HTML implements a cheating scheme for voting websites that restrict IP addresses

This cheating scheme for voting websites that limit votes by IP exploits flaws in how the voting website determines the remote IP. It does not actually forge the IP address: HTTP is a layer-7 protocol built on top of TCP, so forging the real IP address is impossible. A friend recently needed a voting program, so I researched this voting website. It has a verification code, and each IP is limited to one vote. It looks like a standard voting website. I studied the verification code first:

The verification code of this voting website was very simple at first: four standard digits in standard positions, which is easy to recognize. Later it changed so that the number of characters was no longer fixed, letters were included, and the vertical positions varied. Now the verification code is hard not only for software to recognize but also for a human. Just when it seemed there was no way forward, another path opened up. Please see the next paragraph for the breakdown!

After continued analysis, I found a flaw in the site's verification code check that makes the verification code useless. There is no need to recognize or verify the code; I bypassed it directly. The only check is JS code on the voting options page that tests whether the verification code is empty. JS runs on the client, so as a control this check has zero effect. Generally, this kind of JS validation exists only for the user's convenience. For a voting website to rely on it alone, without checking on the dynamic page that processes the vote whether the verification code is empty, is really not commendable and creates a serious security risk for the site.

Regarding the verification code, I worked out how the bypass works. As long as the verification code file is not requested when voting, the verification code will be empty. Since the dynamic page does not check whether the verification code is empty, it is enough for the verification code parameter to be empty when posting.
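The server-side check whose absence is described above, as an added example (not code from the voting site or from the original article). The session key and form field name `captcha`, the function names, and the reconstruction of the flawed comparison are assumptions; the hardened version fails closed when no code was ever issued or the parameter is empty.

```php
<?php
// Added example. Assumptions: the CAPTCHA image script stores the expected
// text in $_SESSION['captcha'], and the form field is also named 'captcha'.

// Flawed check (assumed reconstruction): if the image was never requested,
// the stored value is unset, and an empty submission compares equal to it.
function captcha_ok_flawed(array $session, array $post): bool
{
    return ($post['captcha'] ?? '') == ($session['captcha'] ?? '');
}

// Hardened check: fail closed on a missing or empty stored code, compare in
// constant time, and consume the code so it cannot be replayed.
function captcha_ok(array &$session, array $post): bool
{
    $expected = $session['captcha'] ?? '';
    unset($session['captcha']);            // one attempt per issued code
    $given = $post['captcha'] ?? '';
    if (!is_string($expected) || $expected === '') {
        return false;                      // no code was ever issued
    }
    if (!is_string($given) || $given === '') {
        return false;                      // empty parameter is a failure
    }
    // Case-insensitive matching is an assumption about the site's policy.
    return hash_equals(strtolower($expected), strtolower($given));
}

// Constructed sample 1: the session never loaded the CAPTCHA image and the
// parameter is posted empty, which is the case described in the text.
$session = [];
$post    = ['captcha' => ''];
var_dump(captcha_ok_flawed($session, $post));
var_dump(captcha_ok($session, $post));

// Constructed sample 2: a code was issued and answered, then replayed.
$session = ['captcha' => 'K7pQ'];
$post    = ['captcha' => 'k7pq'];
var_dump(captcha_ok($session, $post));
var_dump(captcha_ok($session, $post));
```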

The other problem is that the voting website checks the IP and allows only one vote per IP. Getting around that seemed possible only by using proxies, or by constantly disconnecting and redialing; I really couldn't think of any other good way. Later, this friend found a program that can vote on this website very quickly. I was very curious how this program handled the IP restriction, so I asked my friend for it to analyze.

First, I studied this voting software by capturing its packets. Once everything was ready, I opened the voting program and it immediately reported a software conflict! So I closed some programs; even after closing everything except the packet capture program, it still reported a conflict. It turns out this program anticipated that someone might analyze it: it enumerates process names to check for suspicious programs, and if it finds a program that could analyze it or capture its packets, it refuses to run. So far I know that the software it blocks includes the Easy Language (Yi Language) programming software and the WSockExpert_Cn packet capture software. I closed Yi Language, renamed WSockExpert_Cn, passed the software's own security check, and it ran successfully.

The following is the vote request it sent while I was using it:

POST /vote/view.php?sid=33act=vote HTTP/1.1   
Accept: */*   
Referer: http://www.qdnfy.gov.cn/vote/vote.php   
Content-Type: application/x-www-form-urlencoded   
X-Forwarded-For: 218.20.218.200   
CLIENT_IP: 218.20.218.200   
VIA: 218.20.218.200   
REMOTE_ADDR: 218.20.218.200   
Accept-Language: zh-cn   
Accept-Encoding: text   
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506)   
Host: www.qdnfy.gov.cn   
Cookie: PHPSESSID=pldjnb6scereodjm5niqb9q990  
Content-Length: 49   
Connection: Close

Notice the X-Forwarded-For HTTP header followed by an IP address. This parameter must have some story behind it; I had never known about it, so let's search for it on Baidu.

The following is an explanatory article found on Baidu. It explains it very well, so please take a look.

Forging the X-Forwarded-For field in the HTTP header to forge an IP: I looked up how X-Forwarded-For works on Baidu. It has been around for a long time, but this is the first time I have heard of it. X-Forwarded-For, abbreviated as the XFF header, represents the client, that is, the real IP of the HTTP requester. This item is only added when the request passes through an HTTP proxy or load-balancing server.

It is not a standard request header defined in an RFC. A detailed introduction to it can be found in the Squid caching proxy server development documentation.

The standard format is as follows:

X-Forwarded-For: client1, proxy1, proxy2

As the standard format shows, the X-Forwarded-For header can contain multiple entries, separated by commas. The first entry is the real client IP, and the rest are the IP addresses of the proxies or load balancers the request passed through; one entry appears for each hop.

Wikipedia's X-Forwarded-For explanation: http://en.wikipedia.org/wiki/X-Forwarded-For

Analysis:

Since we want to forge the client IP, let's first look at how the client IP address is generally obtained (taking PHP as an example). This code was found on Baidu; most websites may use it.

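<?php
// Was a proxy used? If so, take the IP from X-Forwarded-For.
// Both the Via and X-Forwarded-For headers are supplied by the client.
$user_IP = !empty($_SERVER["HTTP_VIA"])
    ? ($_SERVER["HTTP_X_FORWARDED_FOR"] ?? "")
    : $_SERVER["REMOTE_ADDR"];
// If that failed, fall back to REMOTE_ADDR
$user_IP = ($user_IP) ? $user_IP : $_SERVER["REMOTE_ADDR"];
?>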

First, the code checks whether the HTTP_VIA header exists; this header indicates whether a proxy server was used. If not, the client's IP address is taken from the REMOTE_ADDR field. If so, the client IP is taken from X-Forwarded-For. I guess many programmers got this code from Baidu. The ASP version is similar.

Then let’s test it.

 

Server code:

<?php
// Output HTTP_X_FORWARDED_FOR
echo "HTTP_X_FORWARDED_FOR:" . $_SERVER["HTTP_X_FORWARDED_FOR"];
// Output REMOTE_ADDR
echo "REMOTE_ADDR:" . $_SERVER["REMOTE_ADDR"];
?>

You can see that the two client IP addresses obtained are different. REMOTE_ADDR is the real address.

So if a website determines the client IP address from X-Forwarded-For, then this logic flaw can be used to inflate the vote count.
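How a server can decide the client IP without trusting client-supplied headers, as an added example (not code from the original article or the voting site): X-Forwarded-For is consulted only when the TCP peer is a known proxy, and the list is read right to left. `TRUSTED_PROXIES`, `client_ip()`, `spoof_indicators()`, the proxy address 10.0.0.5 and the documentation address 203.0.113.7 are all assumptions.

```php
<?php
// Added example. TRUSTED_PROXIES and both function names are hypothetical;
// 10.0.0.5 stands in for the site's own reverse proxy.
const TRUSTED_PROXIES = ['10.0.0.5'];

function client_ip(array $server): string
{
    $remote = $server['REMOTE_ADDR'];      // taken from the TCP connection
    // Direct connection: any X-Forwarded-For came from the client itself.
    if (!in_array($remote, TRUSTED_PROXIES, true)) {
        return $remote;
    }
    // Behind our proxy: walk right to left and return the first address
    // that is not one of our proxies. Entries further left are client input.
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? ''));
    foreach (array_reverse($hops) as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            break;                         // malformed or empty entry: stop
        }
        if (!in_array($hop, TRUSTED_PROXIES, true)) {
            return $hop;
        }
    }
    return $remote;
}

// The capture also sends REMOTE_ADDR and CLIENT_IP as request headers. PHP
// exposes request headers under HTTP_* keys, so they cannot overwrite
// $_SERVER['REMOTE_ADDR'], but their presence is a useful log signal.
function spoof_indicators(array $server): array
{
    $suspect = ['HTTP_REMOTE_ADDR', 'HTTP_CLIENT_IP'];
    return array_values(array_intersect($suspect, array_keys($server)));
}

// Constructed request modelled on the capture above, sent directly to the
// web server from 203.0.113.7.
$direct = [
    'REMOTE_ADDR'          => '203.0.113.7',
    'HTTP_X_FORWARDED_FOR' => '218.20.218.200',
    'HTTP_VIA'             => '218.20.218.200',
    'HTTP_CLIENT_IP'       => '218.20.218.200',
    'HTTP_REMOTE_ADDR'     => '218.20.218.200',
];
echo client_ip($direct), "\n";
echo implode(',', spoof_indicators($direct)), "\n";
// Constructed: same client via the proxy, which appends the peer it saw.
$proxied = ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '218.20.218.200, 203.0.113.7'];
echo client_ip($proxied), "\n";
```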
