This is about a cheating scheme against voting websites that limit votes per IP. The method exploits a loophole in how voting websites detect the remote IP; it does not really forge an IP address. HTTP is the seventh layer, built on top of TCP, so it is impossible to forge the real IP address. A friend recently needed voting software, so I looked into this voting website. It has a verification code, and each IP is limited to one vote. It looks like a standard voting website. I studied the verification code first:
At first the verification code of this voting website was very simple: four digits in standard positions, easy to recognize. Later it changed so that the number of digits was no longer fixed, letters appeared as well, and the characters were no longer aligned vertically. Now the verification code was difficult to recognize not only for software but also by hand. Just when the mountains and rivers seem to leave no way out, another village appears among dark willows and bright flowers. Please see the next paragraph for the breakdown!
After continued analysis and research, I discovered a loophole in the site's verification code check. With this loophole the verification code becomes useless: there is no need to recognize or verify the code, and I bypassed it directly. The site only placed JS code on the voting options page to check whether the verification code is empty. JS code runs on the client, so the effect of this check is zero. Generally, this kind of JS validation is only a convenience for users. For a voting website to rely on this check alone, while the dynamic page that processes the vote does not check whether the verification code is empty, is really not commendable and creates a great hidden danger for the security of the website.
Regarding the verification code issue, here is the cracking method as I understand it. As long as the verification code file is not directly accessed when voting, the verification code will be empty. Since the dynamic page does not check whether the verification code is empty, it is enough to leave the verification code parameter empty when posting.
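The server-side check that closes this gap, as an added example that is not code from the voting site or from the original post. The `session` and `form` dictionaries and all function names are assumptions, and the flawed check is a model of how an empty stored code can match an empty submitted code.

```python
import hmac
import secrets


def issue_captcha(session):
    """Called by the (hypothetical) captcha image endpoint: store the answer server-side."""
    session["captcha"] = secrets.token_hex(2)  # constructed 4-character stand-in
    return session["captcha"]


def flawed_check(session, form):
    # Model of the flaw: if the captcha endpoint was never requested, the stored
    # answer is empty, and an empty submitted value compares equal to it.
    return form.get("code", "") == session.get("captcha", "")


def hardened_check(session, form):
    # pop(): the answer is single-use, so a solved captcha cannot be replayed.
    expected = session.pop("captcha", None)
    submitted = form.get("code", "").strip()
    # Reject when either side is missing or empty, regardless of any client-side JS.
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected.lower().encode(), submitted.lower().encode())
```
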
The other problem is that the voting website checks the IP and allows only one vote per IP. Getting around this seemed possible only by using a proxy or by constantly disconnecting and redialing. I really couldn't think of any other good way. Later, this friend found a program that can vote on this website very quickly. I was very curious how this program dealt with the IP restriction, so I asked my friend for it so I could analyze it.
First of all, I studied this voting software by capturing packets. Once I was ready, I opened the voting program and, whoosh, it reported a software conflict! Haha, fine, I closed some programs. After shutting them down, only the packet capture program was left, and it still reported a conflict. Haha, it turned out that this program anticipated that someone might analyze it: it enumerates process names to check for suspicious programs, and if it finds a program that could analyze it or capture its packets, it simply refuses to run. So far I know that the software it blocks includes the Easy Language programming software and the WSockExpert_Cn packet capture software. I closed Easy Language, renamed WSockExpert_Cn, passed the software's own security check, and it ran successfully.
The following is the packet it sent when voting while I was using it:
I noticed the X-Forwarded-For HTTP header parameter followed by an IP. Haha, this parameter must have some story behind it. I had never known about it, so I quickly searched for it on Baidu.
The following is an explanatory article from Baidu. It explains it very well; please take a look.
Forging the X-Forwarded-For field in the HTTP header to forge an IP
I looked up the principle of X-Forwarded-For on Baidu. It has been around for a long time, but this is the first time I have heard of it. X-Forwarded-For, abbreviated as the XFF header, represents the client, that is, the real IP of the HTTP requester. This item is only added when the request passes through an HTTP proxy or load-balancing server.
It is not standard request header information defined in an RFC. A detailed introduction to this item can be found in the Squid cache proxy server development documentation.
The standard format is as follows:
X-Forwarded-For: client1, proxy1, proxy2
As the standard format shows, X-Forwarded-For can contain multiple entries, separated by commas. The first item is the real client IP, and the rest are the IPs of the proxies or load balancers the request has passed through; one entry appears for each address it passed through.
Wikipedia's explanation of X-Forwarded-For: http://en.wikipedia.org/wiki/X-Forwarded-For
Analysis:
Since we want to forge the client IP, let's first look at how the client IP address is usually obtained (taking PHP as an example). This code was found on Baidu. Most websites probably use this code.
It first determines whether the HTTP_VIA header exists; the HTTP_VIA header indicates whether a proxy server is used. If not, it gets the client's IP address from the REMOTE_ADDR field. If it does, it gets the client IP from X-Forwarded-For. I estimate that many programmers' code comes straight from Baidu. ASP is similar.
Then let’s test it.
Server code:
You can see that the obtained client IP addresses are different. REMOTE_ADDR is the real address.
So if a website determines the client IP address from X-Forwarded-For, then we can use this logic loophole to increase votes.
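How a site avoids this loophole, as an added example that is not code from the original post or from the voting site: the lookup pattern described above next to one that uses the TCP peer address and reads X-Forwarded-For only when the peer is a proxy the site operates. The dictionary keys follow the CGI/WSGI names used above; the trusted network, the function names and the sample requests are assumptions.

```python
import ipaddress

# Assumption: networks that hold the reverse proxies / load balancers you operate.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def naive_client_ip(environ):
    """Pattern described above: believe X-Forwarded-For whenever Via is present."""
    if environ.get("HTTP_VIA"):
        first = environ.get("HTTP_X_FORWARDED_FOR", "").split(",")[0].strip()
        if first:
            return first  # client-supplied text, never verified
    return environ["REMOTE_ADDR"]


def _trusted(addr):
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(environ):
    """Use the TCP peer; consult XFF only behind our own proxies, right to left."""
    candidate = environ["REMOTE_ADDR"]
    if not _trusted(candidate):
        return candidate  # direct connection: request headers are ignored
    hops = [h.strip() for h in environ.get("HTTP_X_FORWARDED_FOR", "").split(",")]
    for hop in reversed([h for h in hops if h]):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: keep the last verified address
        candidate = hop
        if not _trusted(hop):
            break  # first address recorded by our own proxy; ignore the rest
    return candidate


# Constructed sample requests (documentation address ranges).
DIRECT = [{"REMOTE_ADDR": "203.0.113.7", "HTTP_VIA": "1.1 example",
           "HTTP_X_FORWARDED_FOR": f"198.51.100.{i}"} for i in (1, 2, 3)]
VIA_LB = {"REMOTE_ADDR": "10.0.0.5",
          "HTTP_X_FORWARDED_FOR": "198.51.100.9, 203.0.113.7"}


def distinct_voters(resolver, requests):
    """Number of different 'IPs' a one-vote-per-IP limiter would see."""
    return len({resolver(r) for r in requests})
```

With the constructed requests, the one-vote-per-IP limit sees three voters through `naive_client_ip` and one through `client_ip`.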