Automated esniper bug report. esniper version 2.31.0 libcurl/7.38.0 OpenSSL/1.0.1t zlib/1.2.8 libidn/1.29 libssh2/1.4.3 librtmp/2.3 Error encountered in function ebayLogin in auction.c line 489 auction = 142133238046, price = 11.33, remain = 0 latency = 0, result = -1, error = 19 buf = 0xcc00e0, size = 14785, read = 0xcc00e0 time = 1475744062, offset = 0 pagename = "Error", pageid = "(null)", srcid = "(null)" specified options or config values: 1 x username(u) = *** 1 x password() = *** 1 x seconds(s) = 5 1 x quantity(q) = 2 1 x (c) = ".cfg" 1 x (f) = "crank.cfg" unknown pageinfo
Further information that will help to fix this issue:
eBay no longer uses the header variable 'pass' to transmit the value to the host.
Instead a random generated number is used for the name of the variable.
Example:
https://signin.ebay.com/ws/eBayISAPI.dll?...pUserId=xxxxx&...&836278938=yyyyyy&pass=&...
Last edit: Michael S. 2016-10-13
HTML source:
Transmission:
https://signin.ebay.com/ws/eBayISAPI.dll?...pUserId=xxxxx&...&1662123377=yyyyyy&pass=&...
I've done some coding on this issue and extract some of the values from the html source. But if I transmit the data back to the login-server I get still
If someone like to investigate this issue, I can attach the changed source of auction.c.
{edit} Actual version of "auction.c" attached to latest posting {/edit}
Last edit: Michael S. 2016-10-11
The parameters bhid, htmid + kdata are not accessible by simply analysing the HTML source. The content will be generated by javascript during typing data into the formular.
Hello.
Hope this will help:
After sending few test requests I found that ebay actually still uses userid and pass fields, it just needs also their "number-named" tweens to be present in the request to their backend: "https://signin.ebay.com/ws/eBayISAPI.dll?co_partnerId=2&siteid=0&UsingSSL=1"
The JS logic of the signin form seems to be not so complicated (yet) - they just copy value of the numeric field to it's display:hidden counterpart (named either userid or pass) before submit. Sooo... it is posible to write code that would scan SignInForm, populate userid and pass and then look for two fields with names /^\d{10}$/. Then we check it's type - if it is text - we populate it with userid, if it is password - ... Finally, we need to pass to ebay backend all the fields found in the form+populated by us. Voila!
At least, I've managed to get ebay WatchList for my account this way using curl. Not yet sure the bidding will work.
Sorry, I'm not-so-good with C, so can not provide patch myself.
Hi Andriy,
scanning for the two "number-named" tweens is not enough. If you take a look to https://sourceforge.net/p/esniper/bugs/discuss/thread/4c63a3a9/940a/attachment/auction.c I've already tried to scan for all relevant fields - without bhid, htmid + kdata:
https://%s/ws/eBayISAPI.dll?MfcISAPICommand=SignInWelcome&userid&%s=%s&pass&%s=%s&keepMeSignInOption=1&mid=%s&srt=%s&usid=%s&rqid=%s&runId2=%s®Url=%s&inputversion=2&sgnBt=Sign+in&bhid&htmid&kdata
It may be help, if you post your comandline call using curl to get the watch-list.
Greeting Michael
Hi.
The process in general is shown below.
Notes:
1. The user agent string may be different, but must be the same in all curl calls.
2. It looks like ebay sets some cookies it then uses to verify auth at very early stage - when we first download signin form. We have to save them from this point.
3. All fields in req.txt can be obtained from SignInForm fields + credentials.
Also, I'll post sample request body (req.txt that actually worked) with my credentials replaced by {userid},{password} (req_example.txt)
Attached the solution to the problem:
Download my auction.c and replace the original file.
Run make (and make install).
{edit} Actual version of "auction.c" attached to latest posting {/edit}
Last edit: Michael S. 2016-10-11
Hey, Michael! Thanks for publishing that solution. It works for me, however it is rather unstable. Approximately once per 5 starts it catches segfault.
It seems that SEGV is caused by using "&szRes" expressions in code. Just replace them with "szRes".
Thanks to Michael for the solution.
Thanks guys. I've got a wrinkle though.
If I remove "&" from "&szRes", I get
auction.c:446:28: error: expected expression before ‘,’ token
memset(, '\0', sizeof(szRes));
error when I run make. With "&" seems inconsistent like you mentioned...
memset(szRes, '\0', sizeof(szRes));
Muchas gracias! I was replacing all 4 instances before.
Last edit: ABK 2016-10-10
There is more reason for SEGV: sometime eBay sign-in form is language dependent ! So neither username, nor password tag detected.
Here is English version
Here's the ebay.de signin form ...
--
PGP Fingerprint: A79F A33F 5B13 BEB7 A51D 274F F99C 3AE2 4BCB 7015
There is no language dependency. The lastest version only searches for HTML-tags and attributes - not for text content.
--
PGP Fingerprint: A79F A33F 5B13 BEB7 A51D 274F F99C 3AE2 4BCB 7015
And this is Russian version
It seems a loop can help: reget LOGIN_1_URL until username and password tags found. Sometimes more than 10 retries required.
A solution to this could be, to put the current fixed strings ">Email or username<" and "Password" into the main configuration file and print out an error message, if the default setting are not found in the login page source. Or a better strategy to find the "number-named" fields for userid and password. If you have problems with the current version, just put the required string (e.g. ">Адрес эл. почты или логин<", "Продолжить", ...) into headerattrs[];
I've changed the strategy to find the "number-named" fields.
If you run with debug option "-d" you will see in the log file esniper.xxxxxx.log, if the lookup for userid and password was successful:
I'm looking forward for your feedback.
{edit} Actual version of "auction.c" attached to latest posting {/edit}
Last edit: Michael S. 2016-10-12
Yes, now it works both with English and Russian versions of sign-in page.
Thank you!
I've now merged the two functions 'findattr' and 'getvals' into a new function 'signinFormSearch'. 'findattr' and 'getvals' are now just a wrapper for two similar kinds of search. But: The code is now not easy to read for people who not "every day C-Coders" ;-)
{edit} Actual version of "auction.c" attached to latest posting {/edit}
Last edit: Michael S. 2016-10-12
And now the final contribution including error handling, if something went wrong with the signup form.
Thanks to Andriy and Sergei for their support !
Last edit: Michael S. 2016-10-12