PHP Using PHP and cURL to submit POST requests to a website

  • Thread starter Thread starter Jamin2112
  • Start date Start date
  • Tags Tags
    Curl Php
AI Thread Summary
The discussion revolves around a PHP script designed to spam a friend's website with comments, with the user seeking assistance due to the script not functioning as intended. The script utilizes cURL to post random comments to a specified URL but fails to display the comments on the target site despite cURL indicating successful execution. Key points include the importance of ensuring that the POST request is correctly configured, including setting the CURLOPT_POST option to true. The user acknowledges that the server may have additional validation checks that could prevent the comments from being accepted, despite the script generating seemingly valid email addresses and comment strings. Suggestions include using tools like Fiddler to inspect the HTTP requests and responses to diagnose the issue further, emphasizing the need to analyze the server's response codes to understand why the comments are not being posted.
Jamin2112
Messages
973
Reaction score
12
Here's the setup:

I'm trying to write a PHP script to spam my buddy's website. He has given me full permission to try and do so. I have a very rudimentary understanding of HTTP protocols and am probably doing something wrong, because my attempt hasn't been working.

Here's my PHP script:

Code: 
<!DOCTYPE html>
<html>
<head>
<title>attack script</title>
</head>
<body>
<?php
 
/*  ------------ Functions needed for attack  --------------------- */
 
function rand_str($len)
{
    $str = "";
    while ($len-- > 0)
    {
        $val = rand(0,1) ? rand(ord("A"),ord("Z")) : rand(ord("a"),ord("z"));
        $str .= chr($val); 
    }
    return $str;
}
 
/*  ----------------- Misc. preprocessing  -------------------- */
date_default_timezone_set('America/Los_Angeles');
 
 
/*  ----------------- Initialize new cURL session -------------------- */
 
$curl = curl_init();
$page_url = "[PLAIN]http://feucht.us/blog";[/PLAIN] 
$funct_url = "[PLAIN]http://feucht.us/blog/wp-comments-post.php";[/PLAIN] 
curl_setopt($curl, CURLOPT_URL, $funct_url);
 
 
/*  ---------------------- Begin attack  ----------------------------- */
 
echo("<h1>Comment spam run on <i>". $page_url . "</i> on " . date("d-m-Y h:i:s") . "</h1>");
echo("<h3><b>RESULTS:</b></h3>");
$num_coms = 10; /* # of comments to post */
$wait_period = 1; /* # of seconds to wait between posting each comment */
$name_length_bounds = array(5,20); /* min and max length of random name to be generated */
$alias_length_bounds = array(8,15); /* min and max length of random email prefix to be generated */
$email_length_bounds = array(3,10); /* min and max length of random email provider to be generated */
$comment_length_bounds = array(5, 40); /* min and max length of random comment to be generated */
while ($num_coms-- > 0)
{
  /* Pause between the posting of comments: */
  sleep($wait_period);
  
  /* Initialize random names, email addresses and comments: */ 
  $rname = rand_str(rand($name_length_bounds[0], $name_length_bounds[1]));  
  $remail = rand_str(rand($alias_length_bounds[0], $alias_length_bounds[1])) . "@" . rand_str(rand($email_length_bounds[0], $email_length_bounds[1])) . ".com";
  $rcomment = rand_str(rand($comment_length_bounds[0], $comment_length_bounds[1]));
  
  /* Create POST request string from random text and add to cURL object */
  $post_string = "author=" . $rname . "&email=" . $remail . "&comment=" . $rcomment;
  curl_setopt($curl, CURLOPT_POSTFIELDS, $post_string);
  /* Execute the request and print out whether it succeeded or failed. */
  echo(curl_exec($curl) ? "<hr><p><span style='color:green'>Successfully submitted</span>" : "<hr><p><span style='color:red'>Did not successfully submit</span>");
  echo(" POST request <b>" . $post_string . "</b></p><p>to</p><p><b>" . $funct_url . "</b></p>");
}
 
?>
</body>
</html>

Since that's probably unreadable, here's a link to a pretty version:

https://gist.github.com/anonymous/22457214c34564647eea

The code, as is, attempts to generate 10 random comments (Once I get this working, I'll change that number to 1,000,000,000,000 hahah) using random strings for the 3 fields that need to be filled out in a comment, author, email and comment. Those correspond to 3 names of input elements inside a
Code: 
form
element with action wp-comments-post.php and method post.

So the crucial parts of the code are where I try to use a cURL object to issue post requests:

Code: 
$curl = curl_init();

and

Code: 
$funct_url = "[PLAIN]http://feucht.us/blog/wp-comments-post.php";[/PLAIN]

and

Code: 
curl_setopt($curl, CURLOPT_URL, $funct_url);

and

Code: 
curl_setopt($curl, CURLOPT_POSTFIELDS, $post_string);

and

Code: 
curl_exec($curl)

That sequence should do what I want, no? I was trying to following this documentation: http://codular.com/curl-with-php

Any help greatly appreciated.
 
Last edited by a moderator:
Technology news on Phys.org
"my attempt hasn't been working" does not give us much info to analyse. Explain what happens and why you think it is not working.
 
voko said:
"my attempt hasn't been working" does not give us much info to analyse. Explain what happens and why you think it is not working.

curl_exec($curl) is returning true, but the comments are not being posted on his page. I know his comment posting function checks for valid email addresses, but I've tested and seen that anything of the form

string1 + "@" + string2 + ".com"​

works, so I don't think it's a problem with that or with
 
voko said:
"my attempt hasn't been working" does not give us much info to analyse. Explain what happens and why you think it is not working.

curl_exec($curl) is returning true, but the comments are not being posted on his page. I know his comment posting function checks for valid email addresses, but I've tested and seen that anything of the form

string1 + "@" + string2 + ".com"​

works, so I don't think the problem is that or anything related to an error in the type of text I'm submitting.
 
From the example at http://curl.haxx.se/libcurl/php/examples/simplepost.html , it seems that you need to have this: curl_setopt($ch, CURLOPT_POST, 1);

But in fact many things could go wrong, including processing on the other end. To be completely sure that your side is OK, you would need to dump the data sent on the connection and check that it looks like a valid HTTP POST request.
 
Last edited by a moderator:
voko said:
From the example at http://curl.haxx.se/libcurl/php/examples/simplepost.html , it seems that you need to have this: curl_setopt($ch, CURLOPT_POST, 1);

True. I'll fix that.

But in fact many things could go wrong, including processing on the other end. To be completely sure that your side is OK, you would need to dump the data sent on the connection and check that it looks like a valid HTTP POST request.

I'll do that and report back.
 
Last edited by a moderator:
You say curl_exec() returns true indicating success.

What does "success" mean?

Let's say curl successfully runs, successfully contacts the destination webserver, and successfully transmits your message. However, the server is responding with "200 OK" and "Busy, please try again later!" instead of adding the comment. What then does curl_exec() return? How does it know it "failed" or what you consider "failure"?

With web you have to be prepared to receive almost anything from the remote system, and you need to check its response carefully. I would start by looking at the response code the webserver sends you back.
 

Similar threads

Fortran Identify explicit shape spec list in the FORTRAN code
Replies
1
Views
2K

Hot Threads

Recent Insights

Back
Top