 3.2.4 from Thaddys link and now it works with my existing OpenSSL installation. Yeah !

Now the next challenge will be to logon somehow.

[Thaddy]

 

[Nitorami]

Yeah, thanks a lot so far. Without assistance, I would have given up already.

[Thaddy]

I would ptobably also given up, but I have the time to keep persevering.

[rvk]

If you want to go further and login then you need to look at my old post from a long time ago.
vBulletin forums use auth/login ajax login.

I saw that it is vBulletin 6.1.3 but the 5.6.4 I tested this on a few years ago also used /auth/ajax-login (and the 6.1.3 uses it too if I look at the debugging in Brave).

https://forum.lazarus.freepascal.org/index.php/topic,51730.msg380623.html#msg380623

Here are the login for both versions. I could only test the last one on v4.2.2. v3.8.7 is really really old (begin 2011) so you might want to warn the administrator about that. There are several exploits for that version and I hope it's completely patched.

For the latest version v5.6.4 (change the highlighted lines):

Code: Pascal  [Select][+][-]

1. uses httpsend, synautil, ssl_openssl;
2.  
3. procedure TForm1.Button1Click(Sender: TObject);
4. var
5.   HTTPSend: THTTPSend;
6.   Cookies: string;
7.   ForumUrl, Username, Password: string;
8.   TextFromDocument: string;
9. begin
10.   Memo1.Lines.Clear;
11.  
12.   ForumUrl := 'https://forum.vbulletin.com'; // <-- CHANGE THIS
13.   Username := 'username'; // <-- CHANGE THIS
14.   Password := 'password'; // <-- CHANGE THIS
15.  
16.   HTTPSend := THTTPSend.Create;
17.   try
18.  
19.     HTTPSend.Useragent := 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)';
20.     HTTPSend.MimeType := 'application/x-www-form-urlencoded; charset=UTF-8';
21.     WriteStrToStream(HTTPSend.Document,
22.       ansistring('username=' + Username + '&password=' + Password +
23.       '&privacyconsent=1&securitytoken=guest'));
24.     HTTPSend.HTTPMethod('POST', ForumUrl + '/auth/ajax-login');
25.     TextFromDocument := ReadStrFromStream(HTTPSend.Document, HTTPSend.Document.Size);
26.     if HTTPSend.ResultCode <> 200 then
27.     begin
28.       Memo1.Lines.Add('---------------');
29.       Memo1.Lines.Add('Loginresult = ' + HTTPSend.ResultCode.ToString + ' ' + HTTPSend.ResultString);
30.       Memo1.Lines.Add('---------------');
31.       exit;
32.     end;
33.  
34.     Cookies := HTTPSend.Cookies.Text; // you can save this for later. It will expire after a while though.
35.     HTTPSend.Clear;
36.     HTTPSend.Cookies.Text := Cookies;
37.  
38.     HTTPSend.HTTPMethod('POST', 'https://forum.vbulletin.com/settings/profile'); // <-- CHANGE THIS
39.     TextFromDocument := ReadStrFromStream(HTTPSend.Document, HTTPSend.Document.Size);
40.     Memo1.Lines.Add('---------------');
41.     Memo1.Lines.Add('Result = ' + HTTPSend.ResultCode.ToString + ' ' + HTTPSend.ResultString);
42.     Memo1.Lines.Add('---------------');
43.     Memo1.Lines.Add(HTTPSend.Headers.Text);
44.     Memo1.Lines.Add('---------------');
45.     Memo1.Lines.Add(TextFromDocument);
46.     Memo1.Lines.Add('---------------');
47.  
48.   finally
49.     HTTPSend.Free;
50.   end;
51. end;

And for v4.2.2 (which is almost identical except for the parameters and url):
(it seems to have vb_login_md5password etc, but apparently they can be empty)

Code: Pascal  [Select][+][-]

1. uses httpsend, synautil, ssl_openssl;
2.  
3. procedure TForm1.Button2Click(Sender: TObject);
4. var
5.   HTTPSend: THTTPSend;
6.   Cookies: string;
7.   ForumUrl, Username, Password: string;
8.   TextFromDocument: string;
9. begin
10.   Memo1.Lines.Clear;
11.  
12.   ForumUrl := 'url_of_main_forum_page/forum.php'; // <-- CHANGE THIS
13.   Username := 'username'; // <-- CHANGE THIS
14.   Password := 'password'; // <-- CHANGE THIS
15.  
16.   HTTPSend := THTTPSend.Create;
17.   try
18.  
19.     HTTPSend.Useragent := 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)';
20.     HTTPSend.MimeType := 'application/x-www-form-urlencoded; charset=UTF-8';
21.     WriteStrToStream(HTTPSend.Document,
22.       ansistring('vb_login_username=' + Username + '&vb_login_password=' + Password +
23.       'securitytoken=guest&do=login&vb_login_md5password=&vb_login_md5password_utf=&cookieuser=1s='));
24.     HTTPSend.HTTPMethod('POST', ForumUrl + '?do=login');
25.     TextFromDocument := ReadStrFromStream(HTTPSend.Document, HTTPSend.Document.Size);
26.     if HTTPSend.ResultCode <> 200 then
27.     begin
28.       Memo1.Lines.Add('---------------');
29.       Memo1.Lines.Add('Loginresult = ' + HTTPSend.ResultCode.ToString + ' ' + HTTPSend.ResultString);
30.       Memo1.Lines.Add('---------------');
31.       exit;
32.     end;
33.  
34.     Cookies := HTTPSend.Cookies.Text; // you can save this for later. It will expire after a while though.
35.     HTTPSend.Clear;
36.     HTTPSend.Cookies.Text := Cookies;
37.  
38.     HTTPSend.HTTPMethod('GET', 'url_of_control_panel_for_testing.php'); // <-- CHANGE THIS
39.     TextFromDocument := ReadStrFromStream(HTTPSend.Document, HTTPSend.Document.Size);
40.     Memo1.Lines.Add('---------------');
41.     Memo1.Lines.Add('Result = ' + HTTPSend.ResultCode.ToString + ' ' + HTTPSend.ResultString);
42.     Memo1.Lines.Add('---------------');
43.     Memo1.Lines.Add(HTTPSend.Headers.Text);
44.     Memo1.Lines.Add('---------------');
45.     Memo1.Lines.Add(TextFromDocument);
46.     Memo1.Lines.Add('---------------');
47.  
48.   finally
49.     HTTPSend.Free;
50.   end;
51.  
52. end;

[rvk]

I saw my previous answer used Synapse for HTTPClient.

Here... I rewrote the example using fphttpclient.
Change the username and password and it should login correctly.
After the login, it retrieves a profile page. If it contains the text "Cannot access profile settings as a guest user." there was a problem.
Otherwise the login was succesfull.

You can use the same instance of Client (which now contains the correct session-cookies) to scrape the private thread.
I tested it with a dummy spam account I made there, so it does work.

Code: Pascal  [Select][+][-]

1. {$mode delphi}{$ifdef windows}{$apptype console}{$endif}{$H+}
2. uses
3.   Sysutils,
4.   classes,
5.   fphttpclient,
6.   opensslsockets;
7. var
8.   ForumUrl, FormData, Username, Password: string;
9.   Client: TFPHttpClient;
10.   Response : string;
11.   Cookies: string;
12. begin
13.  
14.   ForumUrl := 'https://forums.winamp.com'; // <-- CHANGE THIS
15.   Username := 'username'; // <-- CHANGE THIS
16.   Password := 'password'; // <-- CHANGE THIS
17.  
18.   FormData := 'username=' + Username + '&password=' + Password + '&privacyconsent=1&securitytoken=guest';
19.  
20.   Client := TFPHttpClient.Create(nil);
21.   try
22.     writeln(client.httpversion);
23.     Client.AddHeader('User-Agent', 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)');
24.     Client.AllowRedirect := true;
25.     try
26.       Response := Client.FormPost(ForumUrl + '/auth/ajax-login', FormData);
27.       // writeln(Response);
28.  
29.       Cookies := Client.Cookies.Text; // you can save this for later. It will expire after a while though.
30.       writeln('Login success ' + Client.ResponseStatusCode.ToString + ' ' + Client.ResponseStatusText);
31.  
32.       Response := Client.Get(ForumUrl + '/settings/profile');
33.  
34.       if Pos('Cannot access profile', Response) > 0 then
35.          writeln('Get PROBLEM "Cannot access profile" ' + Client.ResponseStatusCode.ToString + ' ' + Client.ResponseStatusText)
36.       else
37.       begin
38.         writeln('Get success ' + Client.ResponseStatusCode.ToString + ' ' + Client.ResponseStatusText);
39.         writeln(Response);
40.       end;
41.  
42.       //
43.       // here you can write your loop to retrieve the private thread
44.       //
45.  
46.     except
47.       on E:Exception do
48.       begin
49.         writeln(e.message);
50.       end;
51.     end;
52.   finally
53.     Client.Free;
54.     readln;
55.   end;
56. end.