Home >Web Front-end >HTML Tutorial >HTML implements a cheating scheme for voting websites that restricts IP addresses

HTML implements a cheating scheme for voting websites that restricts IP addresses

高洛峰
高洛峰Original
2017-02-25 13:48:231509browse

For the voting website cheating scheme that limits IP, this method takes advantage of some loopholes in the voting website to monitor remote IP. There is no real forged IP address. HTTP is the seventh layer above TCP, which is impossible. A friend who forged a real IP address recently needed a voting software. I recently researched this voting website. This voting website has a verification code and each IP is limited to one vote. It seems to be a standard voting website. I studied the verification code first:

The verification code of this voting website is very simple at first, with four standard numbers in standard positions, which is easy to identify. Later, it changed to the point where the number of digits was not necessarily certain, and there were also letters, and the positions were not necessarily up and down. Now the recognition of the verification code was not only difficult for software, but also difficult for manual identification. There is no way out in the mountains and rivers, but there is another village with dark willows and bright flowers. Please see the next paragraph for the breakdown!

After my continuous analysis and research, I found that there was a loophole in his verification code check. I discovered this loophole. This verification code has become useless. There is no need to identify or verify the code. I bypassed it directly because he only The voting options page sets the js code that checks whether the verification code is empty. The js code is run on the client. The effect of this verification is zero. Generally, this kind of JS verification is only for the convenience of users. As a voting website, it only uses this A verification method that does not check whether the verification code is empty on the voting processing dynamic page is really not flattering and brings great hidden dangers to the security of the website.

Regarding the verification code issue, I have learned about the cracking method. As long as the verification code file is not directly accessed when voting, the verification code will be empty. Since its dynamic page does not check whether the verification code is empty , so as long as the verification code parameter is empty when posting.

Then another problem is that the voting website checks the IP and restricts an IP to only allow one vote. This can only be achieved by using a proxy, or by constantly disconnecting and dialing up. I really couldn't think of any other good way. Later, this friend found a program that can vote on this website very quickly. I was very curious about the IP solution of this program, so I asked my friend to analyze it.

First of all, I studied this voting software by capturing packets. After I was ready, I opened the voting program and "Refreshed! Prompt software conflict!" Haha, no, then I will turn off some After closing all the programs, only one packet capture program was left and it still prompted a conflict. Haha, it turns out that this program actually knew that someone might analyze its software. It even traversed the process names to check whether there were any suspicious programs. If there was a program, it would analyze it. Or if the packet is captured, it will refuse to run. Haha, currently I know that the software he restricts includes easy language programming software and WSockExpert_Cn packet capture software. Haha, I turned off Yi Language, changed the name of WSockExpert_Cn, and successfully passed the software's own security test and ran successfully.

The following is the data packet that he voted for during my use:

POST /vote/view.php?sid=33act=vote HTTP/1.1   
Accept: */*   
Referer: http://www.qdnfy.gov.cn/vote/vote.php   
Content-Type: application/x-www-form-urlencoded   
X-Forwarded-For: 218.20.218.200   
CLIENT_IP: 218.20.218.200   
VIA: 218.20.218.200   
REMOTE_ADDR: 218.20.218.200   
Accept-Language: zh-cn   
Accept-Encoding: text   
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506)   
Host: www.qdnfy.gov.cn   
Cookie: PHPSESSID=pldjnb6scereodjm5niqb9q990  
Content-Length: 49   
Connection: Close

-Forwarded-For Found this http header parameter followed by IP, haha, this The parameters must have some background. It turns out that I never knew it. Haha, let’s search it on Baidu.

The following is an explanatory article from Baidu. It explains it very well. Please take a look.
Forging the X-Forwarded-For field in the HTTP header to forge an IP Baidu studied the principle of X-Forwarded-For. This thing has been out for a long time. This is the first time I have heard of X-Forwarded-For: abbreviation XFF header, which represents the client, that is, the real IP of the HTTP requester. This item will only be added when passing the HTTP proxy or load balancing server.

It is not the standard request header information defined in RFC. A detailed introduction to this item can be found in the Squid cache proxy server development documentation.

The standard format is as follows:

X-Forwarded-For: client1, proxy1, proxy2

As can be seen from the standard format, X-Forwarded- There can be multiple For header information, separated by commas. The first item is the real client IP, and the rest are the proxy or load balancing IP addresses that have passed through. Several will appear after passing several.

wiki’s X-Forwarded-For explanation http://en.wikipedia.org/wiki/X-Forwarded-For analysis:

Since we want to forge the client IP, let’s first Let’s take a look at how the client IP address is generally obtained (take PHP as an example). This code was searched on Baidu. Most websites may use this code.

$user_IP = ($_SERVER["HTTP_VIA"]) ? //是否使用了代理    
$_SERVER["HTTP_X_FORWARDED_FOR"] : $_SERVER["REMOTE_ADDR"];    
//获取失败则从REMOTE_ADDR获取   
$user_IP = ($user_IP) ? $user_IP : $_SERVER["REMOTE_ADDR"];    
?>

First, determine whether the HTTP_VIA header exists. The HTTP_VIA header represents whether a proxy server is used. If not, obtain the client's IP address from the REMOTE_ADDR field. If so, obtain the client's IP address from the X-Forwarded field. -For getting the client IP, I guess many programmers come from Baidu code. The asp is similar.

Then let’s test it.

 

Server code:

//输出HTTP_X_FORWARDED_FOR    
echo "HTTP_X_FORWARDED_FOR:".$_SERVER["HTTP_X_FORWARDED_FOR"];    
//输出REMOTE_ADDR echo "REMOTE_ADDR:". $_SERVER["REMOTE_ADDR"];    
?>

You can see that the obtained client IP address is different. REMOTE_ADDR is the real address.

So if a website determines the client IP address from X-Forwarded-For, then we can use this logical loophole to swipe votes.

For more articles related to HTML implementation of voting website cheating scheme that restricts IP addresses, please pay attention to the PHP Chinese website!

Statement:
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn