Previously deleted
I remember the last penetration test was in 1990, damn, my mind was completely blank 😅
Incident Cause#
I have played in various black and gray industries in the past few years, so after watching "All In", I became very indignant.
After watching it for the third time, I searched through all my emails, but it was useless.
Until one day, my inbox, yes, my inbox received a spam email.
It's unbelievable, it didn't go to the spam folder.
Finally, it arrived, with an excited heart and trembling hands.
Email Entrance#
The sending domain is not resolved, and the mail server is an IIS. Let's check it on fofa.
It should be a server specifically for sending spam emails, there's nothing useful to find.
QR Code Analysis#
Let's decode it first.
It seems to be this website, let's launch a precise penetration test on it 🤣
It's a live code that uses Weiyun to share files, let's get the website address again.
The short link redirects to two layers of URLs, obviously to bypass the URL security check by redirecting through legitimate websites.
This method of redirection is not a bad idea, my friends, I decided to go and make some codes for gambling first, we'll meet again in the future 🤪
Decode the URL with base64 to get the second layer of the redirect URL, the second layer is a service under Baidu, I can't tell which one it is for now.
Finally, we have the protagonist of the story.
Website Periphery#
Direct access will redirect to Baidu's error page, it seems to have UA filtering.
Don't worry, I have User-Agent Switcher and Manager
I'm in, now let's take a look at the structure of the website.
It's a pseudo-static website, any path with /h8 will return to the CMS.
The search box doesn't work either, let's try to jump out of h8, but it gives an error.
After checking, it turns out to be Ruoyi's system, but the website has a jump or whitelist issue, going back to /login
will still redirect to Baidu's error page.
Since we can't do anything on the backend, let's check fofa for a CNAME and an IP.
It's a bunch of site clusters, but there's no point in further investigation. After a quick look at the source site, there's nothing interesting. Next time, I'll bring out the port scanning.
The CNAME is quite consistent, let's check it with whois.
Website Internal#
Let's take a look at the source code.
Combining it with the frontend, I can't tell what CMS it is, and there's another layer of base64, let's decode it first.
Okay, a new domain.
I can't tell what CMS it is anymore, it seems there's no way to do anything at the website level.
Payment Side#
Payment is required to watch the video.
Looks familiar, it's YuanPay, can't get in.
There's still an Alipay payment method, seems to be self-developed, and it has Google verification code.
Summary of why the people who run h websites are so technical nowadays#
I'm a novice, I can't even stand what I'm doing.
I originally wanted to dig deeper, but now my brain has crashed. Fortunately, the domain and everything else are in China, so I'll organize the relevant information and send it to my friends in network security 😶