From: http://www.cnblogs.com/wangwei/archive/2009/09/19/1570242.html
The author of "ASP.NET Website Restricted Access Frequency" ran into two major problems: one is that the verification code can be cracked, and the other is that malicious users can use a proxy to change their IP address and get around the author's restrictions.
Let's talk about verification-code cracking first.
When cracking a verification code is mentioned, most people shake their heads and assume it is something only graphics and algorithm experts study.
However, the verification code used by that blogger can be cracked with almost no effort. Look at the address of the verification code image: strangely, it is an ASPX page! Don't worry. Open a browser and press Shift+F2 to call up HttpWatch (a third-party IE plug-in; please install it yourself), click Record to start monitoring, paste the verification code address into the address bar and press Enter. Below are the response headers captured by HttpWatch:
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: image/jpeg; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: 1945.47704561149=idnh6; path=/
X-Powered-By: ASP.NET
Date: Sat, 19 Sep 2009 14:28:58 GMT
Content-Length: 8697
Note the line "Set-Cookie: 1945.47704561149=idnh6; path=/", then look at what IE displays for that address (shown in the screenshot), and you will understand what is going on. The job of VerifyCode.aspx is very simple: it generates a random group of letters such as "idnh6", draws them into an image that is sent to the client, and stores the same letters in plaintext in a cookie, so that when the form is submitted the server reads the value back from the cookie and compares it with what the user typed.
To crack it, you only need to forge the cookie value in the HTTP headers of the POST request. As long as the verification program sees that the code entered by the user is the same as the one in the cookie (which the client can forge), the request is allowed through.
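The fix this analysis points to is to keep the expected code somewhere the client can neither read nor rewrite. The following is an added example, not code from the original post or from the blog being analyzed: a VerifyCode.aspx code-behind that stores the generated code in server-side session state, plus a check for the form's POST handler that compares it once and then discards it. The page class, the session key names, the character alphabet and the five-minute lifetime are all assumptions.

```csharp
using System;
using System.Drawing;
using System.Drawing.Imaging;
using System.Security.Cryptography;
using System.Web;
using System.Web.SessionState;
using System.Web.UI;

// Hypothetical VerifyCode.aspx code-behind (added example). Session state must be enabled.
public partial class VerifyCode : Page
{
    const string SessionKey = "VerifyCodeValue";            // assumed key name
    const string IssuedKey = "VerifyCodeValue:Issued";      // assumed key name
    // Letters and digits that are easy to tell apart; no 0/o, 1/l/i.
    const string Alphabet = "abcdefghjkmnpqrstuvwxyz23456789";

    protected void Page_Load(object sender, EventArgs e)
    {
        string code = GenerateCode(5);

        // The expected value stays on the server. Only an opaque session id
        // travels in a cookie, so the client has nothing to copy or forge.
        Session[SessionKey] = code;
        Session[IssuedKey] = DateTime.UtcNow;

        Response.Cache.SetCacheability(HttpCacheability.NoCache);
        Response.ContentType = "image/jpeg";
        using (Bitmap bmp = new Bitmap(120, 40))
        using (Graphics g = Graphics.FromImage(bmp))
        using (Font font = new Font("Arial", 20, FontStyle.Bold))
        {
            g.Clear(Color.White);
            g.DrawString(code, font, Brushes.Black, 5, 5);
            bmp.Save(Response.OutputStream, ImageFormat.Jpeg);
        }
        Response.End();
    }

    // A cryptographic RNG rather than System.Random, so the sequence of codes
    // cannot be predicted from earlier ones.
    static string GenerateCode(int length)
    {
        byte[] buf = new byte[length];
        using (var rng = new RNGCryptoServiceProvider())
            rng.GetBytes(buf);
        char[] chars = new char[length];
        for (int i = 0; i < length; i++)
            chars[i] = Alphabet[buf[i] % Alphabet.Length];
        return new string(chars);
    }
}

// Called from the code-behind of the page that receives the form POST.
public static class VerifyCodeCheck
{
    public static bool IsValid(HttpSessionState session, string submitted)
    {
        string expected = session["VerifyCodeValue"] as string;
        DateTime? issued = session["VerifyCodeValue:Issued"] as DateTime?;

        // Single use: drop the stored code whether or not the check passes,
        // so a wrong guess cannot simply be retried against the same image.
        session.Remove("VerifyCodeValue");
        session.Remove("VerifyCodeValue:Issued");

        if (expected == null || issued == null || submitted == null)
            return false;
        if (DateTime.UtcNow - issued.Value > TimeSpan.FromMinutes(5))
            return false;
        return string.Equals(expected, submitted.Trim(), StringComparison.OrdinalIgnoreCase);
    }
}
```

In the POST handler this becomes `if (!VerifyCodeCheck.IsValid(Session, txtCode.Text)) { /* reject */ }`. If you would rather avoid session state, the same property can be obtained by putting an HMAC of the code and its timestamp (keyed with a server secret) in the cookie instead of the code itself: the client still cannot produce a valid cookie for a value it chose.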
Now the second question: "malicious users can use a proxy to change their IP address to get around the author's restrictions".
For most ASP.NET websites the so-called proxy is not even needed: the IP address can be spoofed without one.
First, let's look at a widely circulated implementation for obtaining a user's "real" IP address:
    #region
    /// <summary>
    /// Obtain the real IP address of the user
    /// </summary>
    /// <returns>Returns the user's real IP address</returns>
    public static string GetUserRealRIP()
    {
        string user_ip = "";
        // Trusts the client-supplied X-Forwarded-For header whenever a Via header is present
        if (System.Web.HttpContext.Current.Request.ServerVariables["HTTP_VIA"] != null)
        {
            user_ip = System.Web.HttpContext.Current.Request.ServerVariables["HTTP_X_FORWARDED_FOR"].ToString();
        }
        else
        {
            user_ip = System.Web.HttpContext.Current.Request.ServerVariables["REMOTE_ADDR"].ToString();
        }
        return user_ip;
    }
    #endregion
The following shows how the IP address is forged.
Without much introduction, straight to the code.
The client that sends the fake IP address:
    using System;

    class Program
    {
        static void Main(string[] args)
        {
            System.Net.WebClient wc = new System.Net.WebClient();
            // Both headers are chosen by the client; the server above believes them
            wc.Headers.Add("Via", "8.8.8.8");
            wc.Headers.Add("X_Forwarded_For", "9.9.9.9");
            Console.WriteLine(wc.DownloadString("http://127.0.0.1/getip.aspx"));
            Console.ReadLine();
        }
    }
getip.aspx (code-behind):
    protected void Page_Load(object sender, EventArgs e)
    {
        Response.Write("Your IP address is: " + GetUserRealRIP());
        Response.End();
    }

    #region Obtain the real IP address of a user
    /// <summary>
    /// Obtain the real IP address of a user
    /// </summary>
    /// <returns>Returns the user's real IP address.</returns>
    public static string GetUserRealRIP()
    {
        string user_ip = "";
        if (System.Web.HttpContext.Current.Request.ServerVariables["HTTP_VIA"] != null)
        {
            user_ip = System.Web.HttpContext.Current.Request.ServerVariables["HTTP_X_FORWARDED_FOR"].ToString();
        }
        else
        {
            user_ip = System.Web.HttpContext.Current.Request.ServerVariables["REMOTE_ADDR"].ToString();
        }
        return user_ip;
    }
    #endregion
The running result is as follows:
If you have ideas on how to avoid the defect in this address-acquisition mechanism, please share your opinions.
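One way to close the hole in GetUserRealRIP() is to treat X-Forwarded-For as meaningful only when the TCP peer (REMOTE_ADDR) is a proxy you operate yourself, and to read the header from the right, so that anything the client prepended is ignored. The following is an added example, not code from the original post; the addresses in TrustedProxies and the class and method names are assumptions, and the rate limiter that consumes the result is the reader's own.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Web;

// Added example: client address resolution that cannot be steered by request headers.
public static class ClientAddress
{
    // Hypothetical list: only the reverse proxies / load balancers this site sits behind.
    // A direct client connection never matches, so its headers are never consulted.
    static readonly HashSet<string> TrustedProxies = new HashSet<string> { "10.0.0.5", "10.0.0.6" };

    public static string GetClientIP(HttpRequest request)
    {
        return GetClientIP(request.ServerVariables["REMOTE_ADDR"],
                           request.ServerVariables["HTTP_X_FORWARDED_FOR"]);
    }

    // Split out so the logic can be exercised without an HttpContext.
    public static string GetClientIP(string remoteAddr, string forwardedFor)
    {
        // REMOTE_ADDR is the TCP peer: the one value the client cannot choose.
        // If the peer is not one of our proxies, nothing in the headers is trustworthy.
        if (remoteAddr == null || !TrustedProxies.Contains(remoteAddr))
            return remoteAddr;

        if (string.IsNullOrEmpty(forwardedFor))
            return remoteAddr;

        // X-Forwarded-For reads "client, proxy1, proxy2": each proxy appends the peer
        // it saw. Walk from the right, skipping our own proxies; the first address that
        // is not ours was appended by our proxy and is therefore the real client.
        // Anything the client put in the header itself sits further left and is ignored.
        string[] hops = forwardedFor.Split(',');
        for (int i = hops.Length - 1; i >= 0; i--)
        {
            string hop = hops[i].Trim();
            IPAddress parsed;
            if (!IPAddress.TryParse(hop, out parsed))
                return remoteAddr;          // malformed entry: fall back to the peer
            if (!TrustedProxies.Contains(hop))
                return parsed.ToString();   // normalised textual form
        }

        // Every hop was one of our proxies; the peer is the best we have.
        return remoteAddr;
    }
}
```

With this in place the test client above, connecting directly with "Via: 8.8.8.8" and "X_Forwarded_For: 9.9.9.9", is reported as 127.0.0.1, because its peer address is not in TrustedProxies. Behind a real proxy at 10.0.0.5 the header arrives as "9.9.9.9, 1.2.3.4" (the proxy appended the address it saw), and the right-to-left walk returns 1.2.3.4. Whatever limit you keep per address should be keyed on this value, and it is worth logging both REMOTE_ADDR and the raw header so that forged entries remain visible after the fact.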