string topost = $"<?xml version='1.0' encoding='UTF-8' standalone='yes' ?><requestservicegateway><userid>{input.USERNAME}</userid><password>{input.PASSWORD}</password>
Should I put that in the POST box or how should I do it?
First of all you are missing double quotes and semicolon at the end
string topost = $"<?xml version='1.0' encoding='UTF-8' standalone='yes' ?><requestservicegateway><userid>{input.USERNAME}</userid><password>{input.PASSWORD}</password>";
Then you go to the http request block, in the “Content” field, switch it to variable mode (click the button next to it until the background turns dark blue) and you type
topost
inside it, which is the name of the variable where the string is stored. It will send that exact string.
1 Like
Thanks Ruri. I’m stuck though. There’s a variable that needs to be converted to MD5. Does Openbullet2 have that feature?
Yes use the Hash String block
Just to be clear, do I post this
string topost = $"<?xml version='1.0' encoding='UTF-8' standalone='yes' ?><requestservicegateway><userid>{input.USERNAME}</userid><password>{input.PASSWORD}</password>";
In the content box in a POST request?
No mate. Click on the LoliCode section in the menu, you will see somewhere there is your block with the URL and everything in the script.
Before the block, put that line, for example
string topost = $"<?xml version='1.0' encoding='UTF-8' standalone='yes' ?><requestservicegateway><userid>{input.USERNAME}</userid><password>{input.PASSWORD}</password>";
BLOCK:HttpRequest
etc...
Then go back to Stacker by clicking on Stacker in the menu.
And then you can write just the word topost EXACTLY like that in the content box, while making sure the background of the box is dark blue. If it’s dark green, write <topost> instead or change it to blue by using the button next to it.
Was I clear enough?
1 Like
It’s giving me this [IDLE] (3,232): error CS1073: Unexpected token '.0
Did you read my last post carefully? Because if you have that error you didn’t
I did.
string topost = $"<?xml version='1.0' encoding='UTF-8' standalone='yes' ?><requestservicegateway><userid>{input.USERNAME}</userid><password>{pass}</password><language>{en_US}</language><service>{1}</service><client><c>{0}</c><ver>{2.2.0.0}</ver></client><os><name>{Android}</name><ver>{5.1.1}</ver></os><time>{1626658668014}</time></requestservicegateway>";
BLOCK:HttpRequest
url = "linkhere"
method = POST
customHeaders = {("X-Omni-Parameter", "sid=10046"), ("x-asc-sid", "10046"), ("x-asc-os-version", "5.1.1"), ("x-asc-sid-version", "3.6.1.0"), ("x-asc-device-name", "c2hhbXU="), ("x-asc-device-maker", "samsung"), ("x-asc-device-model", "SM-N976N")}
TYPE:STANDARD
$"<topost>"
"text/xml"
ENDBLOCK
Found the problem. The problem is that only variables should be inside {curly braces} in the XML, anything that is constant and not changing should not have them, otherwise you get the error.
So in your case change the line to this one
string topost = $"<?xml version='1.0' encoding='UTF-8' standalone='yes' ?><requestservicegateway><userid>{input.USERNAME}</userid><password>{pass}</password><language>en_US</language><service>1</service><client><c>0</c><ver>2.2.0.0</ver></client><os><name>Android</name><ver>5.1.1</ver></os><time>1626658668014</time></requestservicegateway>";
1 Like
Thank you very much. It’s working. The problem is, I’m not getting the results I’m after.
Does Openbullet2 support text/xml content type?
Anything you see in the log of the request is sent exactly as you see it, I log directly the stuff that is sent on the tcp connection so it’s like using fiddler. Compare the request you see in the log with the one you see when sniffing from the phone and find the differences. And yes, it does support every content-type of course.
Maybe make sure the MD5 is correct, make sure you used the Hash String block and not just Hash as that one operates on byte arrays and not strings.
Here’s the whole code:
BLOCK:HashString
input = $"<input.PASSWORD>"
=> VAR @pass
ENDBLOCK
string topost = $"<?xml version='1.0' encoding='UTF-8' standalone='yes' ?><requestservicegateway><userid>{input.USERNAME}</userid><password>{pass}</password><language>en_US</language><service>1</service><client><c>0</c><ver>2.2.0.0</ver></client><os><name>Android</name><ver>5.1.1</ver></os><time>1626658668014</time></requestservicegateway>";
BLOCK:HttpRequest
url = "redacte"
method = POST
customHeaders = {("X-Omni-Parameter", "sid=10046"), ("x-asc-sid", "10046"), ("x-asc-os-version", "5.1.1"), ("x-asc-sid-version", "3.6.1.0"), ("x-asc-device-name", "c2hhbXU="), ("x-asc-device-maker", "samsung"), ("x-asc-device-model", "SM-N976N"), ("User-Agent", "Dalvik/2.1.0 (Linux; U; Android 5.1.1; SM-N976N Build/QP1A.190711.020)"), ("Host", "redacted"), ("Connection", "close"), ("Accept-Encoding", "gzip, deflate"), ("Content-Length", "347")}
TYPE:STANDARD
@topost
"text/xml"
ENDBLOCK
Results I get
Response code: 200
Received Headers:
Transfer-Encoding: chunked
Date: Mon, 19 Jul 2021 02:24:57 GMT
Connection: close
Content-Length: 0
Received Cookies:
Received Payload:
What I expect:
200
Date: Mon, 19 Jul 2021 02:24:36 GMT
Connection: close
Content-Length: 145
<?xml version="1.0" encoding="utf-8"?>
<requestservicegateway>
<status>2</status>
<time>1626661477711</time>
</requestservicegateway>
1 Like
I don’t know, it looks good from here, can you compare the two requests as I told you to do? The sniffed one and the one you see in the log (request not response).
BURP
POST redacted HTTP/1.1
Authorization: signature_method="HMAC-SHA1",timestamp="1626661588349",nonce="ec10e527a2274b78a4c63b1fc01c4b95",signature="jBP8ZTssyg6FlOowXX8Hwf5k1uA%3D"
extension-pragma: sid=10046;c=0;v=3.6.1.0;EEE_MANU=Android;EEE_PROD=d2que;OS_VER=22;
Cookie: sid=10046;c=0;v=3.6.1.0;EEE_MANU=Android;EEE_PROD=d2que;OS_VER=22;
Content-type: text/xml; charset=UTF-8
X-Omni-Parameter: sid=10046
x-asc-sid: 10046
x-asc-os-version: 5.1.1
x-asc-sid-version: 3.6.1.0
x-asc-device-name: c2hhbXU=
x-asc-device-maker: samsung
x-asc-device-model: SM-N976N
User-Agent: Dalvik/2.1.0 (Linux; U; Android 5.1.1; SM-N976N Build/QP1A.190711.020)
Host: redacted
Connection: close
Accept-Encoding: gzip, deflate
Content-Length: 363
<?xml version='1.0' encoding='UTF-8' standalone='yes' ?><requestservicegateway><userid>{email}</userid><password>redacted</password><language>en_US</language><service>1</service><client><c>0</c><ver>2.2.0.0</ver></client><os><name>Android</name><ver>5.1.1</ver></os><time>1626661588349</time></requestservicegateway>
OB2
POST redacted HTTP/1.1
Host: redacted
Connection: Close
Content-type: text/xml; charset=UTF-8
X-Omni-Parameter: sid=10046
x-asc-sid: 10046
x-asc-os-version: 5.1.1
x-asc-sid-version: 3.6.1.0
x-asc-device-name: c2hhbXU=
x-asc-device-maker: samsung
x-asc-device-model: SM-N976N
User-Agent: Dalvik/2.1.0 (Linux; U; Android 5.1.1; SM-N976N Build/QP1A.190711.020)
Accept-Encoding: gzip, deflate
Content-Length: 363
<?xml version='1.0' encoding='UTF-8' standalone='yes' ?><requestservicegateway><userid>emailredacted</userid><password>redacted</password><language>en_US</language><service>1</service><client><c>0</c><ver>2.2.0.0</ver></client><os><name>Android</name><ver>5.1.1</ver></os><time>1626658668014</time></requestservicegateway>
As you can see you’re missing some headers (mainly Authorization). You need to generate that header. It’s an HMAC-SHA1 signature so OB2 can do this pretty easily, you just have to find out the signing key (it’s somewhere in the code of the app), what is being signed and if the nonce is added at the start or end of the message.