12306 third-party software testing research, 12306 third-party testing

12306 third-party software testing research, 12306 third-party testing

Reprinted please indicate the source: http://blog.csdn.net/tang9140/article/details/42869269

First of all, I declare that this article is purely a technical study of personal preferences. Please do not use it for illegal operations to profit from illegitimate interests, you know.

Problem cause

On the 17th and 18th of December 2014, a large number of ticket flushing software against 12306 experienced illegal requests or 'use third-party ticket purchasing soft' prompts, and the verification code was incorrectly identified. Later, we learned that in order to curb and prevent malicious ticketing software and plug-ins, we can identify the differences between the ticketing software and the user's ticketing behavior.

So the question is... I'm curious about what means they do.

In addition, I have previously worked on the JAVA version of the ticket grabbing software, only for learning purposes, no other purpose. After I added a third-party software check in 12306, my ticket flushing software also showed an 'invalid request' prompt, and I couldn't even log on. This led to my thinking.

What is the essence of the ticket grabbing software?

I personally think that the ticket grabbing software is nothing more than a robot (in fact, a robot is a software, here it is just an image) instead of a real person to buy a ticket. As we all know, machines respond quickly. Therefore, the premise of simultaneously competing is that machines are faster than real people. This is why scalpers can buy tickets, but you cannot buy tickets. Continue to think about why robots can buy tickets instead of physical users? This raises the next question.

From a technical point of view, what is actually happening when a user buys a ticket in a browser?

As we all know, website 12306 provides WEB Services Based on the B/S architecture and is based on the http protocol. The http protocol is a typical request-response protocol and a stateless protocol. In fact, all the operations performed by the user on the browser are ultimately sent to the server based on the browser. After receiving the request, the server performs the corresponding business processing and returns the response to the browser, the browser is displayed to the user. More specifically, the browser receives various user events (such as mouse-click events and keyboard-input events) and then sends an http request to the server in the background, at the same time, the browser will receive the response content from the server and display it as an HTML page.

More general, as long as the server receives a request that complies with the HTTP protocol, it will be processed, it does not care whether the request is sent through the browser or the ticket flushing software (the browser itself is also a software, and generally the operating system comes with a browser ). From the above analysis, we can see that as long as the third-party software completely simulates the browser to send HTTP requests that meet the specifications, the WEB server will treat them as legal requests and process them. The problem arises again. Why does the ticket flushing software prompt "illegal requests"? Is there a conflict with your analysis just now? This is actually not a conflict. Please note that what I just said is "completely simulate a browser". In the past, the ticket grabbing software as a learning version did not send HTTP requests in strict browser mode, this results in 12306 being able to detect illegal requests through some technical means. This leads to our ultimate problem.

12306 how does one perform technical detection and distinguish normal requests from illegal requests?

Before answering this question, you should first understand the HTTP protocol. HTTP request messages are divided into four parts: Request lines, request headers, blank lines, and optional request message bodies. There are eight request methods, the most common of which are GET requests and POST requests. GET requests include parameters after URLs (without message bodies), while POST requests include parameters in message bodies. The request header may contain Cookie information. Back to the question, 12306 checks illegal requests in three aspects: Request Header, Cookie, and request parameters.

12306 Detection:

1. Request Header

When simulating HTTP requests, pay attention to the order of request headers. After self-testing, if the 'cookie request header' of the login request is placed behind the 'Connection request header', an 'invalid request' message is displayed'

2. Cookie

The Cookie request header should also pay attention to the order. First, JSESSIONID (other cookies in the middle), then BIGipServerotn, current_captcha_type

3. Request Parameters

Or the order, please follow the order in which the browser sends the Request Parameters for sending. In addition, 12306 added dynamic key verification when logging on and submitting orders. You need to first obtain the url of the dynamic js file, then access the content of the js file and extract the key value, use the encryption algorithm in the js file to encrypt the key and then form the corresponding value.

Through the above three aspects of detection, we can find some illegal requests. Of course, there are third-party software detection, and there is also anti-detection. Several hours after the launch of this series of third-party software testing, monitoring, and replacement verification codes (I believe there are three different verification codes) in 12306, some ticket flushing software cracked. In fact, I think the so-called third-party software testing is completely temporary, just like the anti-plug-in detection in the game. In the view of powerful plug-in developers, it is completely vulnerable. No matter how many verifications you have added, no matter how you replace the verification rules, they will be quickly cracked. I think that, instead of spending time on plug-ins, it is better to provide plug-ins internally and learn from the practices of the game. In 12306, it is better to provide the one-click ticketing function internally without the need to choose a number of times, select a passenger, submit the order verification code, and confirm again. Directly grab tickets with one click according to the user's preset rules (the internal one-click ticketing function must be higher than that of the external ticketing software). This is more practical. What do you think. Supported likes

The code word is not easy. The source is http://blog.csdn.net/tang9140.

The JAVA implementation code for the KEY encryption algorithm is attached. If you are interested, you can check the code.

Public class DynamicJsUtil {private static String keyStr = "inline ++/="; static class Base32 {private static int delta = 0x9E3779B8; public static String longArrayToString (int [] data, boolean includeLength) {int length = data. length; int n = (length-1) <2; if (delayed delength) {int m = data [length-1]; if (m <n-3) | (m> n) return Null; n = m;} StringBuilder sb = new StringBuilder (""); for (int I = 0; I <length; I ++) {int i0 = data [I] & 0xff; int i8 = data [I] >>> 8 & 0xff; int i16 = data [I] >>> 16 & 0xff; int i24 = data [I] >>> 24 & 0xff; if (i0! = 0) sb. append (char) i0); if (i8! = 0) sb. append (char) i8); if (i16! = 0) sb. append (char) i16); if (i24! = 0) sb. append (char) i24);} String result; if (delayed delength) {result = sb. substring (0, n);} else result = sb. toString (); return result;} public static int [] stringToLongArray (String str, boolean includeLength) {int length = str. length (); int arrsize = length % 4 = 0? Length/4: length/4 + 1; int [] result = new int [arrsize]; for (int I = 0; I <length; I + = 4) {if (I + 4> length) {int char8 = I + 1> = length? 0: str. charAt (I + 1) <8; int char16 = I + 2> = length? 0: str. charAt (I + 1) <16; int char24 = I + 3> = length? 0: str. charAt (I + 1) <24; result [I> 2] = str. charAt (I) | char8 | char16 | char24;} else result [I> 2] = str. charAt (I) | str. charAt (I + 1) <8 | str. charAt (I + 2) <16 | str. charAt (I + 3) <24;} if (includeLength) {int [] newArr = new int [arrsize + 1]; System. arraycopy (result, 0, newArr, 0, arrsize); newArr [arrsize] = length; result = newArr;} return result;} public static String encry Pt (String str, String key) {if (str = "") {return "";} int [] v = stringToLongArray (str, true ); int [] k = stringToLongArray (key, false); if (k. length <4) {int [] newArr = new int [4]; System. arraycopy (k, 0, newArr, 0, k. length); k = newArr;} int n = v. length-1; int z = v [n], y = v [0]; int mx, e, p, sum = 0; int q = 6 + 52/(n + 1); while (0 <q --) {sum = sum + delta & 0 xffffffff; e = sum>> 2 & 3; for (p = 0; p <n; p ++) {y = v [p + 1]; mx = (z >>> 5 ^ y <2) + (y >>> 3 ^ z <4) ^ (sum ^ y) + (k [p & 3 ^ e] ^ z); z = v [p] = v [p] + mx & 0 xffffffff;} y = v [0]; mx = (z >>> 5 ^ y <2) + (y >>> 3 ^ z <4) ^ (sum ^ y) + (k [p & 3 ^ e] ^ z); z = v [n] = v [n] + mx & 0 xffffffff;} return longArrayToString (v, false) ;};} public static String encode32 (String input) {input = escape (input); StringBuilder output = new StringBuilder (); int length = input. length (); int chr1, chr2, chr3; int enc1, enc2, enc3, enc4; int I = 0; do {chr1 = input. charAt (I ++); enc1 = chr1> 2; output. append (keyStr. charAt (enc1); if (I <length) {chr2 = input. charAt (I ++); enc2 = (chr1 & 3) <4) | (chr2> 4); output. append (keyStr. charAt (enc2); if (I <length) {chr3 = input. charAt (I ++); enc3 = (chr2 & 15) <2) | (chr3> 6); enc4 = chr3 & 63; output. append (keyStr. charAt (enc3 )). append (keyStr. charAt (enc4);} else {enc3 = (chr2 & 15) <2) | (0> 6); output. append (keyStr. charAt (enc3 )). append (keyStr. charAt (64) ;}} else {enc2 = (chr1 & 3) <4) | (0> 4); output. append (keyStr. charAt (enc2 )). append (keyStr. charAt (64 )). append (keyStr. charAt (64) ;}}while (I <length); return output. toString ();} Static String bin216 (String s) {s + = ""; String output = ""; int l = s. length (); for (int I = 0; I <l; I ++) {char c = s. charAt (I); String temp = Integer. toString (c, 16); output + = temp. length () <2? "0" + temp: temp;} return output;} public static String escape (String src) {char j; StringBuffer tmp = new StringBuffer (src. length () * 2); for (int I = 0; I <src. length (); I ++) {j = src. charAt (I); if (Character. isDigit (j) | Character. isLowerCase (j) | Character. isUpperCase (j) tmp. append (j); else if (j <256) {if (j = '*' | j = '@' | j = '-' | j = '_' | j = '+ '| j = '. '| j ='/') {tmp. append (j);} else {tmp. append ("%"); if (j <16) tmp. append ("0"); tmp. append (Integer. toString (j, 16 ). toUpperCase () ;}} else {tmp. append ("% u"); tmp. append (Integer. toString (j, 16);} return tmp. toString ();}/*** get the value of dynamic encryption * @ param key * @ return */public static String getRandomParamValue (String key) {return encode32 (DynamicJsUtil. bin216 (Base32.encrypt ("1111", key )));}}