How voting websites that restrict votes by IP address are cheated

Source: Internet
Author: User
Many voting websites prevent repeat voting mainly by limiting IP addresses: one IP address can vote only once. This article looks at how voting websites that restrict votes by IP address are cheated. The method exploits a flaw in how the voting website detects the remote IP address; it does not truly forge the IP address. HTTP is a layer-7 protocol that runs on top of TCP, so the real IP address cannot be forged. Recently a friend needed voting software, so I studied the website in question. It has a verification code, limits each IP address to one vote, and looks like a standard voting website. I studied the verification code first:

The verification code on this voting website starts out easy: four digits in standard positions, which are easy to recognize. After that it becomes abnormal: the number of characters varies, letters appear, and the characters shift up and down. Such a code is hard for software to recognize and hard even for a person to read. It looked like a dead end!

Through continued analysis I found a flaw in the site's verification code check. The verification code is essentially fake: it does not need to be recognized, and no verification code needs to be supplied at all, because the site only uses JS code on the voting options page to check whether the verification code is empty. JS code runs on the client, so as a verification measure its effect is zero; in general, JS validation exists only for the convenience of users. This voting website relies on that check alone, and the dynamic page that processes the vote does not check whether the verification code is empty, which is a serious risk to the site's security.

With that, the verification code problem was solved. As long as the verification code file is not requested during voting, the verification code is blank; and since the dynamic page does not check whether the verification code is empty, it is enough to leave the verification code parameter blank in the POST.
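The server-side check that the vote-processing page was missing, as an added example that is not code from the original article or from the site. It assumes the code is stored in the PHP session when the image is served; the session key and POST field name `captcha` are assumptions.

```php
<?php
// Added example, not code from the page. The session key and POST field
// name 'captcha' are assumptions.

// Verify the submitted code against the one stored when the image was served.
// $session is normally $_SESSION and $post is $_POST.
function captcha_ok(array &$session, array $post): bool
{
    $expected = (string)($session['captcha'] ?? '');
    $raw = $post['captcha'] ?? '';
    $given = is_string($raw) ? trim($raw) : '';
    // One-shot: the stored answer is discarded on every attempt, so one
    // solved image cannot be replayed for many votes.
    unset($session['captcha']);
    // A session that never requested the image has no stored answer.
    // Without this check '' would match '' and the vote would be accepted.
    if ($expected === '' || $given === '') {
        return false;
    }
    return hash_equals(strtolower($expected), strtolower($given));
}

// Constructed cases: [session contents, POST fields].
$cases = [
    'image never requested, field blank' => [[], ['captcha' => '']],
    'image requested, field blank' => [['captcha' => 'k7Qp'], ['captcha' => '']],
    'image requested, wrong answer' => [['captcha' => 'k7Qp'], ['captcha' => 'abcd']],
    'image requested, right answer' => [['captcha' => 'k7Qp'], ['captcha' => 'K7QP']],
];
foreach ($cases as $label => [$session, $post]) {
    echo $label, ' => ', captcha_ok($session, $post) ? 'accept' : 'reject', "\n";
}
```

Only the last constructed case is accepted; the first case is the blank-parameter request described above.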

The other problem is that the voting website checks the IP address and allows each IP address to vote only once. Getting around that would normally require a proxy, or disconnecting and redialing the network connection; I really could not think of any other good method. Later, my friend found a program that can vote on this website very quickly. I was curious how this program dealt with the IP address limit, so I asked my friend for it in order to analyze it.

First, I used packet capture to study this voting software. After getting everything ready, I opened the voting program and it immediately reported "Software conflict!". So I closed some programs, but even with only the packet capture program left running it still reported a conflict. The program evidently anticipates that someone may analyze it: it enumerates process names and checks for suspicious programs, and refuses to run if it finds an analysis or packet capture tool. The software it blocks includes the Easy Language programming environment and the WSockExpert_Cn packet capture tool. After closing Easy Language and renaming WSockExpert_Cn, the program's own security check passed and it ran successfully.

Here is the request it sent when I used it to vote:

    POST /vote/view.php?sid=33&act=vote HTTP/1.1
    Accept: */*
    Referer: http://www.qdnfy.gov.cn/vote/vote.php
    Content-Type: application/x-www-form-urlencoded
    X-Forwarded-For: 218.20.218.200
    CLIENT_IP: 218.415218.200
    VIA: 218.425218.200
    REMOTE_ADDR: 218.426218.200
    Accept-Language: zh-cn
    Accept-Encoding: text
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Server Load balancer; .NET CLR 2.0.50727; .NET CLR 3.0.04506)
    Host: www.qdnfy.gov.cn
    Cookie: PHPSESSID=pldjnb6scereodjm5niqb9q990
    Content-Length: 49
    Connection: Close

In the request I noticed the X-Forwarded-For HTTP header, which is followed by an IP address. This parameter must be significant. I had never come across it before, so I searched Baidu for it.

The following is an explanatory article found through Baidu; it explains the topic well.

Forging the X-Forwarded-For field in the HTTP header to forge the IP address: I spent a long time on Baidu reading about how X-Forwarded-For works, having heard of it for the first time. The X-Forwarded-For (XFF) header represents the client, that is, the real IP address of the end that made the HTTP request. It is added only when the request passes through an HTTP proxy or a load-balancing server.

It is not a standard request header defined in an RFC. It is described in the Squid caching proxy server development documentation.

  The standard format is as follows:

X-Forwarded-For: client1, proxy1, proxy2

From the standard format we can see that the X-Forwarded-For header can contain multiple entries separated by commas (,). The first entry is the real client IP address; the rest are the IP addresses of the proxies or load balancers the request has passed through. One IP address is added for each one it passes through.

Explanation of X-Forwarded-For on Wikipedia: http://en.wikipedia.org/wiki/x-forwarded-for

Analysis:

Since the goal is to forge the client IP address, let's first look at how the client IP address is usually obtained (taking PHP as an example). This code was found on Baidu, and most websites probably use something like it.

    <?php
    // Whether a proxy is used: if the Via header is present, take the address
    // from X-Forwarded-For, otherwise from REMOTE_ADDR
    $user_IP = ($_SERVER["HTTP_VIA"]) ?
        $_SERVER["HTTP_X_FORWARDED_FOR"] : $_SERVER["REMOTE_ADDR"];
    // If the retrieval fails, it will be obtained from REMOTE_ADDR.
    $user_IP = ($user_IP) ? $user_IP : $_SERVER["REMOTE_ADDR"];
    ?>

The code first checks whether the HTTP_VIA header exists; HTTP_VIA indicates whether a proxy server is in use. If it is absent, the client IP address is taken from the REMOTE_ADDR field. If it is present, the client IP address is taken from X-Forwarded-For. I guess many programmers use this code from Baidu; ASP is similar.

Then let's test it.

  Server code:

    <?php
    // Output HTTP_X_FORWARDED_FOR
    echo "HTTP_X_FORWARDED_FOR:" . $_SERVER["HTTP_X_FORWARDED_FOR"];
    // Output REMOTE_ADDR
    echo "REMOTE_ADDR:" . $_SERVER["REMOTE_ADDR"];
    ?>

The two client IP addresses obtained are different. REMOTE_ADDR is the real IP address.

Therefore, if a website uses X-Forwarded-For to determine the client IP address, this logic flaw can be used to cast repeated votes.
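A hardened counterpart to the lookup code above, as an added example that is not code from the original article: forwarding headers are honoured only when the TCP peer (REMOTE_ADDR) is one of the site's own reverse proxies. The `TRUSTED_PROXIES` list and the function name `client_ip` are assumptions, and the sample requests are constructed.

```php
<?php
// Added example, not code from the page. TRUSTED_PROXIES is an assumed
// deployment value: the addresses of the site's own reverse proxies.
const TRUSTED_PROXIES = ['10.0.0.5', '10.0.0.6'];

// Return the address a per-IP vote limit should be keyed on.
// $server is normally $_SERVER; it is a parameter so the function can be
// exercised offline with constructed requests.
function client_ip(array $server, array $trusted = TRUSTED_PROXIES): string
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    // Peer is not one of our proxies: Via, X-Forwarded-For, Client-IP and
    // the like were all written by the client, so none of them is used.
    if (!in_array($peer, $trusted, true)) {
        return $peer;
    }
    $chain = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? ''));
    // Walk right to left: our proxies append on the right, so anything to
    // the left of the first untrusted hop is client-supplied text.
    for ($i = count($chain) - 1; $i >= 0; $i--) {
        if (filter_var($chain[$i], FILTER_VALIDATE_IP) === false) {
            break; // malformed entry: fall back to the TCP peer
        }
        if (!in_array($chain[$i], $trusted, true)) {
            return $chain[$i];
        }
    }
    return $peer;
}

// Constructed requests using documentation addresses.
$requests = [
    'direct, forged headers' => [
        'REMOTE_ADDR' => '203.0.113.9',
        'HTTP_VIA' => '1.1 fake',
        'HTTP_X_FORWARDED_FOR' => '198.51.100.77',
    ],
    'via trusted proxy, forged leftmost entry' => [
        'REMOTE_ADDR' => '10.0.0.5',
        'HTTP_X_FORWARDED_FOR' => '198.51.100.77, 203.0.113.9',
    ],
];
foreach ($requests as $label => $server) {
    echo $label, ' => ', client_ip($server), "\n";
}
```

Both constructed requests resolve to 203.0.113.9; the client-supplied 198.51.100.77 is never used as the voter's address.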
