About voting system Brush ticket Form principle (breakthrough IP limit Brush ticket PHP version)

About voting system Brush ticket Mode principle (breakthrough IP limit Brush ticket PHP version)

First of all: In fact, is not a breakthrough in IP restrictions, because in fact, this limit is on the server side, the client in the cool, also can not break through. It's just that you can always swipe multiple tickets.

A friend suddenly sent a website, let me help her vote. When I was a bcause, I helped her to vote. By the way, the site was analyzed, and the polling system found that the site had IP restrictions, but the vote was an AJAX request. Then the way out.

Many voting PC sites rely on restricted IP to limit the number of voters. Then I use Curl to forge IP, so I can easily create multiple IPs to vote.

Paste the following PHP code:

Because the other side is a get Ajax request, I put the Get method here, post method, please modify the

 


The first part is to randomly generate an IP in the country and then use curl to simulate the request.
Because the site limit is an IP limit of 1 hours to cast 30 tickets, so I am here randomly.
If the site is limited to 1 IP 1, then it is best to modify the IP to generate the domestic IP in order, so it can not be duplicated.
Then I'm on, Apache AB, each concurrent 20 votes. Soon the tickets will be brushed up.
So what's the solution to this malicious swipe ticket?
I don't have a good way to defend. But my curl is actually a webservice visit, which is not with a session or cookie, and of course, curl can also emulate a cookie, Then take the Phpsessionid and bring the session.
But for an unknown website, he does not know how to handle it. Therefore, if the existence of a session is determined to effectively resist a batch of brush tickets. But do not prompt when prompted is missing session such text. It is better to give the session an effective period, so that the degree of security will increase ( But if the person who brushes the ticket knows the principle, it doesn't mean that he can be defended.
To add: A lot of code that can get the real IP address of the visitor, this I did not encounter the correct way to get the real IP of the user. If so, please leave a message.
If there is any good defense plan, want to leave a message.


Sometimes if a timeout can cause a script to break, it's best to execute the script every minute with a Crond
The script code is:
#!/bin/shpid= ' Ps-ef |grep localhost/vote.php |grep vote.php | awk ' {print $} '; if [[$pid = =] "]];thenecho" vote is start "; Nohup/usr/bin/ab-n 100000-c http://localhost/vote.php Elseecho "vote.php is running"; fi

This script is every minute to judge the existence of this process is not, if it exists, regardless, does not exist, start the process.
In addition, you can use Nohup to perform in the background.
At the opening crond every minute running up
Crontab-e

Edit Crond Task
* * * * * */www/web/default/controller/script/vote.sh

The first 5 * numbers are executed on behalf of every minute of this script. If not, please refer to cron data
When you start cron
Service Crond Start

Work Gaocheng, peace of mind let him brush it. You can do something else.

Windows system please self-planning tasks, I do not post code here
