向诚

Summary of reconnaissance on a certain H website 230824

Previously deleted

I remember my last penetration test was back in 1990. Damn, my mind went completely blank 😅

Incident Cause

I have dabbled in various black and gray industries over the past few years, so after watching "All In" I was very indignant.
After watching it a third time I dug through all my emails, but it was no use.

Until one day my inbox, yes, my inbox, received a spam email.
Unbelievably, it did not even land in the spam folder.

Finally, it arrived. Excited heart, trembling hands.

Email Entry Point

The sending domain does not resolve, and the mail server is IIS. Let's look it up on fofa.
It is probably a server set up specifically for sending spam; there is nothing useful to find there.

QR Code Analysis

Let's decode it first.

It seems to be this website; let's launch a precise penetration test on it 🤣
It's a dynamic QR code ("live code") whose target is a file shared on Weiyun, so let's pull the actual website address out of it.

The short link goes through two layers of redirects, clearly to get past URL reputation checks: each hop sits on a legitimate site (a Weiyun share, then a Baidu service), so a scanner that only inspects the first destination sees a trusted domain.
This redirect trick isn't a bad idea, my friends; I'm off to make a few gambling QR codes first, see you all in the future 🤪

Base64-decoding the URL parameter gives the second-layer redirect URL; that second layer is a service under Baidu, though I can't tell which one yet.

Finally, we have the protagonist of the story.

Website Perimeter

Direct access redirects to Baidu's error page, so there appears to be User-Agent filtering.

No worries, I have the User-Agent Switcher and Manager browser extension.
I'm in. Now let's take a look at the structure of the website.

It's a pseudo-static site: any path under /h8 lands on the CMS.
The search box doesn't work either. Let's try stepping outside /h8, but that just returns an error.
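
A way to confirm the User-Agent gating and the /h8 path behaviour seen above without a browser extension, as an added example that is not part of the original post: it spins up a local stand-in server that mimics the gate as described here (a mobile UA is required, and anything outside /h8 is bounced to a placeholder "error page" URL), then probes it with http.client, which never follows redirects, so the 302 and its Location stay visible. The mimic's rules, the UA strings and the example.test placeholder URL are assumptions made for this example; point probe() at a real host only with authorization.

```python
import http.client
import http.server
import threading

# Constructed User-Agent strings for the probe; the labels are only for the report.
USER_AGENTS = {
    "desktop": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:117.0) Gecko/20100101 Firefox/117.0",
    "android": "Mozilla/5.0 (Linux; Android 13; Pixel 7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0 Mobile Safari/537.36",
    "wechat": "Mozilla/5.0 (iPhone; CPU iPhone OS 16_6 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 MicroMessenger/8.0.40",
}

# Placeholder for the third-party error page the gate bounces to (assumption, not the real URL).
ERROR_PAGE = "https://error.example.test/"
MOBILE_MARKERS = ("Android", "iPhone", "MicroMessenger")


class GateHandler(http.server.BaseHTTPRequestHandler):
    """Stand-in for the target's front gate (modelled on the writeup, not its code):
    non-mobile UAs, and any path outside /h8, are 302'd to ERROR_PAGE."""

    def do_GET(self):
        ua = self.headers.get("User-Agent", "")
        is_mobile = any(marker in ua for marker in MOBILE_MARKERS)
        if not is_mobile or not self.path.startswith("/h8"):
            self.send_response(302)
            self.send_header("Location", ERROR_PAGE)
            self.send_header("Content-Length", "0")
            self.end_headers()
            return
        body = b"<html><body>cms index</body></html>"
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, format, *args):
        pass  # keep the example quiet


def start_gate_server():
    """Bind the stand-in on a free loopback port and serve it from a daemon thread."""
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), GateHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def probe(host, port, path, user_agents=USER_AGENTS):
    """GET `path` once per User-Agent without following redirects.

    Returns {label: (status, location)}. http.client never follows a 302, so the
    gate's redirect target is reported instead of the page it leads to."""
    results = {}
    for label, ua in user_agents.items():
        conn = http.client.HTTPConnection(host, port, timeout=5)
        try:
            conn.request("GET", path, headers={"User-Agent": ua})
            resp = conn.getresponse()
            resp.read()
            results[label] = (resp.status, resp.getheader("Location"))
        finally:
            conn.close()
    return results


def is_ua_gated(results):
    """True when requests that differ only by User-Agent get different answers."""
    return len(set(results.values())) > 1


if __name__ == "__main__":
    srv = start_gate_server()
    port = srv.server_address[1]
    for path in ("/h8/index.html", "/login"):
        r = probe("127.0.0.1", port, path)
        print(path, "UA-gated" if is_ua_gated(r) else "same answer for every UA", r)
    srv.shutdown()
```

Against the stand-in, /h8/index.html answers 200 only to the mobile UAs and 302 to the desktop one, while /login is 302'd for every UA, which is the same shape of evidence the extension-based test gives in the browser, but with the redirect target on record.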

On inspection it turns out to be a RuoYi system, but the site has a redirect or whitelist rule: going back to /login still redirects to Baidu's error page.
Since we can't do anything on the backend, let's check fofa for the CNAME and the IP.

It's a whole cluster of sites, but there's little point in digging further. After a quick look at the origin site there's nothing interesting. Next time I'll bring out the port scanner.

The CNAME is quite consistent; let's run it through whois.

Website Internals

Let's take a look at the source code.

Combining it with the frontend I still can't tell which CMS it is, and there's another layer of base64; let's decode that first.

Okay, a new domain.
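
Peeling these base64 layers mechanically, both the redirect-chain parameters from the QR code section and the blob just found in the page source, as an added example written for this writeup rather than the author's own tooling: the URLs and the snippet of page source it runs on are constructed stand-ins on example.test domains, not the real sites.

```python
from __future__ import annotations

import base64
import binascii
import re
from urllib.parse import unquote, urlsplit


def _b64u(s: str) -> str:
    """URL-safe base64 without padding, the form that survives inside a query string."""
    return base64.urlsafe_b64encode(s.encode()).decode().rstrip("=")


# Constructed sample data (not the real sites): a short-link style hop whose query
# parameter hides the next hop, a "trusted" relay hop hiding the final site the same
# way, and a snippet of page source with a base64 blob hiding an API domain.
FINAL = "https://final.example.test/h8/index.html"
MIDDLE = "https://relay.example.test/r?target=" + _b64u(FINAL)
OUTER = "https://jump.example.test/go?u=" + _b64u(MIDDLE)
PAGE_SOURCE = ('<script>var api = "'
               + base64.b64encode(b"https://api.new-domain.example.test/v1").decode()
               + '";</script>')

URL_RE = re.compile(r"https?://[^\s'\"<>]+")
DOMAIN_RE = re.compile(r"[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+(/\S*)?")
B64_RE = re.compile(r"[A-Za-z0-9+/_-]{16,}={0,2}")


def looks_like_target(text: str) -> bool:
    """Accept a decoded blob only if it carries a URL or a bare domain."""
    return bool(URL_RE.search(text) or DOMAIN_RE.fullmatch(text.strip()))


def try_b64(token: str) -> str | None:
    """Decode as URL-safe or standard base64 with padding restored; None unless a URL/domain comes out."""
    token = token.strip()
    padded = token + "=" * (-len(token) % 4)
    decoders = [base64.b64decode, base64.urlsafe_b64decode]
    if "-" in token or "_" in token:
        decoders.reverse()  # URL-safe alphabet in use, try that first
    for decode in decoders:
        try:
            text = decode(padded).decode("utf-8")
        except (binascii.Error, ValueError, UnicodeDecodeError):
            continue
        if looks_like_target(text):
            return text
    return None


def unwrap(text: str, max_depth: int = 8) -> list[str]:
    """Return every URL/domain reachable by peeling base64 layers, outermost first.

    Two places are searched at each layer: the query-string values of every URL in
    the text (the ?u=... / ?target=... style of the redirect chain) and any
    free-standing base64-looking run (the style of a blob sitting in JavaScript).
    The query is split by hand because parse_qsl would turn a '+' into a space.
    """
    layers: list[str] = []
    walked: set[str] = set()

    def record(item: str) -> None:
        if item not in layers:
            layers.append(item)

    def walk(blob: str, depth: int) -> None:
        if depth > max_depth or blob in walked:
            return
        walked.add(blob)
        urls = URL_RE.findall(blob)
        for url in urls:
            record(url)
        if not urls and DOMAIN_RE.fullmatch(blob.strip()):
            record(blob.strip())
        candidates = []
        for url in urls:
            for part in urlsplit(url).query.split("&"):
                if "=" in part:
                    candidates.append(unquote(part.split("=", 1)[1]))
        candidates += B64_RE.findall(blob)
        for cand in candidates:
            decoded = try_b64(cand)
            if decoded is not None:
                walk(decoded, depth + 1)

    walk(text, 0)
    return layers


if __name__ == "__main__":
    for hop in unwrap(OUTER):
        print("redirect layer:", hop)
    for found in unwrap(PAGE_SOURCE):
        print("hidden in source:", found)
```

On the constructed chain the result is the three hops in order, outer short link, relay, final site, and on the page-source snippet it is the single API URL hidden in the blob; a max depth guards against a blob that decodes to itself forever, and anything that does not decode to a URL or domain is ignored rather than reported.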

I still can't tell which CMS it is; it seems there's nothing to be done at the website level.

Payment Side

Payment is required to watch the videos.

Looks familiar: it's YuanPay, and I can't get in.

There's also an Alipay payment method that appears to be self-developed, and it is protected with a Google verification code.

Summary: why the people who run H websites are so technical these days

I'm a novice; I can't even bear to look at my own work.
I originally wanted to dig deeper, but my brain has crashed. Fortunately the domain and everything else are in China, so I'll organize the relevant information and pass it on to my friends in network security 😶
