Gently bypassing your verification code to carry out an attack: a vulnerability study
Source: Internet
Author: User
Snow-tracing was, in its early years, one of the famous "knife light snow shadow" hacker tools. One of its functions was brute-forcing forms, and it was very popular at the time. Then the verification code came along and all but drove Snow-tracing into a dead end. But is it really a dead end? This article gives you the answer.
The attacks on verification code mechanisms described online all analyze the picture with mathematical methods. Of course, we can't always just follow other people's ideas; that would be rather uncreative.
Think about how a verification code works: on each login the page requests a script file, which generates the picture containing the code and writes the code's value into the session. When the form is submitted, the verifying script checks whether the submitted verification code matches the one in the session.
Here is the problem: after a login fails with a wrong password, we simply do not request the file that generates the verification picture. If the verification code in the session has not been cleared, the code is still the same as last time, and the painstakingly built defense against form brute-forcing exists in name only.
The POWEREASY2005 administrator login page is a good example: once we recognize the verification code from the first visit, we can keep submitting with the same session cookie value and brute-force the login. The figure shows the result of using Snow-tracing (Snow-tracing is back in action ^_^).
PJBLOG2's login verification is in a similar situation. I did not look at other programs; it is manual labor and no fun.
Verification code flaws can also be used for DoS (and for vote stuffing and the like, hehe). In the CSDN blog system, for example, the verification code on replies has this problem, so you can capture the packet and keep resubmitting it (hey, let me say it first: don't test it on me).
The Move network BBS did a good job here: after a wrong password it empties the verification code value in the session, and every verification code check tests whether the code is empty. So if you want to fix this flaw, refer to the Move network.
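The flaw and the fix described above, modelled as an added Python example that is not from the original article or from any of the programs it names. The session is a plain dict, and `issue_captcha`, `check_vulnerable`, `check_fixed`, `login` and `replay` are hypothetical names; the password and guesses are constructed sample values.

```python
import hmac
import secrets

def issue_captcha(session):
    """Stands in for the image script: store a fresh code in the session."""
    code = f"{secrets.randbelow(10_000):04d}"
    session["captcha"] = code
    return code  # a real script would render this into a picture

def check_vulnerable(session, submitted):
    # Flaw from the article: the stored code survives the check, so it stays
    # valid until the client chooses to request the image script again.
    return submitted == session.get("captcha")

def check_fixed(session, submitted):
    # Take the code out of the session before comparing: one use per code,
    # whether the attempt succeeds or fails.
    expected = session.pop("captcha", "")
    # An empty stored or submitted code must never match.
    if not expected or not submitted:
        return False
    return hmac.compare_digest(submitted, expected)

def login(session, check, captcha, password, real_password="s3cret-constructed"):
    """Hypothetical login handler: 'bad captcha', 'bad password' or 'ok'."""
    if not check(session, captcha):
        return "bad captcha"
    if not hmac.compare_digest(password, real_password):
        return "bad password"
    return "ok"

def replay(check, guesses):
    """One image request, then several submissions reusing that one code."""
    session = {}
    code = issue_captcha(session)
    return [login(session, check, code, g) for g in guesses]

if __name__ == "__main__":
    guesses = ["guess-1", "guess-2", "guess-3"]  # constructed sample input
    print("vulnerable:", replay(check_vulnerable, guesses))
    print("fixed:     ", replay(check_fixed, guesses))
```

With the fixed check, every submission after the first is refused at the verification code step, so each password attempt costs a fresh image request.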