Using PHP and cURL to submit POST requests to a website

  • Context: PHP
  • Thread starter: Jamin2112
  • Tags: Curl, Php

Discussion Overview

The discussion revolves around using PHP and cURL to submit POST requests to a website, specifically for the purpose of generating comments on a blog. Participants explore the technical aspects of the script, potential issues with the implementation, and the behavior of the server in response to the requests.

Discussion Character

  • Technical explanation
  • Debate/contested

Main Points Raised

  • One participant shares a PHP script intended to spam comments on a friend's website, detailing the structure and functions used in the script.
  • Several participants request clarification on what "hasn't been working" means, emphasizing the need for more specific information about the issue encountered.
  • It is noted that while curl_exec($curl) returns true, the comments are not appearing on the website, raising questions about the validity of the data being sent.
  • One participant suggests that the cURL options may be incomplete, specifically mentioning the need to set CURLOPT_POST to true, based on an external example.
  • Another participant highlights the importance of checking the server's response to understand what "success" means in this context, suggesting that a successful cURL execution does not guarantee that the comment was posted.
  • A tool called Fiddler is recommended for monitoring HTTP requests to ensure that the data being sent is valid.

Areas of Agreement / Disagreement

Participants express differing views on the potential causes of the issue, with some focusing on the script's configuration and others on server-side processing. No consensus is reached regarding the exact problem or solution.

Contextual Notes

Participants mention the possibility of various issues affecting the outcome, including server-side validation and the need to analyze the response from the server to determine the success of the POST requests.

Jamin2112
Here's the setup:

I'm trying to write a PHP script to spam my buddy's website. He has given me full permission to try and do so. I have a very rudimentary understanding of HTTP protocols and am probably doing something wrong, because my attempt hasn't been working.

Here's my PHP script:

Code:
<!DOCTYPE html>
<html>
<head>
<title>attack script</title>
</head>
<body>
<?php
 
/*  ------------ Functions needed for attack  --------------------- */
 
function rand_str($len)
{
    $str = "";
    while ($len-- > 0)
    {
        $val = rand(0,1) ? rand(ord("A"),ord("Z")) : rand(ord("a"),ord("z"));
        $str .= chr($val); 
    }
    return $str;
}
 
/*  ----------------- Misc. preprocessing  -------------------- */
date_default_timezone_set('America/Los_Angeles');
 
 
/*  ----------------- Initialize new cURL session -------------------- */
 
$curl = curl_init();
$page_url = "http://feucht.us/blog";
$funct_url = "http://feucht.us/blog/wp-comments-post.php";
curl_setopt($curl, CURLOPT_URL, $funct_url);
 
 
/*  ---------------------- Begin attack  ----------------------------- */
 
echo("<h1>Comment spam run on <i>". $page_url . "</i> on " . date("d-m-Y h:i:s") . "</h1>");
echo("<h3><b>RESULTS:</b></h3>");
$num_coms = 10; /* # of comments to post */
$wait_period = 1; /* # of seconds to wait between posting each comment */
$name_length_bounds = array(5,20); /* min and max length of random name to be generated */
$alias_length_bounds = array(8,15); /* min and max length of random email prefix to be generated */
$email_length_bounds = array(3,10); /* min and max length of random email provider to be generated */
$comment_length_bounds = array(5, 40); /* min and max length of random comment to be generated */
while ($num_coms-- > 0)
{
  /* Pause between the posting of comments: */
  sleep($wait_period);
  
  /* Initialize random names, email addresses and comments: */ 
  $rname = rand_str(rand($name_length_bounds[0], $name_length_bounds[1]));  
  $remail = rand_str(rand($alias_length_bounds[0], $alias_length_bounds[1])) . "@" . rand_str(rand($email_length_bounds[0], $email_length_bounds[1])) . ".com";
  $rcomment = rand_str(rand($comment_length_bounds[0], $comment_length_bounds[1]));
  
  /* Create POST request string from random text and add to cURL object */
  $post_string = "author=" . $rname . "&email=" . $remail . "&comment=" . $rcomment;
  curl_setopt($curl, CURLOPT_POSTFIELDS, $post_string);
  /* Execute the request and print out whether it succeeded or failed. */
  echo(curl_exec($curl) ? "<hr><p><span style='color:green'>Successfully submitted</span>" : "<hr><p><span style='color:red'>Did not successfully submit</span>");
  echo(" POST request <b>" . $post_string . "</b></p><p>to</p><p><b>" . $funct_url . "</b></p>");
}
 
?>
</body>
</html>

Since that's probably unreadable, here's a link to a pretty version:

https://gist.github.com/anonymous/22457214c34564647eea

The code, as is, attempts to generate 10 random comments (Once I get this working, I'll change that number to 1,000,000,000,000 hahah) using random strings for the 3 fields that need to be filled out in a comment: author, email and comment. Those correspond to 3 names of input elements inside a form element with action wp-comments-post.php and method post.

So the crucial parts of the code are where I try to use a cURL object to issue post requests:

Code:
$curl = curl_init();

and

Code:
$funct_url = "http://feucht.us/blog/wp-comments-post.php";

and

Code:
curl_setopt($curl, CURLOPT_URL, $funct_url);

and

Code:
curl_setopt($curl, CURLOPT_POSTFIELDS, $post_string);

and

Code:
curl_exec($curl)

That sequence should do what I want, no? I was trying to follow this documentation: http://codular.com/curl-with-php

Any help greatly appreciated.
 
"my attempt hasn't been working" does not give us much info to analyse. Explain what happens and why you think it is not working.
 
voko said:
"my attempt hasn't been working" does not give us much info to analyse. Explain what happens and why you think it is not working.

curl_exec($curl) is returning true, but the comments are not being posted on his page. I know his comment posting function checks for valid email addresses, but I've tested and seen that anything of the form

string1 + "@" + string2 + ".com"

works, so I don't think it's a problem with that or with
 
voko said:
"my attempt hasn't been working" does not give us much info to analyse. Explain what happens and why you think it is not working.

curl_exec($curl) is returning true, but the comments are not being posted on his page. I know his comment posting function checks for valid email addresses, but I've tested and seen that anything of the form

string1 + "@" + string2 + ".com"

works, so I don't think the problem is that or anything related to an error in the type of text I'm submitting.
 
From the example at http://curl.haxx.se/libcurl/php/examples/simplepost.html , it seems that you need to have this: curl_setopt($ch, CURLOPT_POST, 1);

But in fact many things could go wrong, including processing on the other end. To be completely sure that your side is OK, you would need to dump the data sent on the connection and check that it looks like a valid HTTP POST request.
 
voko said:
From the example at http://curl.haxx.se/libcurl/php/examples/simplepost.html , it seems that you need to have this: curl_setopt($ch, CURLOPT_POST, 1);

True. I'll fix that.

But in fact many things could go wrong, including processing on the other end. To be completely sure that your side is OK, you would need to dump the data sent on the connection and check that it looks like a valid HTTP POST request.

I'll do that and report back.
 
You say curl_exec() returns true indicating success.

What does "success" mean?

Let's say curl successfully runs, successfully contacts the destination webserver, and successfully transmits your message. However, the server is responding with "200 OK" and "Busy, please try again later!" instead of adding the comment. What then does curl_exec() return? How does it know it "failed" or what you consider "failure"?

With web you have to be prepared to receive almost anything from the remote system, and you need to check its response carefully. I would start by looking at the response code the webserver sends you back.
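
The distinction drawn in the post above, as an added example that is not part of the original thread: a non-false result from curl_exec() only says an HTTP exchange completed, so the status line and body still have to be read. The function name, the success marker and the sample responses are constructed for illustration.

```php
<?php
// Added example, not from the thread. $raw is what curl_exec() returns when
// CURLOPT_RETURNTRANSFER and CURLOPT_HEADER are both set: false on transport
// failure, otherwise the header block(s) followed by the body.
// $successMarker is a hypothetical string the caller expects in the body
// only when the application really accepted the submission.
function classify_post_result($raw, string $successMarker): array
{
    if ($raw === false) {
        // No HTTP exchange completed; curl_error() on the handle gives the reason.
        return ['verdict' => 'transport-failure', 'status' => 0];
    }
    do {
        // Peel off one header block; loop past interim 1xx responses.
        $parts = preg_split("/\r?\n\r?\n/", $raw, 2);
        $raw   = $parts[1] ?? '';
        if (!preg_match('#^HTTP/\d(?:\.\d)?\s+(\d{3})#', $parts[0], $m)) {
            return ['verdict' => 'not-http', 'status' => 0];
        }
        $status = (int) $m[1];
    } while ($status < 200 && $raw !== '');

    if ($status >= 500) {
        $verdict = 'server-error';
    } elseif ($status >= 400) {
        $verdict = 'rejected';
    } elseif ($status >= 300) {
        $verdict = 'redirect';        // outcome depends on the Location target
    } elseif ($status >= 200 && strpos($raw, $successMarker) !== false) {
        $verdict = 'confirmed';
    } else {
        $verdict = 'unconfirmed';     // 2xx, but the body does not say it worked
    }
    return ['verdict' => $verdict, 'status' => $status];
}

// Constructed sample responses (no network access needed).
$cases = [
    'transport failure' => false,
    '200 busy page'     => "HTTP/1.1 200 OK\r\n\r\n<p>Busy, please try again later!</p>",
    '200 with marker'   => "HTTP/1.1 200 OK\r\n\r\n<p>Submission saved</p>",
    '100 then 403'      => "HTTP/1.1 100 Continue\r\n\r\nHTTP/1.1 403 Forbidden\r\n\r\nDenied",
];
foreach ($cases as $label => $raw) {
    $r = classify_post_result($raw, 'Submission saved');
    printf("%-18s => %s (HTTP %d)\n", $label, $r['verdict'], $r['status']);
}
```

Without CURLOPT_RETURNTRANSFER, curl_exec() writes the body straight to the output and returns true, and 4xx/5xx responses still count as true unless CURLOPT_FAILONERROR is set.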
 
