Facebook bot

[mfasoccer]

Hey guys I'm writing a facebook bot program. Currently I am stuck at
the login screen. My approach was to take a password and convert it to
md5 along with the challenge parameter that you will notice if you go
to facebook's website. To give a better idea of this I'll show you
their login form:

<form method="post" name="loginform" action="https://
login.facebook.com/login.php" onsubmit="quicklogin();"><input
type="hidden" name="challenge"
value="77950fc560a9109fe0b61bb70753cec5">
<input type="hidden" name="md5pass">
<label for="email">Email:</label>
<input type="hidden" name="noerror" value="1" />
<input class="inputtext" type="text" name="email"
value="(e-mail address removed)" id="email" size="20" />
<label for="pass">Password:</label>
<input class="inputtext" type="password" name="pass" id="pass"
size="20" />
<input type="submit" value="Login" name="doquicklogin"
id="doquicklogin" onclick="this.disabled=true; this.form.submit();"
class="inputsubmit"/></form>

And what I did was write a program to send the following:
challenge=3b409cf0906ebb3007e8dd1cac3343ae&md5pass=7ca980aefc6964c5a125e0c637194ca3&noerror=1&email=mbinder09%40choate.edu&pass=&doquicklogin=Login
And I am sending this data to: "https://login.facebook.com/login.php"
just like the action of the form suggests. Unfortunately this approach
does not work properly. I even cleared the password field if you note
I sent '&password=' which is required by the facebook JavaScript
method:
function hash(form, login_url) {
document.cookie = "test_cookie=1;domain=.facebook.com";
if (valid_js()) {
var challenge = form.challenge.value;
var hash2 = MD5(form.pass.value) + challenge;
var hash;
if (form.pass.value) {
hash = MD5(hash2);
} else {
hash = "";
}
form.md5pass.value = hash;
form.pass.value = "";
}
return true;
}

note: valid_js() just checks to make sure that the agent is proper
which mine is. Im worried about the document.cookie thing..could that
be it?

Any help is welcome! I am very new to web applications so don't assume
that your points will be repetitive given my lack of knowledge. Thanks!

 

[Andrew Thompson]

Hey guys I'm writing a facebook bot program.

What a coincidence, there's somebody over
on c.l.j.help trying to do the same thing!
Oh.. that's you. Please refrain from
multi-posting.
<http://www.physci.org/codes/javafaq.html#xpost>

As an aside, <http://www.facebook.com/terms.php>
under "Proprietary Rights in Site Content;
Limited License" states "..Such license is subject
to these Terms of Use and does not include use of
any data mining, robots or similar data gathering
or extraction methods. .."

(X-post to c.l.j.p./h., w/ f-u to c.l.j.p. only)

Andrew T.

 

[mfasoccer]

What a coincidence, there's somebody over
on c.l.j.help trying to do the same thing!
Oh.. that's you. Please refrain from
multi-posting.
<http://www.physci.org/codes/javafaq.html#xpost>

As an aside, <http://www.facebook.com/terms.php>
under "Proprietary Rights in Site Content;
Limited License" states "..Such license is subject
to these Terms of Use and does not include use of
any data mining, robots or similar data gathering
or extraction methods. .."

(X-post to c.l.j.p./h., w/ f-u to c.l.j.p. only)

Andrew T.

Right, I believe you contradict yourself, given that you double-posted
this message! Okay, I'm sorry I broke the rules, will not happen
again!

Anyhow, I'm still wondering what I'm doing wrong here. Anyone know?

 

[Andrew Thompson]

...
Right, I believe you contradict yourself, given that you double-posted
this message! ...

It is known as a cross-post, or x-post, as was explained
in the link* and noted in the final (very abbreviated) line
of the post.

* Please read the information at the other end of the link.

--
Andrew Thompson
http://www.athompson.info/andrew/

Message posted via JavaKB.com
http://www.javakb.com/Uwe/Forums.aspx/java-general/200705/1

 

[mfasoccer]

It is known as a cross-post, or x-post, as was explained
in the link* and noted in the final (very abbreviated) line
of the post.

* Please read the information at the other end of the link.

Much thanks, and again I am sorry I double posted.

 

[Lew]

Much thanks, and again I am sorry I double posted.

"Double posted" is not the issue. "Multiposted" is the issue. You could've
"crossposted" to reach multiple groups and that would allow everyone to follow
all the answers instead of just some of them.

The term "double posted" is not used.

 

[mfasoccer]

Hey guys I'm writing a facebook bot program. Currently I am stuck at
the login screen. My approach was to take a password and convert it to
md5 along with the challenge parameter that you will notice if you go
to facebook's website. To give a better idea of this I'll show you
their login form:

<form method="post" name="loginform" action="https://
login.facebook.com/login.php" onsubmit="quicklogin();"><input
type="hidden" name="challenge"
value="77950fc560a9109fe0b61bb70753cec5">
<input type="hidden" name="md5pass">
<label for="email">Email:</label>
<input type="hidden" name="noerror" value="1" />
<input class="inputtext" type="text" name="email"
value="(e-mail address removed)" id="email" size="20" />
<label for="pass">Password:</label>
<input class="inputtext" type="password" name="pass" id="pass"
size="20" />
<input type="submit" value="Login" name="doquicklogin"
id="doquicklogin" onclick="this.disabled=true; this.form.submit();"
class="inputsubmit"/></form>

And what I did was write a program to send the following:
challenge=3b409cf0906ebb3007e8dd1cac3343ae&md5pass=7ca980aefc6964c5a125e0c637194ca3&noerror=1&email=mbinder09%40choate.edu&pass=&doquicklogin=Login
And I am sending this data to: "https://login.facebook.com/login.php"
just like the action of the form suggests. Unfortunately this approach
does not work properly. I even cleared the password field if you note
I sent '&password=' which is required by the facebook JavaScript
method:
function hash(form, login_url) {
document.cookie = "test_cookie=1;domain=.facebook.com";
if (valid_js()) {
var challenge = form.challenge.value;
var hash2 = MD5(form.pass.value) + challenge;
var hash;
if (form.pass.value) {
hash = MD5(hash2);
} else {
hash = "";
}
form.md5pass.value = hash;
form.pass.value = "";
}
return true;
}

note: valid_js() just checks to make sure that the agent is proper
which mine is. Im worried about the document.cookie thing..could that
be it?

Any help is welcome! I am very new to web applications so don't assume
that your points will be repetitive given my lack of knowledge. Thanks!

I think this is related to cookies. When I tell my bot to 'try and
deal with cookies' it will just freeze once it submits the form. If i
dont tell it to deal with cookies, facebook rejects my post
immediatly. Anyone know why this is?

 

[Twisted]

I think this is related to cookies. When I tell my bot to 'try and
deal with cookies' it will just freeze once it submits the form. If i
dont tell it to deal with cookies, facebook rejects my post
immediatly. Anyone know why this is?

Maybe because you're an evil spammer?

It's one thing to use automation (within reason -- no excessive
bandwidth use) to make use of a site more convenient, or for search or
similar purposes (where existing search is inadequate, say).

Automated submissions of comment postings and the like is another
matter, and generally means you're spamming. Likewise automated
account registrations and the like.

(There are exceptions. Wikipedia lets users run bots with tight
restrictions, to detect and revert obvious vandalism for instance, or
to snap redirects, for example; this involves bots that automate
editing or submitting content and not just browsing.)

 

[Oliver Wong]

(e-mail address removed) wrote: [something about a web bot]

I think this is related to cookies. When I tell my bot to 'try and
deal with cookies' it will just freeze once it submits the form. If i
dont tell it to deal with cookies, facebook rejects my post
immediatly. Anyone know why this is?

I suspect it'd be easier to answer if you posted an SSCCE. 'try and
deal with cookies' doesn't compile with my Java compiler.

- Oliver

 

[mfasoccer]

(e-mail address removed) wrote:

[something about a web bot]

I think this is related to cookies. When I tell my bot to 'try and
deal with cookies' it will just freeze once it submits the form. If i
dont tell it to deal with cookies, facebook rejects my post
immediatly. Anyone know why this is?

I suspect it'd be easier to answer if you posted an SSCCE. 'try and
deal with cookies' doesn't compile with my Java compiler.

- Oliver

public void run()
{

try{
//part one
URL url = new URL("http://www.facebook.com/login.php");
HttpURLConnection conn = (HttpURLConnection)url.openConnection();
int c;
conn.setDoInput(true);
conn.setRequestMethod("GET");
conn.setDoOutput(true);
conn.setRequestProperty("User-Agent", "Mozilla/4.0 (compatible; MSIE
7.0b; Windows NT 6.0)");
conn.connect();
System.out.println(conn.getContent());
System.out.println(conn.getResponseMessage());
System.out.println(conn.getHeaderField(0));
InputStream is= conn.getInputStream();
String output = "";
int i = 1;
do
{
i++;
char x;
c = is.read();
x = (char)c;
if (c!=1)
output+= x;
} while (c!=1 && i < 5000);
System.out.println(output);
data = output;

System.out.println(getChallenge());
conn.disconnect();

//part two
url = new URL("http://facebook.com/login.php");
conn = (HttpURLConnection)url.openConnection();
conn.setRequestMethod("POST");
conn.setRequestProperty("Cookie", "test_cookie=1");
conn.setRequestProperty("Connection-Type", "application/x-www-form-
urlencoded");
conn.setRequestProperty("Refferer", "http://facebook.com/
login.php");

@SuppressWarnings("unused")
String email = URLEncoder.encode("email@host");
String hashedpw = getMD5Hash("mypass");
String challenge = getChallenge();
String md5pw = getMD5Hash(hashedpw + challenge);
String nextt = URLEncoder.encode("http://facebook.com/home.php");
System.out.println("aok");
String post = "challenge=" + challenge + "&noerror=1&next=" + nextt
+ "&login=Login&email=" + email + "&pass=&md5pass=" + md5pw;

PrintWriter pout = new
PrintWriter(new
OutputStreamWriter(conn.getOutputStream(),"8859_1"),true);
pout.print(post);
System.out.println("whattt");
pout.flush();
System.out.println(conn.getResponseMessage());
InputStream its = conn.getInputStream();
i = 0;
do
{
i++;
char x;
c = its.read();
x = (char)c;
if (c!=-1)System.out.print(x);
} while (c!=-1 && i < 5000);



} catch(Exception e){}

}

 

[Oliver Wong]

[...]

do
{
i++;
char x;
c = is.read();
x = (char)c;
if (c!=1)
output+= x;
} while (c!=1 && i < 5000);

[...]

Perhaps you mean to compare against -1 instead of 1?

[...]

String hashedpw = getMD5Hash("mypass");
String challenge = getChallenge();
String md5pw = getMD5Hash(hashedpw + challenge);

Since you didn't provide the getChallenge or getMD5Hash method, it's
difficult to help you. I asked you for an SSCCE, not a code snippet.

String nextt = URLEncoder.encode("http://facebook.com/home.php");
System.out.println("aok");
String post = "challenge=" + challenge + "&noerror=1&next=" + nextt
+ "&login=Login&email=" + email + "&pass=&md5pass=" + md5pw;

PrintWriter pout = new
PrintWriter(new
OutputStreamWriter(conn.getOutputStream(),"8859_1"),true);

You cannot write to a URLConnection if doOutput=false - call
setDoOutput(true)

[...]

} catch(Exception e){}

When debugging a problem, don't silently swallow exceptions.

- Oliver

 

[Lew]

When debugging a problem, don't silently swallow exceptions.

When running in production, don't silently swallow exceptions either.

Log them using a logging library (java.util.logging, org.apache,log4j); set
the output to the appropriate logging level (e.g., "DEBUG") to avoid runtime
overhead when it isn't necessary.