As promised previously, I’m going to show you how to send HTTP POST request using php cURL extension.
The target form
Let’s say you have a html form like this :
And this is the source code of the html file :
You can see that the form will submit the query using HTTP POST to “target.php”. Now let’s say you want to write a php script (bot.php) that will automatically send the query bypassing the html form, this is one way to do it (with php libcurl extension)
< ?php
//bot.php
$url = "http://localhost/wtf/target.php";
$ch = curl_init();
// set the target url
curl_setopt($ch, CURLOPT_URL,$url);
// howmany parameter to post
curl_setopt($ch, CURLOPT_POST, 1);
// the parameter 'username' with its value 'johndoe'
curl_setopt($ch, CURLOPT_POSTFIELDS,"username=johndoe");
$result= curl_exec ($ch);
curl_close ($ch);
print $result;
?>
This script will send a HTTP POST request to “target.php” pretending to be a real person sending the “username” parameter as “john doe”.
However this is not entirely convincing since the server side will automatically know that you are using a http script to send the HTTP POST request by analyzing the browser “user-agent” string. The default script will send “(HTTPRetriever/1.0)” as its user-agent.
With a little add-on, you can spoof the user-agent string inside your script just like this :
< ?php
//
// test HTTP POST submitter, using libcurl
//
// the target url which contains scripts that accepts post request
$url = "http://localhost/wtf/target.php";
// we are spoofing Yahoo Seeker bot >:)
$useragent="YahooSeeker-Testing/v3.9 (compatible; Mozilla 4.0; MSIE 5.5; http://search.yahoo.com/)";
$ch = curl_init();
// set user agent
curl_setopt($ch, CURLOPT_USERAGENT, $useragent);
// set the target url
curl_setopt($ch, CURLOPT_URL,$url);
// howmany parameter to post
curl_setopt($ch, CURLOPT_POST, 1);
// the parameter 'username' with its value 'johndoe'
curl_setopt($ch, CURLOPT_POSTFIELDS,"username=johndoe");
// execute curl,fetch the result and close curl connection
$result= curl_exec ($ch);
curl_close ($ch);
// display result
print $result;
?>
so when your “bot.php” sends the request, the server logs will record that the query was sent by a “Yahoo Seeker bot” instead of a crudely coded php script.
You can spoof other browser as long as you know their user-agent string, refer to my previous post for a collection of browser user-agent strings.
No PHP cURL support?
In this case, you have a few options
- Use a server that support php cURL extension
- Compile/Install php cURL extension
- Use libcurlemu – php cURL extension written in pure php
Well that should cover the short crash course on how to use php cURL extension.
p/s : Although I won’t tell you how to write one directly, this is the basic of building spam bots and auto-submitter. So use your imagination (and the dark side of the force) to write the rest of the code. *evil*
You can download the source code of this tutorial here : http://mypapit.net/pub/libcurltest.zip
php,curl,webdev,libcurl,bots