How to make an unlimited file storage system from Yandex.Disk

    This article is the final one in a series of my posts about Yandex.Disk and file uploading: bypassing the captcha, downloading part of a file from a remote source with a Range request, and automatic upload to Yandex.Disk. All these posts are united by one desire: to figure out exactly how the Yandex.Disk protection system works and what its weaknesses are. By no means do I want to say that non-professionals work at Yandex; on the contrary, studying the code, I came to the opposite conclusion. The only goal of this article is to show, using Yandex.Disk as an example, how you can turn a free file hosting service into free storage for your project; it is just an idea. And, of course, to give the developers of such services something to think about.

    So, I present to your attention an example of the use of Yandex.Disk file hosting for some purposes.

    Uploading the file is the easiest part of this system; you can read how it is done in my previous post. Next, Yandex.Disk issues a link and the next part comes into play: bypassing the captcha.

    When the captcha is successfully passed, the system gives you a temporary link of the form temporary_hash/file_name. This link is only valid until you download the file completely or at least 24 hours have passed. Yandex.Disk determines this in the simplest way: by HTTP status code 200. As soon as the server has given you such a response, it will not give you anything else from this link. There is also a limit on the number of links generated without a captcha (according to the latest data, counted over the last 5 minutes), which does not allow you to download many files at a time. Everything seems logical? How can you get around such a "dumb counter" that simply counts how many links it has issued: 1-2-3-4-5 and CAPTCHA. Right? But this is exactly the problem; it is here that the foundation for bypassing this system is laid. We don't need to store 5-gigabyte files, do we? After all, we need to store files of 5, 10, 100 megabytes, don't we? And what is this counter to us when there is an archive? Under the archive, in this particular case,

    You pack your files into 5-gigabyte archives and access them using the script for downloading a file in parts. Even if you have 1 large file, just add 1 byte to it and everything will work. Since the link is valid for about a day, during this time you can download your files back an unlimited number of times. Yandex.Disk will think that you are simply downloading the file in parts, returning HTTP status code 206, and the link will remain valid even after you have downloaded the file! For this reason, a limit of 10 requests without captcha with Yandex.Bar in 5 minutes (experts will correct me on the exact number) is more than enough. And not because the developer made a mistake, but because the developer thought that the captcha protects a file, whereas it turns out that the captcha protects several files inside one file.

    The strangest thing is that connection blocking is applied per link, not per IP address, i.e. you can generate a couple of dozen links, regenerate them as they expire (approximately every 24 hours at the moment) and download the same file from one IP in several streams (at least I succeeded). So you will always have enough streams to download files. From time to time you will have to download the file completely so that you do not have to prolong its life manually.

    In fact, even if Yandex turns off the ability to download files without a captcha, it won't solve the problem, since you need to enter the captcha only once a day (for example, by including the Yandex.Disk captcha in the registration on your project) to download anything from the archive, as much as you like. If you introduce a restriction on the size of the file downloaded via the link, you can run into problems with some download managers, which, in case of errors, may re-download part of the file, especially if the file is large and the channel is not very good.
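
    Seen from the service side, the gap described above is that only a 200 response retires a temporary link, while 206 responses are never counted. The following is an added example (not from the original article and not Yandex's code) of a per-link byte budget that charges both kinds of response and leaves headroom for download-manager retries; the TempLink class, the 1.5 retry factor and the returned status codes are assumptions.

```python
import re
import time
from dataclasses import dataclass

RANGE_RE = re.compile(r"^bytes=(\d*)-(\d*)$")


def parse_range(header, size):
    """Return an inclusive (start, end) for a single byte range, or None."""
    m = RANGE_RE.match(header.strip())
    if not m or m.groups() == ("", ""):
        return None
    first, last = m.groups()
    if first == "":                      # suffix form: the last N bytes
        n = int(last)
        return (max(size - n, 0), size - 1) if n > 0 else None
    start = int(first)
    end = min(int(last), size - 1) if last else size - 1
    return (start, end) if start <= end and start < size else None


@dataclass
class TempLink:
    """Hypothetical per-link state kept by the file service."""
    size: int                  # file size in bytes (assumed > 0)
    expires_at: float          # absolute expiry time, seconds
    retry_factor: float = 1.5  # assumed allowance for download-manager retries
    served: int = 0            # bytes charged so far, over 200 AND 206 replies

    def authorize(self, range_header=None, now=None):
        """Return (status, length) and charge the bytes to the link budget."""
        now = time.time() if now is None else now
        if now >= self.expires_at:
            return 410, 0
        if range_header is None:
            status, length = 200, self.size
        else:
            span = parse_range(range_header, self.size)
            if span is None:
                return 416, 0
            status, length = 206, span[1] - span[0] + 1
        if self.served + length > self.size * self.retry_factor:
            return 403, 0      # budget spent: a new captcha-gated link is needed
        self.served += length
        return status, length
```

    Charging at authorization time keeps the sketch short; a real server would charge the bytes actually written to the socket, so that aborted transfers are not billed in full.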

    How can all this be used? Well, for example, you are creating the next file trash ala or photo hosting, but do not want to run into Yandex.Fotki's limitations. What is the main problem of all such projects? Right: where to store files cheaply. In the case of Yandex.Disk, you can simply buy shared / VPS hosting in Moscow and for 300 rubles get access to an unlimited 100 megabit channel to Yandex. I.e., with a minimum investment you will get a garbage dump of unlimited capacity. With a little work, it is realistic to build a solid project, with data cached on the shared hosting and permanent storage on Yandex.Disk.

    Of course, for large projects, such things are not done, but I think that at the initial stages of the development of your startup, the cost of servicing servers and storage systems comes to the fore, and in this case you can use this idea.

    PS This article is the result of my research and in no way encourages the use of information for personal gain. My goal is to help developers improve the security of web applications, to make them think that their application can be used not only as they originally intended, but, for example, in such a "tricky" way. That is why I will not give any source code for a complete system.

    PPS Judging by the comments on my previous post, it turned out that Yandex is tolerant of this problem. Well, I think we will soon find out, if the scripts presented in my articles continue to work :)

    PPPS This series ends with this article, as does my vacation, and I have to go back to work, so you should not expect new posts soon. I hope you enjoyed my articles.
