使用VC++和WINSOCK编写简单的BBS灌水程序

首先我们来分析，回复一个帖子，究竟向HTTP服务器发送什么数据呢？

我是通过用WPE截取网络数据包的方法来截取分析数据包的，如果有需要WPE的同学可以PM我。

这里就不详细讲WPE了，我在http://bbs.tongji.net/index.php?prog=topic::flat&tid=219030里面回复

了这样一个贴：
标题是：Re:啥时候下雪啊　
回复内容是：下啊下啊
经过截取后，得到这样的数据包：

POST /index.php?prog=topic::reply&tid=219030 HTTP/1.1..Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*..Referer: http://bbs.tongji.net/index.php? prog=topic::flat&tid=219030..Accept-Language: zh-cn..Content-Type: application/x-www-form- urlencoded..Accept-Encoding: gzip, deflate..User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)..Host: bbs.tongji.net..Content-Length: 509..Connection: Keep-Alive..Cache- Control: no-cache..Cookie: CEFS=56a4967e3f0923cc0b9e361d2599290f.... title=Re%3A%C9%B6%CA%B1%BA%F2%CF%C2%D1%A9%B0% A1&cetag=checked&autoParseURL=checked&smiles=checked&showsign=checked&domains=bbs.tongji.net &q=Google+Site+Search&sitesearch=bbs.tongji.net&client=pub- 9549696168596987&forid=1&channel=5833732144&ie=GB2312&oe=GB2312&cof=GALT%3A%23008000%3BGL% 3A1%3BDIV%3A%23336699%3BVLC%3A663399%3BAH%3Acenter%3BBGC%3AFFFFFF%3BLBGC%3A336699%3BALC% 3A0000FF%3BLC%3A0000FF%3BT%3A000000%3BGFNT%3A0000FF%3BGIMP%3A0000FF%3BFORID%3A1%3B&hl=zh- CN&content=%CF%C2%B0%A1%CF%C2%B0%A1&parentid=0

不要给这个数据包吓倒，实际上我们关心的只有几个地方，我都用红字标出了。
tid=219030:表示你回帖的是那个主贴

Cookie: CEFS=56a4967e3f0923cc0b9e361d2599290f....：
COOKIE的CEFS(它应该是标识一个特定COOKIE的32字节字符串)，用户登陆BBS后会返回一个CEFS

title=Re%3A%C9%B6%CA%B1%BA%F2%CF%C2%D1%A9%B0%：
回复帖子的标题，这里的%3A%C9%B6%CA%B1%BA%F2%CF%C2%D1%A9%B0%代表的就是Re:啥时候下雪啊　
同理，content=%CF%C2%B0%A1%CF%C2%B0%A1&parentid=0也是代表发贴内容

在这个数据包中，tid,title,content，我们都可以根据自己的需要随意改，只有cookie不可以，
COOKIE的CEFS是用户登陆论坛后一个特定的标识，在同个用户的连续发贴过程中，它是可以保持不变的，
关键在于我们如何获取这个CEFS，CEFS是用户在登陆论坛的时候，向服务器发送请求，服务器返回的一个

标识字符串，所以在登陆论坛时，我们就要把服务器返回的CEFS记录起来，然后填写到回帖的数据包里面

。

我模拟了一次登陆论坛，同时用WPE截取数据包，截取到这样的数据包：

POST /index.php?prog=user::login HTTP/1.1..Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*..Referer: http://bbs.tongji.net/index.php?..Accept-Language: zh- cn..Content-Type: application/x-www-form-urlencoded..Accept-Encoding: gzip, deflate..User- Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)..Host: bbs.tongji.net..Content- Length: 70..Connection: Keep-Alive..Cache-Control: no-cache..Cookie: ce_tjbbspassword=; ce_tjbbsuserid=....username=阿东&password=XXXXXXXXX &show=1&image.x=24&image.y=13

向服务器发送该数据包后，如果成功登陆，服务器返回数据包

HTTP/1.1 200 OK..Date: Thu, 09 Dec 2004 13:18:18 GMT..Server: Apache/1.3.29 (Unix) mod_jk/1.2.5 PHP/4.3.4..X-Powered-By: PHP/4.3.4..Set-Cookie: CEFS=4da4e5e68db9b4750441afcb818b2c0f; path=/..Expires: Thu, 19 Nov 1981 08:52:00 GMT..Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0..Pragma: no-cache..Content-Encoding: gzip..Keep-Alive: timeout=15, max=87..Connection: Keep- Alive..Transfer-Encoding: chunked..Content-Type: text/html....212..........x..SAk.@.....G.D.M....L<.".....$.638...t..od..Y (h.PW......n.<..C.......nve[....7.........Dx.B.0.........>...~.t.'G..? <......d.#`Z...`.......d.$..

到目前为止，关于数据包的东西已经基本足够你写一个灌水程序了

你只需要做的就是用SOCKET连接同济论坛服务器的HTTP端口，登陆，记录CEFS，利用该CEFS，每隔60秒向

该端口发送数据包～～n_n~

以下为灌水程序的片断(经过一些修改)：

char hdrreg[]= "POST /index.php?prog=user::login HTTP/1.1/r/n" "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*/r/n" "Referer: http://bbs.tongji.net/index.php?/r/n" "Accept-Language: zh-cn/r/n" "Content-Type: application/x-www-form-urlencoded/r/n" "Accept-Encoding: gzip, deflate/r/n" "User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; iOpus-I-M)/r/n" "Host: bbs.tongji.net/r/n" "Content-Length: %d/r/n" "Connection: Keep-Alive/r/n" "Cache-Control: no_cache/r/n" "Cookie: ce_tjbbsuserid; ce_tjbbspassword;/r/n" "/r/n"; char regcontent[]="username=%s&password=%s&show=1&image.x=14&image.y=8"; char hdrreply[]= "POST /index.php?prog=topic::reply&tid=%s HTTP/1.1/r/n" "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*/r/n" "Referer: http://bbs.tongji.net/index.php?prog=topic::flat&tid=%s&page=end/r/n" "Accept-Language: zh-cn/r/n" "Content-Type: application/x-www-form-urlencoded/r/n" "Accept-Encoding: gzip, deflate/r/n" "User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; iOpus-I-M)/r/n" "Host: bbs.tongji.net/r/n" "Content-Length: %d/r/n" "Connection: Keep-Alive/r/n" "Cache-Control: no_cache/r/n" "Cookie: CEFS=%s/r/n" "/r/n"; char rlytitle[]= "title=%s&cetag=checked&autoParseURL=checked&smiles=checked&showsign=checked&content=% s&parentid=0";

//登陆： char buf_h[1024]; char buf_c[1024]; char *p; char serverIP[]="61.129.64.163"; u_short serverPort=u_short(80); destAddr = inet_addr(serverIP); memcpy(&destSockAddr.sin_addr, &destAddr, sizeof(destAddr)); destSockAddr.sin_port = htons(serverPort); destSockAddr.sin_family = AF_INET; destSocket = socket(AF_INET, SOCK_STREAM, 0); if (destSocket == INVALID_SOCKET) { //error return false; } status = connect(destSocket, (LPSOCKADDR)&destSockAddr, sizeof(destSockAddr)); if (status == SOCKET_ERROR) { //error return false; } wsprintf(buf_c,regcontent,"阿东","密码****"); wsprintf(buf_h,hdrreg,char(strlen(buf_c))); strcat(buf_h,buf_c); strcat(buf_h,&charend); numsnt = send(destSocket, buf_h, strlen(buf_h), 0); if (numsnt != (int)strlen(buf_h)) { //error return false; } numrcv=recv(destSocket, buf_h,strlen(buf_h) , 0); if ((numrcv == 0) || (numrcv == SOCKET_ERROR)) { //error return false; } //省略部分代码 p=buf_h; p+=144; memcpy(cefs,p,4); if(cefs[0]!='C') { //error return false; } p=buf_h; p+=149; memcpy(cefs,p,32); cefs[32]='{post.content}';

//发贴 char buf_h[1024]; char buf_c[1024]; //...省略部分代码 char cbuf[50]; char serverIP[]="61.129.64.163"; u_short serverPort=u_short(80); int pid; CString strpid; while(1) { destAddr = inet_addr(serverIP); memcpy(&destSockAddr.sin_addr, &destAddr, sizeof(destAddr)); destSockAddr.sin_port = htons(serverPort); destSockAddr.sin_family = AF_INET; destSocket = socket(AF_INET, SOCK_STREAM, 0); if (destSocket == INVALID_SOCKET) { //error return false; } status = connect(destSocket, (LPSOCKADDR)&destSockAddr, sizeof (destSockAddr)); if (status == SOCKET_ERROR) { //error return false; } ////////////////////////// wsprintf(buf_c,rlytitle,"大家好","路过，再水一下，莫怪"); int len=strlen(buf_c); //随机产生要灌水的帖子PID pid=rand()%1000; strpid.Format("%d",218000+pid); wsprintf(buf_h,hdrreply,strpid,strpid,unsigned char(len),cefs); strcat(buf_h,buf_c); //省略部分代码 numsnt = send(destSocket, buf_h, strlen(buf_h), 0); if (numsnt != (int)strlen(buf_h)) { //error break;; } numrcv=recv(destSocket, buf_h,strlen(buf_h) , 0); if ((numrcv == 0) || (numrcv == SOCKET_ERROR)) { //error break; } //省略部分代码 closesocket(destSocket); for (int i=0;i<60;i++) { Sleep(1000); if (WaitForSingleObject(hEnd,0)!=WAIT_TIMEOUT) { return 0; } } }