Recalling that my last penetration test was in 1990, damn it, my mind was completely blank 😅
Incident Cause
In the past few years, I've been involved with various black and gray industries, so after watching "All In", I became very indignant.
After the third time, I searched through all my emails, but it was useless.
Until one day, my inbox, yes, my inbox, received a spam email.
It's unbelievable: it didn't go to the spam folder.
Finally, it arrived. With an excited heart and trembling hands...
Email Entrance
The sending domain does not resolve, and the mail server is IIS. I threw it into fofa.
It should be a server used specifically for sending spam; there's nothing useful to check.
QR Code Decoding
Decode first.
It seems to be this website, let's launch a precise penetration attack immediately 🤣
It's a dynamic QR code ("live code") that uses Weiyun to share files. From it I obtained the website address again.
The short link redirects through two layers of URLs, evidently bypassing URL security checks by hopping through legitimate websites.
This method of redirection is not a bad idea. Brothers, I've decided to go and make some QR codes for gambling first. We'll meet again in the future. 🤪
Decode the base64 in the URL to get the second-layer redirect URL, which belongs to a service owned by Baidu. It's not clear which one it is for now.
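As an added illustration of that redirect chain (example code, not from the original post; the hostnames and the parameter names `target` and `u` are hypothetical), this script peels a short link -> legitimate redirector -> destination chain offline, decoding base64-wrapped targets instead of following the redirects live:

```python
import base64
import re
from urllib.parse import parse_qs, quote, unquote, urlparse
URL_RE = re.compile(r"^https?://", re.I)

def _decode_b64_url(value):
    """Return value decoded as base64 if the result is an http(s) URL, else None."""
    # Redirectors that leave '+' unescaped get it turned into ' ' by parse_qs; undo that.
    raw = value.strip().replace(" ", "+")
    padded = raw + "=" * (-len(raw) % 4)
    for decoder in (base64.b64decode, base64.urlsafe_b64decode):
        try:
            text = decoder(padded).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue
        if URL_RE.match(text):
            return text
    return None

def next_hop(url):
    """Find the destination a redirector URL carries, plain or base64-wrapped."""
    parsed = urlparse(url)
    candidates = []
    for values in parse_qs(parsed.query, keep_blank_values=True).values():
        candidates.extend(values)  # parse_qs has already percent-decoded these
    candidates.append(unquote(parsed.path.rsplit("/", 1)[-1]))  # /go/<b64> style
    for cand in candidates:
        if URL_RE.match(cand):
            return cand
        decoded = _decode_b64_url(cand)
        if decoded:
            return decoded
    return None

def unwrap_chain(url, max_depth=5):
    """Peel redirect layers offline; stop on depth, a loop, or a leaf URL."""
    chain = [url]
    while len(chain) <= max_depth:
        hop = next_hop(chain[-1])
        if hop is None or hop in chain:
            break
        chain.append(hop)
    return chain

# Constructed sample with hypothetical hosts: short link -> legitimate-looking
# redirector carrying a base64 target -> final site, like the two-layer chain above.
FINAL_URL = "https://final-site.invalid/h8/"
MIDDLE_URL = "https://trusted-redirector.invalid/go?u=" + quote(base64.b64encode(FINAL_URL.encode()).decode())
SHORT_URL = "https://short.invalid/r?target=" + quote(MIDDLE_URL)
```

Run `unwrap_chain(SHORT_URL)` to print the three hops; the loop guard stops chains that point back at themselves.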
Finally, we have the protagonist of the story.
Website Periphery
Direct access redirects to Baidu's error page; it seems to have UA filtering.
Don't worry, I have User-Agent Switcher and Manager.
I'm in. Now let's take a look at the structure of the website.
It's a pseudo-static website: any path under /h8 returns the CMS page.
The search box is also unusable. Let's try to jump out of /h8, but that gives an error.
After checking, it turns out to be the RuoYi system, but the website has a redirect or whitelist issue. Going back to /login still redirects to Baidu's error page. Since we can't do anything with the backend, let's throw it into fofa and find a CNAME and an IP.
It's a site farm; there's no point in investigating further. After a quick look at the origin site, there's nothing interesting. Next time, I'll bring out the port scanner.
The CNAME is quite consistent; let's check it with whois.
Website Internals
Let's take a look at the source code.
Combined with the front end, I can't tell which CMS it is, and there's another layer of base64. Let's decode it first.
Alright, a new domain.
I can't tell what CMS it is anymore, it seems impossible to do anything at the website level.
Payment Side
Payment is required to watch the video.
Looks familiar: it's YuanPay, and I can't get in.
There's also an Alipay payment method, which seems to be self-developed, and it has a Google captcha.
Summary: why are the people who run h websites so technical nowadays?
I'm a novice, to the point where I can't even stand what I'm doing.
I originally wanted to dig deeper, but now my brain has crashed. Fortunately, the domain and everything else are in China. I'll organize the relevant information and send it to my friends in network security. 😶