
PHP implements simulated login to Zhengfang Academic Affairs System

Author: 小云云 (original), 2018-03-30 13:51:05, 4988 views

This article introduces how to log in to the Zhengfang Academic Affairs System using PHP's curl library. Since the system may be updated every year, this article targets the 2018 version and introduces some methods of simulating a login to Zhengfang. I hope it helps everyone.


1. Save the verification code and Cookie of the login interface

[Screenshot: request for the verification code seen when loading the login page]

In this request we can see, as its name suggests, the verification code of the page, which the Zhengfang server returns whenever the login interface is accessed. I referred to the blogs of other experts who said that the verification code can be intercepted without entering it, but I tested it several times and found that it does not work. I therefore feel that Zhengfang must have fixed this bug, so we should enter the verification code honestly.

Note also the Cookie parameter in this request. The cookie is returned every time the page is visited, but it only takes effect after a successful login, so we need to save it. Every operation we perform in the academic affairs system verifies this cookie, which makes it equivalent to identity authentication, so it is essential.

Below I use PHP to save the cookie and the verification code locally.

    session_start();
    $id = session_id();
    $_SESSION['id'] = $id;
    // Cookie path: the cookie is written to a file named after the session ID
    $cookie = dirname(__FILE__) . '/cookie/' . $_SESSION['id'] . '.txt';

    $verify_code_url = "http://jwgl.hbpu.edu.cn/CheckCode.aspx"; // verification code URL
    $curl = curl_init();
    curl_setopt($curl, CURLOPT_URL, $verify_code_url);
    curl_setopt($curl, CURLOPT_COOKIEJAR, $cookie);  // save the cookie
    curl_setopt($curl, CURLOPT_HEADER, 0);
    curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
    $img = curl_exec($curl);  // run the curl request
    curl_close($curl);
    $fp = fopen("verifyCode.jpg", "w");  // file name
    fwrite($fp, $img);  // write the image to the file
    fclose($fp);
    // Message: "Verification code fetched, now sleeping; enter it in code.txt and save within 15 seconds"
    echo "验证码取出完成,正在休眠,15秒内请把验证码填入code.txt并保存\n";
    sleep(15);  // pause for 15 seconds

Readers familiar with PHP should understand this code. We first create a session and save the cookie obtained each time in a folder; accessing the verification code URL returns both the cookie and the verification code image. The verification code is filled in by hand: we create a code.txt file, and once the verification code picture appears in the folder we type its text into code.txt. After fifteen seconds, the script sends the request to the Zhengfang server.

2. Find the server the request is sent to and the required parameters

[Screenshot: the login POST request and its headers]
You can see a POST request. One of its headers deserves attention: Referer. The purpose of this header is to prevent CSRF, which I will elaborate on at the end. Let's take a look at the POST parameters:
[Screenshot: the POST parameters of the login request]
You should be able to guess most of the parameters, and I won't go into the ones with empty content. The two that need mentioning are __VIEWSTATE and RadioButtonList1.
The first parameter is the state of the current page. This string verifies that we are coming from the login interface. It is in the source code of the login page, and we extract it with a regular expression.
The second parameter is the type of the radio button, and its content is GBK-encoded. My type is student.

    function login_post($url, $cookie, $post) {
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, $url);
        curl_setopt($ch, CURLOPT_HEADER, 0);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);  // do not print the response automatically; echo it to display
        curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);  // important: fetch the data after the redirect
        curl_setopt($ch, CURLOPT_COOKIEFILE, $cookie);
        curl_setopt($ch, CURLOPT_REFERER, 'http://jwgl.hbpu.edu.cn/');  // important: the 302 redirect needs a Referer; it can be found in the Request Headers
        curl_setopt($ch, CURLOPT_POSTFIELDS, $post);  // data submitted by POST
        $result = curl_exec($ch);
        curl_close($ch);
        return $result;
    }

    $xh = '';  // enter the student ID by hand here; once deployed, take it from $_POST
    $pw = '';  // enter the password by hand here; once deployed, take it from $_POST
    // Read the verification code typed into code.txt; trim() drops the newline an editor may append
    $code = trim(file_get_contents("code.txt"));
    $cookie = dirname(__FILE__) . '/cookie/' . $_SESSION['id'] . '.txt';  // path of the saved cookie
    $url = "http://jwgl.hbpu.edu.cn/default2.aspx";  // academic affairs login URL
    $con1 = login_post($url, $cookie, '');
    // Extract the __VIEWSTATE field and store it in the $view array
    preg_match_all('/<input type="hidden" name="__VIEWSTATE" value="([^<>]+)" \/>/', $con1, $view);
    $post = array(
        '__VIEWSTATE' => $view[1][0],
        'txtUserName' => $xh,
        'TextBox2' => $pw,
        'txtSecretCode' => $code,
        // GBK bytes of "学生" (student); decoded first because http_build_query() percent-encodes values itself
        'RadioButtonList1' => urldecode('%D1%A7%C9%FA'),
        'Button1' => '',
        'lbLanguage' => '',
        'hidPdrs' => '',
        'hidsc' => ''
    );
    $con2 = login_post($url, $cookie, http_build_query($post));  // join the array into a query string

At this point we can access our PHP file. If your content is as follows, congratulations, you have successfully logged in to Zhengfang.
[Screenshot: page returned after a successful login]

3. Implement the function of accessing the class schedule

As mentioned before, even if we log in successfully, we still cannot use the functions inside, because each section requires different parameters or a different request address. Here I will introduce the function of accessing scores.

Enter the score query section and look at the request address and parameters.
[Screenshot: request address of the score query]
The parameters are as follows:
[Screenshot: POST parameters of the score query]
Most of these parameters should be self-explanatory. The only one worth noting is gnmkdm: its content is a randomly generated string, and it is not a required parameter. The others have basically been covered already; __VIEWSTATE is obtained the same way as before. The code is given below.

    preg_match_all('/<span id="xhxm">([^<>]+)/', $con2, $xm);  // the regex result is stored in the $xm array
    $xm[1][0] = substr($xm[1][0], 0, -4);  // cut the string to get the name

    // Build the URL to access: whichever page we need, assemble its complete URL; here it is the score page
    // To fetch other data later, find its URL on the official site and see which parameters it needs
    // urlencode() percent-encodes the GBK bytes of the name so the URL is valid
    $url2 = "http://jwgl.hbpu.edu.cn/xscj_gc.aspx?xh=" . $xh . "&xm=" . urlencode($xm[1][0]);
    $viewstate = login_post($url2, $cookie, '');
    preg_match_all('/<input type="hidden" name="__VIEWSTATE" value="([^<>]+)" \/>/', $viewstate, $vs);
    $state = $vs[1][0];  // $state holds the __VIEWSTATE to POST in a moment

    // Every page requests different parameters; send whatever the page in question needs
    $post = array(
        '__EVENTTARGET' => '',
        '__EVENTARGUMENT' => '',
        '__VIEWSTATE' => $state,
        'hidLanguage' => '',
        'ddlXN' => '2016-2017',  // current academic year
        'ddlXQ' => '1',  // current semester
        'ddl_kcxz' => '',
        // GBK bytes of the "按学期查询" (query by semester) button label, adjust as the case requires;
        // decoded first because http_build_query() percent-encodes values itself
        'Button1' => urldecode('%B0%B4%D1%A7%C6%DA%B2%E9%D1%AF')
    );
    $content = login_post($url2, $cookie, http_build_query($post));
    echo $content;

Okay, the code is finished. If your page displays as follows, then you have succeeded.
[Screenshot: the returned score page]

4. Summary

In fact, logging in is the slightly troublesome part. Once logged in, the two necessary parameters are the Cookie and __VIEWSTATE; for the other parameters, look at each POST request yourself and assemble them according to the request format. The above code runs without reporting errors; please copy it and run it to see. We will see in a few years whether Zhengfang fixes the loopholes. The other blogs I read were written too long ago, so I wrote this article for 2018. If there is anything you still don't understand, you can send me a private message or leave a message in the comment area. Discussion is welcome.

5. About CSRF

CSRF stands for cross-site request forgery: someone else steals your identity to send requests to the server. The Referer request header mentioned earlier is there to defend against this attack. In other words, to log in to the Zhengfang Academic Affairs System successfully, the request must arrive by way of the login page, so the address before the jump must be http://jwgl.hbpu.edu.cn/. When testing, use the academic affairs system of your own university: this address is my university's system, where I can log in with my own student ID and password. Finally, here is a blog post about CSRF attacks, written by an expert, that describes CSRF in detail. (Click the link below)
CSRF Attack and Defense
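
The Referer check described above only constrains browsers, which set that header themselves; a script can send any Referer, as the curl code in this article does. The following added example (not part of the original article and not Zhengfang's code) shows the server-side checks a PHP form handler would combine: an exact Origin/Referer comparison plus a per-session token. The `ALLOWED_ORIGIN` constant, the `csrf_token` field name, the function names and the sample requests are assumptions constructed for illustration.

```php
<?php
// Added example: server-side CSRF checks for a form handler.
// ALLOWED_ORIGIN and the field name "csrf_token" are assumptions for illustration.
const ALLOWED_ORIGIN = 'http://jwgl.hbpu.edu.cn';

// Issue one random token per session; the page embeds it in each form as a hidden field.
function csrf_issue(array &$session): string {
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Header check: Origin if present, otherwise Referer, must be exactly the site's own origin.
function same_origin(array $server): bool {
    $source = $server['HTTP_ORIGIN'] ?? $server['HTTP_REFERER'] ?? '';
    $p = parse_url($source);
    if (!is_array($p) || !isset($p['scheme'], $p['host'])) {
        return false;  // missing or malformed header: reject
    }
    $origin = $p['scheme'] . '://' . $p['host'] . (isset($p['port']) ? ':' . $p['port'] : '');
    return hash_equals(ALLOWED_ORIGIN, strtolower($origin));
}

// Token check: the submitted token must equal the session's token (constant-time compare).
function csrf_valid(array $session, array $post): bool {
    $expected = $session['csrf_token'] ?? '';
    $given = $post['csrf_token'] ?? '';
    return is_string($given) && $expected !== '' && hash_equals($expected, $given);
}

// A state-changing POST is accepted only when both checks pass.
function accept_post(array $session, array $server, array $post): bool {
    return same_origin($server) && csrf_valid($session, $post);
}

// Constructed sample requests (no network access needed).
$session = [];
$token = csrf_issue($session);
$cases = [
    'form on the site itself'        => [['HTTP_REFERER' => 'http://jwgl.hbpu.edu.cn/default2.aspx'], ['csrf_token' => $token]],
    'cross-site page, no token'      => [['HTTP_ORIGIN' => 'http://other.example'], []],
    'right Referer but no token'     => [['HTTP_REFERER' => 'http://jwgl.hbpu.edu.cn/'], []],
    'look-alike host in the Referer' => [['HTTP_REFERER' => 'http://jwgl.hbpu.edu.cn.other.example/'], ['csrf_token' => $token]],
];
foreach ($cases as $name => [$server, $post]) {
    printf("%-32s %s\n", $name, accept_post($session, $server, $post) ? 'accepted' : 'rejected');
}
```

Only the first case is accepted: a matching Referer without the session token is rejected, and so is a host that merely starts with the expected name.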
