微慑信息网

[ASP] ASP与验证码

如今你要申请一个QQ号,需要输入很复杂的验证码:验证码由若干个汉字组成,还加上了花哩唬哨的背景,使得有些汉字实在难以辨认。腾讯这么做,是为了防止有人利用软件批量获取QQ号码—-每次提交都要输入随机生成的验证码,这是软件难以做到的。
最初的验证码,只是几个随机生成的数字。但是道高一尺魔高一丈,很快就有能识别数字的软件了,“收藏家”们利用这种软件批量获取帐号,或是探测密码,因为软件可以不知疲倦地不断submit。于是,出现了图片形式的验证码,还要加上无规则的背景,既然人眼都难以分辨,想来软件分辨起来就有一定的难度。但是腾讯开始采用汉字图片做验证码,是不是意味着破解验证码的技术又有了新进展,带背景的数字或字母图片形式的验证码,也可以被软件分辨了?
且不管那么多,我们来谈谈ASP生成验证码的办法吧。
还是从最简单的例子说起,来了解一下验证码的基本思路。
第一个例子,在显示表单的同时,生成一个4位的随机数做为验证码,利用session传递该验证码,在数据处理页面,比对用户输入的验证码与session中的值是否一致。顺便说一句,我曾见过有糊涂的仁兄利用hidden类型的input控件传递验证码,孰不知,通过查看页面源代码,该数据是暴露无遗的。还有password型的input中的数据也一样。
<% '********************************** '* NAME:post.asp * '* CODE:netops(www.netop.cc) * '* USE:验证码示例一:数字型 * '* TIME:2005.7 * '********************************** Response.Buffer = true Dim CheckCode Response.Write ""
'======***表单提交后:***======
if Request.ServerVariables("REQUEST_METHOD")="POST" then
Dim founderr,callform,msg
founderr = false '是否有错误发生
callform = false '是否调用表单
msg = "" '提示信息
'==============验证码验证开始===========
dim sessionCode
sessionCode = session("chkCode")
session("chkCode") = ""
CheckCode = trim(Request.Form("chkcode"))
if CheckCode = "" then
msg = msg + "

  • 请填写验证码"
    founderr = true
    callform = true
    elseif cstr(CheckCode) <> cstr(sessionCode) then
    msg = msg + "

  • 验证码不正确"
    founderr = true
    callform = true
    end if
    '==================验证码验证结束============
    if founderr = true then
    call message("500")
    if callform = true then call myform()
    else
    msg = "

  • 操作成功!"
    call message("500")
    end if
    '======***页面初始化(表单提交前)***======
    else
    CheckCode = ""
    call myform()
    end if
    Response.Write ""
    REM 子过程,定义表单
    Sub myform()
    Response.Write "

    "&_
    "

    "&_
    "

    "&_
    "

    "&_
    "

    "&_
    "

    "&_
    "

    验证码 &nbsp;&nbsp;&nbsp;&nbsp;"&_
    getChkCode()&"
    请填写文本框右侧的验证码
    "&_
    "

    "
    end Sub
    Rem 子函数,生成验证码(四位随机数)
    function getChkCode()
    dim ranNum
    randomize
    ranNum=int(9000*rnd)+1000
    session("chkCode") = ranNum
    getChkCode = ranNum
    end function
    Rem 提示信息
    sub message(w)
    Response.Write "

    "&_
    "

    "&_
    "

    提示信息
    "&msg&"

    "
    end sub
    %>
    以上代码展示生成验证码的一般思路,生成一个四位随机数作为验证码,这是最简单,同时也是最不安全的一种方法。
    或许你想到了,可以以每位数字对应一张图片,生成图片型的验证码,就象图片型计数器那样处理。这并不是一个好想法,它跟数值型的验证码没有本质上的区别,并不能提高安全性。
    下面,介绍如何生成图片型的验证码。
    首先,可以通过ASP生成xbm型的验证码,这的的确确是一张xbm格式的图片,而且,你可以任意设置图片的大小。为了简单起见,我们仍以数字为例。
    可以把生成验证码的代码独立出来,命名为checkcode.asp:
    <% '********************************************** '* NAME:checkcode.asp * '* CODE:netops(www.netop.cc) * '* USE:生成xbm格式的验证码 * '* TIME:2005.7 * '********************************************** on error resume next dim i dim countdata countdata="1234567890" dim rou,chkcode,chklen chkcode="" chklen = 4 randomize for i=1 to 4 rou = int(rnd*10) chkcode = chkcode + cstr(rou) next dim strDigits strDigits = Array(_ "0","0x3c","0x66","0x66","0x66","0x66","0x66","0x66","0x66","0x66","0x3c",_ "1","0x30","0x38","0x30","0x30","0x30","0x30","0x30","0x30","0x30","0x30",_ "2","0x3c","0x66","0x60","0x60","0x30","0x18","0x0c","0x06","0x06","0x7e",_ "3","0x3c","0x66","0x60","0x60","0x38","0x60","0x60","0x60","0x66","0x3c",_ "4","0x30","0x30","0x38","0x38","0x34","0x34","0x32","0x7e","0x30","0x78",_ "5","0x7e","0x06","0x06","0x06","0x3e","0x60","0x60","0x60","0x66","0x3c",_ "6","0x38","0x0c","0x06","0x06","0x3e","0x66","0x66","0x66","0x66","0x3c",_ "7","0x7e","0x66","0x60","0x60","0x30","0x30","0x18","0x18","0x0c","0x0c",_ "8","0x3c","0x66","0x66","0x66","0x3c","0x66","0x66","0x66","0x66","0x3c",_ "9","0x3c","0x66","0x66","0x66","0x66","0x7c","0x60","0x60","0x30","0x1c") dim iCharWidth,iCharHeight,theBit,theNum,iRow,k,theOffset dim imageStr imageStr = "" iCharWidth = 8 iCharHeight= 10*1 Response.ContentType ="image/x-xbitmap" Response.Expires =0 Response.Write "#define counter_width "&iCharWidth*chklen&chr(13) & chr(10) Response.Write "#define counter_height "&iCharHeight&chr(13) & chr(10) Response.Write "static unsigned char counter_bits[]={" for iRow=0 to iCharHeight-1 for i=1 to chklen theBit=mid(chkcode,i,1) k=0 do while k=ubound(strDigits) then k=0
    theOffset = k + 1
    imageStr = imageStr + (strDigits(theOffset+iRow))&","
    next
    next
    imageStr = left(imageStr,(len(imageStr)-1))
    Response.Write imageStr
    Response.Write "};"
    session("chkCode") = chkcode
    %>
    在post.asp中,定义表单时,相应的代码改为:
    REM 子过程,定义表单
    Sub myform()
    Response.Write "

    "&_
    "

    "&_
    "

    "&_
    "

    "&_
    "

    "&_
    "

    "&_
    "

    验证码 &nbsp;&nbsp;&nbsp;&nbsp;"&_
    "
    请填写文本框右侧的验证码
    "&_
    "

    "
    end Sub
    以上就是最简单的xbm型的验证码。但是这种格式的验证码,windows xp sp2的用户无法看到,原因是xp sp2取消了对xbm格式文件的支持。不过,可以通过修改注册表解决这个问题:打开注册表,找到HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet ExplorerSecurity,用右键增加一个 dword 值,改名为 BlockXBM,其值为 00000000 。改好后,重新打开游览器就可以了。也可以用文件编辑器编辑一文件,内容如下:
    REGEDIT4
    [HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet ExplorerSecurity]
    "BlockXBM"=dword:00000000
    将该文件保存为扩展名为reg的注册表文件,然后双击该文件即可。
    除了xbm格式的验证码,也可以利用Adodb.Stream对象,开发出更复杂的BMP型验证码,可以从http://www.netop.cc/downloads/bmpchkcode.rar得到相关程序。利用该程序,可以生成数字、字母混合,彩色,且有彩色背景的验证码。
    对于租用空间的朋友来说,使用第三方组件受到很大限制。如果拥有自己的服务器,可以试一下利用ASP绘图组件shotgraph生成验证码,该验证码是GIF格式的,具有很广泛的通用性。该组件可从http://www.netop.cc/downloads/shotgraph.zip得到。压缩包里有详细的示例程序和说明文档。
    总之,生成验证码的办法很多,现在有很多第三方组件可以帮助你生成各种样式的验证码,上网找找看吧。

  • 赞(0) 打赏
    转载请附本站链接,未经允许不得转载,,谢谢:微慑信息网-VulSee.com » [ASP] ASP与验证码

    评论 抢沙发

    微慑信息网 专注工匠精神

    微慑信息网-VulSee.com-关注前沿安全态势,聚合网络安全漏洞信息,分享安全文档案例

    访问我们联系我们

    觉得文章有用就打赏一下文章作者

    非常感谢你的打赏,我们将继续提供更多优质内容,让我们一起创建更加美好的网络世界!

    支付宝扫一扫打赏

    微信扫一扫打赏

    登录

    找回密码

    注册