php curl带有csrf-token验证模拟提交方法

通常为了安全会在表单里加入一个随机的token值来防止csrf攻击。 
要想模拟提交有token验证的网站其实也不难。

1.通过正则获取token 
2.带上获取到的token模拟提交

下面是一个成功的例子 
目录结构

│ form.php –需要模拟的表单 
│ getForm.php – 模拟提交程序 
│ post.php –表单验证程序 
│ 
└─cookie – cookie存放目录

getForm.php

<?php$cookie_file = './cookie/'.time().'.cookie';$str = getResponse('http://a.curl.com:81/form.php',[],$cookie_file);setcookie("PHPSESSID", "vc0heoa6lfsi3gger54pkns152");preg_match('/<input name="token" type="hidden" value="(.*)"/U', $str, $match);$post['token'] = $match[1];$post['name'] = '3333333';$post['password'] = '12121213';print_r(getResponse('http://a.curl.com:81/post.php', $post, $cookie_file));function getResponse($url, $data=[],  $cookie_file='', $timeout = 3)    {        if(empty($cookie_file))        {            $cookie_file = '.cookie';        }        $ch = curl_init();        curl_setopt($ch, CURLOPT_URL, $url);        curl_setopt($ch, CURLOPT_REFERER, "https://www.baidu.com");   //构造来路       curl_setopt($ch, CURLOPT_USERAGENT,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.59 Safari/537.36");        if(!empty($data))        {            curl_setopt($ch, CURLOPT_POST, true);            curl_setopt($ch, CURLOPT_POSTFIELDS, $data);        }        curl_setopt($ch,  CURLOPT_COOKIEJAR, $cookie_file);// 取cookie的参数是        curl_setopt ($ch, CURLOPT_COOKIEFILE, $cookie_file); //发送cookie        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);        curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, $timeout);        try        {             $handles = curl_exec($ch);              curl_close($ch);              return $handles;        }        catch (Exception $e)        {            echo 'Caught exception: ',  $e->getMessage(), "\n";        }        unlink($cookie_file);    }
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46

form.php

<?phpsession_start();$_SESSION['token'] = md5($_SERVER['REQUEST_TIME']);$_SESSION['time'] = date("Y-m-d H:i:s");session_write_close();//echo $_SESSION['auth'];?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"> <head>  <title> new document </title>  <meta name="generator" content="editplus" />  <meta name="author" content="" />  <meta name="keywords" content="" />  <meta name="description" content="" /> </head> <body><form action="post.php"  method="post">    <p><input name="name" type="text"></p>    <p><input name="password" type="password"></p>    <p><input name="token" type="hidden" value="<?php echo $_SESSION['token']?>"></p>    <p><input type="submit"></p></form> </body></html>
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25

post.php

<?phpsession_start();if(empty($_POST['token'])){    exit ("token is empty!");}if(empty($_SESSION['token'])){ exit ("session is empty");}if($_POST['token'] != $_SESSION['token']){    exit ("token ");} else{    unset($_SESSION['token']);}echo PHP_EOL;echo "pass";print_r($_REQUEST);echo PHP_EOL;print_r($_SERVER);