一个简单的论坛灌水工具我在/index.php?prog=topic::flat&tid=219030里面回复了这样一个贴：标题是：Re:啥时候下雪啊回复内容是：下啊下啊经过截取后，得到这样的数据包：POST /index.php?prog=topic::reply&tid=219030 HTTP/1.1..Accept: image/gif,image/x-xbitmap, image/jpeg, image/pjpeg, */*..Referer:/index.php?prog=topic::flat&tid=219030..Accept-Language: zh-cn..Content-Type: application/x-www-form-urlencoded..Accept-Encoding: gzip, er-Agent: Mozilla/4.0 (compatible; MSIE 6.0;Windows NT 5.1)..Host: ..Content-Length: 509..Connection: Keep-Alive..Cache-Control: no-cache..Cookie: CEFS=56a4967e3f0923cc0b9e361d2599290f....title=Re%3A%C9%B6%CA%B1%BA%F2%CF%C2%D1%A9%B0%A1&cetag=checked&autoParseURL=checked&smiles=checked&showsign=checked&domai ns=&q=Google+Site+Search&sitesearch=&client=pub-9549696168596987&forid=1&channel=5833732144&ie=GB2312&oe=GB2312&cof=GALT%3A %23008000%3BGL%3A1%3BDIV%3A%23336699%3BVLC%3A663399%3BAH%3Acenter%3BBGC%3AFFFFFF%3BLBGC%3A 336699%3BALC%3A0000FF%3BLC%3A0000FF%3BT%3A000000%3BGFNT%3A0000FF%3BGIMP%3A0000FF%3BFORID %3A1%3B&hl=zh-CN&content=%CF%C2%B0%A1%CF%C2%B0%A1&parentid=0不要给这个数据包吓倒，实际上我们关心的只有几个地方，我都用红字标出了。

tid=219030:表示你回帖的是那个主贴Cookie: CEFS=56a4967e3f0923cc0b9e361d2599290f....：COOKIE的CEFS(它应该是标识一个特定COOKIE的32字节字符串)，用户登陆BBS后会返回一个CEFStitle=Re%3A%C9%B6%CA%B1%BA%F2%CF%C2%D1%A9%B0%：回复帖子的标题，这里的%3A%C9%B6%CA%B1%BA%F2%CF%C2%D1%A9%B0%代表的就是Re:啥时候下雪啊同理，content=%CF%C2%B0%A1%CF%C2%B0%A1&parentid=0也是代表发贴内容在这个数据包中，tid,title,content，我们都可以根据自己的需要随意改，只有cookie不可以，COOKIE的CEFS是用户登陆论坛后一个特定的标识，在同个用户的连续发贴过程中，它是可以保持不变的，关键在于我们如何获取这个CEFS，CEFS是用户在登陆论坛的时候，向服务器发送请求，服务器返回的一个标识字符串，所以在登陆论坛时，我们就要把服务器返回的CEFS记录起来，然后填写到回帖的数据包里面。

我模拟了一次登陆论坛，同时用WPE截取数据包，截取到这样的数据包：POST /index.php?prog=user::login HTTP/1.1..Accept: image/gif,image/x-xbitmap, image/jpeg,image/pjpeg, */*..Referer:/index.php?..Accept-Language: zh-cn..Content-Type: application/x-www-form-urlencoded..Accept-Encoding:gzip, er-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)..Host:..Content-Length: 70..Connection: Keep-Alive..Cache-Control: no-cache..Cookie:ce_tjbbspassword=;ce_tjbbsuserid=ername=阿东&password=XXXXXXXXX&show=1&image.x=24&image.y=13向服务器发送该数据包后，如果成功登陆，服务器返回数据包HTTP/1.1 200 OK..Date: Thu, 09 Dec 2004 13:18:18 GMT..Server: Apache/1.3.29 (Unix)mod_jk/1.2.5 PHP/4.3.4..X-Powered-By: PHP/4.3.4..Set-Cookie:CEFS=4da4e5e68db9b4750441afcb818b2c0f; path=/..Expires: Thu, 19 Nov 1981 08:52:00GMT..Cache-Control: no-store, no-cache, must-revalidate, post-check=0,pre-check=0..Pragma:no-cache..Content-Encoding: gzip..Keep-Alive: timeout=15,max=87..Connection: Keep-Alive..Transfer-Encoding: chunked..Content-Type:text/html....212..........x..SAk.@.....G.D.M....L<.".....$.638...t..od..Y(h.PW......n.<..C.......nve[....7.........Dx.B.0.........>...~.t.'G..?<......d.#`Z...`.......d.$..到目前为止，关于数据包的东西已经基本足够你写一个灌水程序了你只需要做的就是用SOCKET连接同济论坛服务器的HTTP端口，登陆，记录CEFS，利用该CEFS，每隔60秒向该端口发送数据包～～n_n~以下为灌水程序的片断(经过一些修改)：char hdrreg[]="POST /index.php?prog=user::login HTTP/1.1\r\n""Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,application/x-shockwave-flash,*/*\r\n""Referer: /index.php?\r\n""Accept-Language: zh-cn\r\n""Content-Type: application/x-www-form-urlencoded\r\n""Accept-Encoding: gzip, deflate\r\n""User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; iOpus-I-M)\r\n" "Host: \r\n""Content-Length: %d\r\n""Connection: Keep-Alive\r\n""Cache-Control: no_cache\r\n""Cookie: ce_tjbbsuserid; ce_tjbbspassword;\r\n""\r\n";char regcontent[]="username=%s&password=%s&show=1&image.x=14&image.y=8"; char hdrreply[]="POST /index.php?prog=topic::reply&tid=%s HTTP/1.1\r\n""Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,application/x-shockwave-flash,*/*\r\n""Referer:/index.php?prog=topic::flat&tid=%s&page=end\r\n" "Accept-Language: zh-cn\r\n""Content-Type: application/x-www-form-urlencoded\r\n""Accept-Encoding: gzip, deflate\r\n""User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; iOpus-I-M)\r\n" "Host: \r\n""Content-Length: %d\r\n""Connection: Keep-Alive\r\n""Cache-Control: no_cache\r\n""Cookie: CEFS=%s\r\n""\r\n";char rlytitle[]="title=%s&cetag=checked&autoParseURL=checked&smiles=checked&showsign=checked&content=%s&parentid=0";//登陆：char buf_h[1024];char buf_c[1024];char *p;char serverIP[]="61.129.64.163";u_short serverPort=u_short(80);destAddr = inet_addr(serverIP);memcpy(&destSockAddr.sin_addr, &destAddr, sizeof(destAddr)); destSockAddr.sin_port = htons(serverPort);destSockAddr.sin_family = AF_INET;destSocket = socket(AF_INET, SOCK_STREAM, 0);if (destSocket == INVALID_SOCKET){//errorreturn false;}status = connect(destSocket, (LPSOCKADDR)&destSockAddr,sizeof(destSockAddr));if (status == SOCKET_ERROR){//errorreturn false;}wsprintf(buf_c,regcontent,"阿东","密码****");wsprintf(buf_h,hdrreg,char(strlen(buf_c)));strcat(buf_h,buf_c);strcat(buf_h,&charend);numsnt = send(destSocket, buf_h, strlen(buf_h), 0);if (numsnt != (int)strlen(buf_h)){//errorreturn false;}numrcv=recv(destSocket, buf_h,strlen(buf_h) , 0);if ((numrcv == 0) || (numrcv == SOCKET_ERROR)){//errorreturn false;}//省略部分代码p=buf_h;p+=144;memcpy(cefs,p,4);if(cefs[0]!='C'){//errorreturn false;}p=buf_h;p+=149;memcpy(cefs,p,32);cefs[32]='{post.content}';//发贴char buf_h[1024];char buf_c[1024];//...省略部分代码char cbuf[50];char serverIP[]="61.129.64.163";u_short serverPort=u_short(80);int pid;CString strpid;while(1){destAddr = inet_addr(serverIP);memcpy(&destSockAddr.sin_addr, &destAddr, sizeof(destAddr)); destSockAddr.sin_port = htons(serverPort);destSockAddr.sin_family = AF_INET;destSocket = socket(AF_INET, SOCK_STREAM, 0);if (destSocket == INVALID_SOCKET){//errorreturn false;}status = connect(destSocket, (LPSOCKADDR)&destSockAddr, sizeof (destSockAddr));if (status == SOCKET_ERROR){//errorreturn false;}//////////////////////////wsprintf(buf_c,rlytitle,"大家好","路过，再水一下，莫怪");int len=strlen(buf_c);//随机产生要灌水的帖子PIDpid=rand()%1000;strpid.Format("%d",218000+pid);wsprintf(buf_h,hdrreply,strpid,strpid,unsigned char(len),cefs); strcat(buf_h,buf_c);//省略部分代码numsnt = send(destSocket, buf_h, strlen(buf_h), 0);if (numsnt != (int)strlen(buf_h)){//errorbreak;;}numrcv=recv(destSocket, buf_h,strlen(buf_h) , 0);if ((numrcv == 0) || (numrcv == SOCKET_ERROR)){//errorbreak;}//省略部分代码closesocket(destSocket);for (int i=0;i<60;i++){Sleep(1000);if (WaitForSingleObject(hEnd,0)!=WAIT_TIMEOUT) {return 0;}}}。